On one of our public-facing servers, the Administrator account logged on at 6:45 AM GMT. This was not a member of staff.
Event log details
1st event
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Administrator
2nd event
Logon attempt using explicit credentials:
Logged on user:
User Name: S15252541$
Domain: WGS15252973
Logon ID: (0x0,0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name: Administrator
Target Domain: S15252541
Target Logon GUID: -
Target Server Name: localhost
3rd event
Successful Logon:
User Name: Administrator
Domain: S15252541
Logon ID: (0x0,0x73837CF)
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: S15252541
Logon GUID: -
Caller User Name: S15252541$
Caller Domain: WGS15252541
4th event
Special privileges assigned to new logon:
User Name: Administrator
Domain: S15252541
Logon ID: (0x0,0x73837CF)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
5th event
User Logoff:
User Name: Administrator
Domain: S15252541
Logon ID: (0x0,0x73837CF)
Logon Type: 4
I have changed the Administrator password just in case. Is there anything else I should do, or am I worrying over nothing?
This is not an April Fool's joke.
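As an added example (not part of the question or the answer below), the Python script here correlates the posted events by Logon ID and turns the fields into the checks a responder would run next. It embeds a trimmed, hand-typed copy of events 2 to 5 as constructed input rather than reading a live log. The field meanings it relies on are documented Windows values: Logon Type 4 is Batch (the type a scheduled task produces), Logon Process Advapi means the logon came through the LogonUser API, and Logon ID 0x3E7 is the LocalSystem session, so the caller S15252541$ is the machine account itself. The triage strings are suggested checks of my own, not advice from the answer.

```python
import re

# Constructed input: a hand-typed, trimmed copy of events 2-5 from the
# question (GUID, domain and workstation fields dropped). Not a live export.
RAW_EVENTS = """\
2nd event
Logon attempt using explicit credentials:
User Name: S15252541$
Logon ID: (0x0,0x3E7)
Target User Name: Administrator
Target Server Name: localhost
3rd event
Successful Logon:
User Name: Administrator
Domain: S15252541
Logon ID: (0x0,0x73837CF)
Logon Type: 4
Logon Process: Advapi
Caller User Name: S15252541$
4th event
Special privileges assigned to new logon:
User Name: Administrator
Logon ID: (0x0,0x73837CF)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
5th event
User Logoff:
User Name: Administrator
Logon ID: (0x0,0x73837CF)
"""

# Documented Windows logon type codes; 4 (Batch) is what the Task Scheduler
# produces, 10 is RDP. 0x3E7 (999) is the well-known LocalSystem session.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               9: "NewCredentials", 10: "RemoteInteractive"}
SYSTEM_LOGON_ID = "(0x0,0x3E7)"
# Privileges that give a session SYSTEM-equivalent reach (read LSASS,
# load drivers, bypass file ACLs).
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege",
                   "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeImpersonatePrivilege"}


def parse_events(text: str) -> list:
    """One dict per 'Nth event' block from its 'Key: value' lines; a line
    without a colon continues the previous field (the Privileges list)."""
    events, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"\d+(st|nd|rd|th) event", line):
            events.append({})
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            events[-1][key] = value.strip()
        elif line:
            events[-1][key] += " " + line
    return events


def summarize_session(events: list, logon_id: str) -> dict:
    """Join the logon, privilege and logoff events for one Logon ID, then
    attach the explicit-credential event whose target and caller match."""
    own = [e for e in events if e.get("Logon ID") == logon_id]
    logon = next(e for e in own if "Successful Logon" in e)
    privs = next((e for e in own if "Privileges" in e), {}).get("Privileges", "").split()
    explicit = next((e for e in events if e.get("Target User Name") == logon["User Name"]
                     and e.get("User Name") == logon.get("Caller User Name")), {})
    ltype = int(logon["Logon Type"])
    return {
        "account": logon["Domain"] + "\\" + logon["User Name"],
        "logon_type": ltype,
        "logon_type_name": LOGON_TYPES.get(ltype, "unknown"),
        "logon_process": logon.get("Logon Process"),
        "caller_is_system": explicit.get("Logon ID") == SYSTEM_LOGON_ID,
        "sensitive_privileges": sorted(set(privs) & SENSITIVE_PRIVS),
        "logged_off": any("User Logoff" in e for e in own),
    }


def triage(s: dict) -> list:
    """Next checks for a responder; pointers, not a verdict on the box."""
    notes = []
    if s["logon_type"] == 4:
        notes.append("Batch logon: list scheduled tasks and jobs that run as " + s["account"])
    if s["caller_is_system"] and s["logon_process"] == "Advapi":
        notes.append("LocalSystem called LogonUser with the Administrator password: find "
                     "what holds that password, since rotating it alone does not remove it")
    if s["sensitive_privileges"]:
        notes.append("Session held " + ", ".join(s["sensitive_privileges"]) +
                     ": anything it ran could read LSASS and load drivers")
    return notes


if __name__ == "__main__":
    for note in triage(summarize_session(parse_events(RAW_EVENTS), "(0x0,0x73837CF)")):
        print("-", note)
```

Run stand-alone it prints three pointers: enumerate the tasks and jobs running as Administrator, find whatever on the box holds the Administrator password, and treat the session's SeDebugPrivilege as the ability to read LSASS. None of this says the logon was benign: a scheduled task with stored credentials and an attacker's tool running as SYSTEM produce the same four events, so the caller has to be identified before the box can be trusted.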
Answer 1
Take a look at this question on Security Stack Exchange. It gives some good guidance.
The general advice is to assume it has been compromised, since the attacker may have wiped logs, installed backdoors and so on: pull the plug, consider whether you plan to do forensic analysis and make a copy if so, then wipe it and rebuild from backup.