IIS Server Security - hacker break-in


Author hacker break-in
Steve Smith

2006-05-04, 1:15 pm

I'm sorry if this is long. Viewing the log file for my web site running on
IIS 5.1 for 5/3/06 I found a visit from a hacker with the internal address
of one of the other computers on my network. The network is behind an
Actiontec gateway which was set on NAT only and the firewall was not set on
this particular computer. (Mea culpa). Viewing the Security Event Log for
this computer I found the visit logged as "5/3/2006 2:09:12 Success,
Audit, Security, System Event 515, User=System". Going to the details, I
find, "Log on process name = KSecDD, User= NT Authority\System, Event
ID=515, Category=System Event, Success A, SE_AUDITID_ID_LOGON_PROC_REGISTER,
Log on Process Name = %1". I got this by going to
http://go.microsoft.com/fwlink/events.asp . It tells me "A trusted logon
process has registered with the Local Security Authority. This logon process
will be trusted to submit logon requests".
If I understand this correctly, the hacker is now a trusted user who can log
on to my network at any time from any place. Is this correct? And if so,
what can I do to remove this hacker from the "trusted user" list? Thanks for
your reply.
P.S. The hacker did no harm (so far). He did an OPTIONS / and then a
PROPFIND / (filename) for a non-existent file. Then he left. But he may be
back.
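
As an added example (not part of the original post): a Python script that reads an IIS W3C Extended log of the kind the poster describes and lists OPTIONS and PROPFIND requests per client address, marking RFC 1918 sources. The sample log lines, addresses, file names and the helper names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Methods to review; OPTIONS and PROPFIND are the two named in the post.
PROBE_METHODS = {"OPTIONS", "PROPFIND"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in W3C Extended format; every address, path and time is invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2006-05-03 14:05:41 203.0.113.7 GET /index.htm 200
2006-05-03 14:22:10 192.168.0.4 OPTIONS / 200
2006-05-03 14:22:11 192.168.0.4 PROPFIND /example.txt 404
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-05-03 14:30:02 203.0.113.7 - GET /about.htm 200
"""

def parse_w3c(text):
    """Yield one dict per request, honouring each #Fields directive as it appears."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column layout can change mid-file
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):   # skip truncated rows
                yield dict(zip(fields, values))

def is_internal(ip):
    """True only for RFC 1918 addresses; unparsable values count as not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def find_probes(text):
    """Group OPTIONS/PROPFIND requests by client IP."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        method = row.get("cs-method", "").upper()
        if method in PROBE_METHODS and "c-ip" in row:
            hits[row["c-ip"]].append(
                (row.get("date"), row.get("time"), method, row.get("cs-uri-stem"), row.get("sc-status")))
    return {ip: {"internal": is_internal(ip), "requests": reqs} for ip, reqs in hits.items()}

if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOG).items():
        print(ip, "internal" if info["internal"] else "external", info["requests"])
```
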



Copyright 2003 - 2008 webservertalk.com