Full Version: Being Hacked
BleepingComputer.com > Operating Systems > Windows NT/2000/2003
Shooefly
I've been watching my security logs, security settings etc. for some time as I suspected I was being hacked. Yesterday I noticed some of the security settings had been changed so I put them as I thought they should be, including disabling use of a smart card.
Today, I find that the user rights assignments have all been completely changed, to such a degree that it appears a template was inserted. Every single right has this "name" and many variations of it assigned to it: *S-1-5-21-823518204-1078145449-725345543-1006

I have attached the exported file concerned.

How can I undo this and have sole administrative control over this computer again?

It is a Windows 2000.

Unfortunately, I know enough to know someone's messing with things, but not enough to know how to fix it/catch them.
Thank you so much for your help.
boopme
hello Shooefly (dang if I don't love that pie)
What type of connection is this Cable etc, wired or wireless...
Do you have a firewall and or a router?
What are your Antivirus and spyware tools.
It does appear to be a hack. That said, you would be best served to keep this PC disconnected from the internet till fixed. Consider any passwords or financial info stored within to be compromised.
I am looking further into this so in the meantime please provide requested info.
Shooefly
Dear Boopme:

Thank you for your offer to help! I'm only on every few days as I have to fight my kids for internet time.
The computer in question had only AVG free, which I uninstalled and downloaded F-secure. It found nothing.
I can't even find the Windows firewall on this Windows 2000, sp 4.
There has been detailed tracking going on inside the computer logs ever since it was given to my children (after I poked around and set up the logging that is--when it came, event logging was not even turned on).
I want to find out who is doing this, but I can't even find Windows firewall in it via control panel or via a search. I will have to install Norton's firewall from Rogers (we have rogers high-speed lite cable); I know you can do Netstat -a or something but I don't quite know how.
I am attaching the detailed tracking in the event logs...after I made changes to the user rights/security and services permissions there were a whole lot of failed access attempts...but now I can't find that one, maybe it's mislabelled. Had to break it into parts, as it was too big to upload. I also have the .evt files but I don't know how to break those up and make them small enough. Could try to zip them later I guess.
I think I've answered all of your questions now, if not I'll be back.

Thanks again for your help!

And I like the quote at the bottom of your post, by the way. That's one of my favorite books!!
Shooefly
QUOTE(boopme @ Jan 13 2008, 10:03 PM)
hello Shooefly (dang if I don't love that pie)
What type of connection is this Cable etc, wired or wireless...
Do you have a firewall and or a router?...

Hello Boopme,

I think I replied in the wrong place and it won't notify you so here's a little note....thank you for offering to help. I posted a reply in the thread under your message
tswsl1989
Download psgetsid from here
Unzip the file and copy to Windows\system32
Open command prompt
psgetsid [Your account name here]

compare the bit between the S-1-5- and the last group of digits.
Reply, stating whether they're the same or not. If they're different, DO NOT POST THE FULL NUMBER, just reply and say that the numbers don't match.
Shooefly
Hi Tom,

Thank you for your help. I downloaded and attempted to copy it into Winnt/system32 and it said there was one there already, modified in 2000. So I tried to use command prompt with the existing one, but it won't work...keeps saying "error querying account: no mapping between account names and security ID's was done."

I typed at the command prompt, psgetsid [USER-blahblahblahlettersandnumbersblah\Family] and that didn't work, so I tried just [Family] and that didn't work either...took out the space in front of bracket too, with no luck. 'Family' user account has administrator privileges.

Should I copy the downloaded file over the old one and try that? Or should the old one have been good enough?

Thanks.

tswsl1989
Sorry, the brackets were just there to show that that text should be replaced.
Try:
psgetsid Family

and then follow the previous instructions.
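The comparison tswsl1989 describes (the part of the SID between S-1-5-21- and the last group of digits identifies the machine or domain; the last group, the RID, identifies the account) can be done mechanically. This is an added example, not code from the thread or from Sysinternals; the template line and the "local" SID below are constructed, except that the first SID is the one quoted in the original post. The "*" prefix is how secedit-style security templates mark a raw SID.

```python
import re

# Constructed sample of an exported user-rights template; the first SID is the one
# quoted in the thread, the second is a made-up one from a different machine.
TEMPLATE = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-823518204-1078145449-725345543-1006,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-21-111111111-222222222-333333333-1001
"""
# Constructed: what psgetsid might print for a local account on the affected PC.
LOCAL_SID = "S-1-5-21-823518204-1078145449-725345543-1004"

# Only S-1-5-21-<three sub-authorities>-<RID> SIDs belong to a machine or domain.
MACHINE_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


def split_sid(sid):
    """Return (machine_part, rid) for an S-1-5-21 SID, or None for any other SID."""
    m = MACHINE_SID_RE.match(sid.strip().lstrip("*"))
    if not m:
        return None
    return "-".join(m.group(1, 2, 3)), int(m.group(4))


def same_machine(sid_a, sid_b):
    """True when both SIDs were issued by the same machine (or domain)."""
    a, b = split_sid(sid_a), split_sid(sid_b)
    return a is not None and b is not None and a[0] == b[0]


def describe_rid(rid):
    """Classify an RID: well-known built-in account, or an account created later."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    # Windows starts numbering locally created accounts at 1000.
    return "account created on the machine" if rid >= 1000 else "other well-known RID"


def audit_template(template_text, local_sid):
    """For every *S-1-5-21 SID in the template, report the right it holds,
    whether it belongs to this machine, and what kind of account the RID is."""
    findings = []
    for line in template_text.splitlines():
        if "=" not in line:
            continue
        right, _, value = line.partition("=")
        for token in value.split(","):
            parts = split_sid(token)
            if parts is None:  # built-in groups such as *S-1-5-32-544 are skipped
                continue
            findings.append((right.strip(), token.strip().lstrip("*"),
                             same_machine(token, local_sid), describe_rid(parts[1])))
    return findings
```

An entry that is on the same machine but has an RID you do not recognise points at an extra local account; one from a different machine part came from elsewhere, such as a template copied from another PC.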