I agree. Looks like it got owned; if it's a rootkit, you can't trust those logs anyway.
DBAN, baby, and reload...

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP, Security+, Network+, CCA
Phone: 401-639-3505

-----Original Message-----
From: James Winzenz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 29, 2008 3:38 PM
To: NT System Admin Issues
Subject: RE: Unknown account created and added to local admins group

Yeah - time to wipe and reload . . .

Thanks,

James Winzenz
Infrastructure Systems Engineer II - Security
Pulte Homes Information Services

-----Original Message-----
From: Phil Brutsche [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 29, 2008 12:17 PM
To: NT System Admin Issues
Subject: Re: Unknown account created and added to local admins group

I bet that's what the event log would look like if a rootkit running as SYSTEM added local administrator accounts...

Clubber Lang wrote:
> Thanks, James. Yeah, the user was the same for all events: NT AUTHORITY\SYSTEM
>
> 624 - User Account Created - 9:19:13 AM
> 626 - User Account Enabled - 9:19:13 AM
> 642 - User Account Changed - 9:19:13 AM
> 628 - User Account Password Set - 9:19:13 AM
> 636 - Security Enabled Local Group Member Added - 9:19:14 AM
> 637 - Security Enabled Local Group Member Removed - 9:21:28 AM
> 633 - Security Enabled Global Group Member Removed - 9:21:28 AM
> 630 - User Account Deleted - 9:21:28 AM

--
Phil Brutsche
[EMAIL PROTECTED]

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by email and delete the message and any file attachments from your computer. Thank you.
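Phil's point above is that the pattern itself is the signal: an account created, dropped into Administrators, used, and deleted again about two minutes later, every step performed as NT AUTHORITY\SYSTEM. The following is an added example, not code from this thread or from any of the posters: a small Python detector that reads a pipe-delimited export of security events (the sample lines are constructed, modelled on the sequence Clubber Lang listed), maps the legacy Windows 2000/2003 event IDs to their Vista+ equivalents (legacy ID + 4096), and flags any account whose creation, privileged-group membership and deletion all fall inside a short window. The export format, the account names and the ten-minute window are assumptions. As Ed says, on a box that may be rootkitted the local event log cannot be trusted, so logic like this belongs on a collector that receives forwarded logs, not on the suspect host.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# Legacy (Windows 2000/2003) security event IDs seen in the thread and their
# Vista+ equivalents. Normalising to the modern IDs lets one rule cover both.
LEGACY_TO_MODERN = {
    624: 4720,  # User Account Created
    626: 4722,  # User Account Enabled
    642: 4738,  # User Account Changed
    628: 4724,  # User Account Password Set
    636: 4732,  # Member Added to Security-Enabled Local Group
    637: 4733,  # Member Removed from Security-Enabled Local Group
    633: 4729,  # Member Removed from Security-Enabled Global Group
    630: 4726,  # User Account Deleted
}

CREATED, ADDED_TO_LOCAL_GROUP, DELETED = 4720, 4732, 4726
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


class Event(NamedTuple):
    ts: datetime
    event_id: int   # always the modern (Vista+) ID after parsing
    subject: str    # account that performed the action
    target: str     # account acted upon
    group: str      # group name for membership events, else ""


# Constructed sample export (assumed format): timestamp|event id|subject|target|group
# The first eight lines mirror the sequence posted in the thread; the last two are
# a benign account creation by a human admin that should not be flagged.
SAMPLE_LOG = """\
2008-10-29 09:19:13|624|NT AUTHORITY\\SYSTEM|tmpsvc|
2008-10-29 09:19:13|626|NT AUTHORITY\\SYSTEM|tmpsvc|
2008-10-29 09:19:13|642|NT AUTHORITY\\SYSTEM|tmpsvc|
2008-10-29 09:19:13|628|NT AUTHORITY\\SYSTEM|tmpsvc|
2008-10-29 09:19:14|636|NT AUTHORITY\\SYSTEM|tmpsvc|Administrators
2008-10-29 09:21:28|637|NT AUTHORITY\\SYSTEM|tmpsvc|Administrators
2008-10-29 09:21:28|633|NT AUTHORITY\\SYSTEM|tmpsvc|None
2008-10-29 09:21:28|630|NT AUTHORITY\\SYSTEM|tmpsvc|
2008-10-29 10:02:01|4720|CORP\\jdoe|newhire01|
2008-10-29 10:02:05|4732|CORP\\jdoe|newhire01|Remote Desktop Users
"""


def parse_line(line: str) -> Optional[Event]:
    """Parse one export line; returns None for blank or malformed lines."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5:
        return None
    ts, eid, subject, target, group = parts
    event_id = int(eid)
    return Event(
        datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        LEGACY_TO_MODERN.get(event_id, event_id),
        subject,
        target,
        group,
    )


def find_ephemeral_admins(lines, window: timedelta = timedelta(minutes=10),
                          privileged_groups=("Administrators",)) -> List[dict]:
    """Flag accounts created, added to a privileged local group and deleted within `window`."""
    by_target: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_target[ev.target].append(ev)

    findings = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e.ts)
        created = next((e for e in evs if e.event_id == CREATED), None)
        if created is None:
            continue
        admin_add = next((e for e in evs if e.event_id == ADDED_TO_LOCAL_GROUP
                          and e.group in privileged_groups and e.ts >= created.ts), None)
        deleted = next((e for e in evs if e.event_id == DELETED and e.ts >= created.ts), None)
        if admin_add is None or deleted is None or deleted.ts - created.ts > window:
            continue
        findings.append({
            "target": target,
            "subject": created.subject,
            "subject_is_system": created.subject.upper() == SYSTEM_ACCOUNT.upper(),
            "group": admin_add.group,
            "created": created.ts.isoformat(),
            "deleted": deleted.ts.isoformat(),
            "lifetime_seconds": int((deleted.ts - created.ts).total_seconds()),
            "event_ids": [e.event_id for e in evs],
        })
    return findings


if __name__ == "__main__":
    for f in find_ephemeral_admins(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {f['target']} lived {f['lifetime_seconds']}s in {f['group']} "
              f"(created by {f['subject']}, SYSTEM={f['subject_is_system']})")
```

The benign `newhire01` account is never deleted, so it does not match; `tmpsvc` matches with a 135-second lifetime and a SYSTEM subject, which is exactly the shape Phil described. A real rule would also want the logon (528/540, or 4624 on Vista+) and process-creation events for the same two minutes, since the deleted account is the tool, not the intruder.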
