Troy,

> Is it using the same account each time to login? Is it a local or domain
> account?

I only have the one incident on Friday morning, logging in to my account.
The computer was not doing any logging at all until I turned it on Tuesday
13 Dec, so I don't have any logs before that. I also put up a better
firewall then. All was well Thursday at 6p, then Friday morning I
discovered the latest break-in with the single successful console logon to my
account at 3:37a. They logged out at 3:58a, and in between installed
DameWare NT utilities, then uninstalled them.

It's a local account -- I'm not smart enough to run a domain <g>.

Here's my theory for you all to poke holes in:

- It's someone who has keys to get in.
- They prefer to work from home and break in to the office only when needed.
- The new firewall shut them out, so they broke into the office. They
already had my password, they used it to logon and get rid of the firewall,
and then they quickly got out.
- Now I changed my password, and they are trying to guess the new password
through network login attempts (this is all in the security log) so that
they don't come in until they have a confirmed good logon account to use
(that is, unless they're willing to boot up using their own disk).

Of course, I could be way off and this is still just your ordinary network
intrusion. But I still don't have any other good explanation of that logon
type 2.

Thanks to everyone,
-- David