 |
 |
Troy, > Is it using the same account each time to login? Is it a local or domain > account? I only have the one incident on Friday morning, logging in to my account. The computer was not doing any logging at all until I turned it on Tuesday 13 Dec, so I don't have any logs before that. I also put up a better firewall then. All was well Thursday at 6p, then Friday morning I discovered the latest breakin with the single successful console logon to my account at 3:37a. They logged out at 3:58a, and in between installed DameWare NT utilities, then uninstalled them. It's a local account -- I'm not smart enough to run a domain <g>. Here's my theory for you all to poke holes in: - It's someone who has keys to get in. - They prefer to work from home and break in to the office only when needed. - The new firewall shut them out, so they broke into the office. They already had my password, they used it to logon and get rid of the firewall, and then they quickly got out. - Now I changed my password, and they are trying to guess the new password through network login attempts (this is all in the security log) so that they don't come in until they have a confirmed good logon accout to use (that is, unless they're willing to boot up using their own disk). Of course, I could be way off and this is still just your ordinary network intrusion. But I still don't have any other good explanation of that logon type 2. Thanks to everyone, -- David