Let's not get carried away with talk of a "rootkit" here.

It could be a compromise. But rootkits are there to change the behaviour of the 
Windows kernel (hence "root" kit). For all we know, this is just a process 
running as LocalSystem (e.g. any number of services) that performed the 
changes. Still looks like a compromise.

Cheers
Ken

> -----Original Message-----
> From: Phil Brutsche [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 30 October 2008 6:17 AM
> To: NT System Admin Issues
> Subject: Re: Unknown account created and added to local admins group
>
> I bet that's what the event log would look like if a rootkit running as
> SYSTEM added local administrator accounts...
>
> Clubber Lang wrote:
> > Thanks, James. Yeah, the user was the same for all events: NT
> > AUTHORITY\SYSTEM
> >
> > 624 - User Account Created - 9:19:13 AM
> > 626 - User Account Enabled - 9:19:13 AM
> > 642 - User Account Changed - 9:19:13 AM
> > 628 - User Account Password Set - 9:19:13 AM
> > 636 - Security Enabled Local Group Member Added - 9:19:14 AM
> > 637 - Security Enabled Local Group Member Removed - 9:21:28 AM
> > 633 - Security Enabled Global Group Member Removed - 9:21:28 AM
> > 630 - User Account Deleted - 9:21:28 AM
>
> --
>
> Phil Brutsche
> [EMAIL PROTECTED]
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

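The sequence Clubber Lang posted (624 create, 626 enable, 642 change, 628 password set, 636 added to a local group, then 637/633 removed and 630 deleted about two minutes later, all as NT AUTHORITY\SYSTEM) is the classic footprint of a short-lived privileged account, and Ken's point is that the log alone cannot say what kind of SYSTEM-level process made it. What a responder can do is search the rest of the security log for the same pattern. The script below is an added example written for this page, not code from anyone in the thread: it parses a small constructed export of account-management events, pairs each 624 with the following 630 on the same target, and reports accounts that lived less than a configurable window together with the groups they were put into in between. The `time|id|subject|target|group` line format, the account name `svc_tmp`, the group names, the date, and the two benign accounts are all invented for the demonstration. It also goes slightly beyond the thread by folding the Vista-and-later IDs (4720, 4722, 4724, 4726, 4729, 4732, 4733, 4738) onto the 2000/2003 numbering the thread uses, since each is the older ID plus 4096.

```python
"""Flag short-lived accounts from Windows account-management security events.

Added example for the mailing-list thread above; not code from the thread.
The export format and the sample records are constructed for the demo.
"""
from datetime import datetime, timedelta

# Windows 2000/2003 security-log IDs named in the thread.
PRE_VISTA = {
    624: "User Account Created",
    626: "User Account Enabled",
    628: "User Account Password Set",
    630: "User Account Deleted",
    633: "Security Enabled Global Group Member Removed",
    636: "Security Enabled Local Group Member Added",
    637: "Security Enabled Local Group Member Removed",
    642: "User Account Changed",
}

# Constructed sample export: time|event id|subject|target account|group.
# Times for svc_tmp are the ones quoted in the thread; the date, the account
# name, the group names and the other two accounts are made up.
SAMPLE_LOG = """
# time|id|subject|target|group
2008-10-29 08:02:10|624|CORP\\helpdesk|jdoe|
2008-10-29 08:02:11|636|CORP\\helpdesk|jdoe|Remote Desktop Users
2008-10-29 09:19:13|624|NT AUTHORITY\\SYSTEM|svc_tmp|
2008-10-29 09:19:13|626|NT AUTHORITY\\SYSTEM|svc_tmp|
2008-10-29 09:19:13|642|NT AUTHORITY\\SYSTEM|svc_tmp|
2008-10-29 09:19:13|628|NT AUTHORITY\\SYSTEM|svc_tmp|
2008-10-29 09:19:14|636|NT AUTHORITY\\SYSTEM|svc_tmp|Administrators
2008-10-29 09:21:28|637|NT AUTHORITY\\SYSTEM|svc_tmp|Administrators
2008-10-29 09:21:28|633|NT AUTHORITY\\SYSTEM|svc_tmp|
2008-10-29 09:21:28|630|NT AUTHORITY\\SYSTEM|svc_tmp|
2008-10-29 07:00:00|624|CORP\\helpdesk|contractor|
2008-10-29 09:30:00|630|CORP\\helpdesk|contractor|
"""


def normalize(event_id):
    """Vista and later log the same account-management events at ID + 4096
    (624 -> 4720, 636 -> 4732, 630 -> 4726, ...); fold them onto one numbering."""
    return event_id - 4096 if event_id >= 4096 else event_id


def parse(text):
    """Parse the constructed 'time|id|subject|target|group' export into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, eid, subject, target, group = line.split("|")
        events.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "id": normalize(int(eid)),
            "subject": subject,
            "target": target,
            "group": group or None,
        })
    return sorted(events, key=lambda e: e["time"])


def find_ephemeral_accounts(events, window=timedelta(minutes=10)):
    """Return one finding per account created and deleted within `window`.

    Each finding records who created it, its lifetime in seconds, every
    security-enabled local group it was added to (636) while it existed, and
    whether the creating subject was the LocalSystem account.
    """
    by_target = {}
    for e in events:
        by_target.setdefault(e["target"], []).append(e)

    findings = []
    for target, seq in by_target.items():
        created = [e for e in seq if e["id"] == 624]
        deleted = [e for e in seq if e["id"] == 630]
        if not created or not deleted:
            continue  # never created in this export, or still exists
        c = created[0]
        d = next((e for e in deleted if e["time"] >= c["time"]), None)
        if d is None or d["time"] - c["time"] > window:
            continue  # lived longer than the window: not "ephemeral"
        groups = sorted({
            e["group"] for e in seq
            if e["id"] == 636 and e["group"] and c["time"] <= e["time"] <= d["time"]
        })
        findings.append({
            "target": target,
            "subject": c["subject"],
            "created": c["time"],
            "deleted": d["time"],
            "lifetime_s": int((d["time"] - c["time"]).total_seconds()),
            "groups": groups,
            "system_subject": c["subject"].upper() == "NT AUTHORITY\\SYSTEM",
        })
    return findings


if __name__ == "__main__":
    for f in find_ephemeral_accounts(parse(SAMPLE_LOG)):
        print(f"{f['target']}: created by {f['subject']} at {f['created']:%H:%M:%S}, "
              f"deleted after {f['lifetime_s']}s, groups={f['groups']}, "
              f"system={f['system_subject']}")
```

Run against the sample, only `svc_tmp` is reported (135 seconds of life, added to Administrators, created by SYSTEM); `jdoe` is never deleted and `contractor` outlives the ten-minute window. On a real box the records would come from the Security log (the 2003-era IDs above, or their 4096-offset equivalents on newer Windows), and the interesting follow-up is which SYSTEM-level service or scheduled task was active at 09:19, which these events by themselves do not tell you.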