我在办公室电脑上看到一些黑客攻击企图。上周五,我的电脑突然重启了两次,当我登录时,我的一些重要文档不在那里。刚刚删除。因此,我检查了事件查看器以查找重新启动的原因。我收到了这些日志,我在日志上看到了某人的电脑名称。有人能向我解释一下吗?
谢谢!
Date:7/27/2012 Source:Security
Time:2.35.26 PM Category:Account Logon
Type:Success A Event ID:680
User:MyPC/Administrator
Computer: MyPC
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:Administrator
Source Workstation:OtherPC
Error Code:0x0
Date:7/27/2012 Source:Security
Time:2.35.26 PM Category:Logon/Logoff
Type:Success A Event ID:576
User:MyPC/Administrator
Computer: MyPC
Description:
Special privileges assigned to new logon:
User Name:Administrator
DOMAIN: MyPC
Logon ID: (0x0, 0x251E985)
Privileges:SeSecurityPrivilege
SeBackupPrivilege
...
Date:7/27/2012 Source:Security
Time:2.35.26 PM Category:Logon/Logoff
Type:Success A Event ID:540
User:MyPC/Administrator
Computer: MyPC
Description:
Successful Network Logon:
User Name:Administrator
DOMAIN: MyPC
Logon ID: (0x0, 0x251E985)
Logon Type:3
Logon Process:NtLmSsp
Authentication Package:NTLM
Workstation Name:OtherPC
Logon GUID:-
Caller User Name:-
Caller Domain:-
Caller Logon ID:-
Caller Process ID:-
Transited services:-
Source Network Address:192.168.x.x
Source Port:0
Date:7/27/2012 Source:Security
Time:2.35.26 PM Category:Logon/Logoff
Type:Success A Event ID:551
User:MyPC/Administrator
Computer: MyPC
Description:
User initiated logoff:
User Name:Administrator
DOMAIN: MyPC
Logon ID: (0x0, 0x2059c)
除了将计算机名称更改为"MyPC"one_answers"OtherPC"之外,您是否以其他方式编辑了这些日志?例如,在事件查看器中,Source应该是"Security",而不是"Secirity"。这让我怀疑这些日志的有效性。
在任何情况下,事件ID 540都是从OtherPC到您的计算机的远程连接。给定OtherPC的IP地址,它似乎在您的网络中。你有访问OtherPC的权限吗?你能给我们其他PC的事件查看器日志吗?
总而言之,这里没有什么地方看起来太乱。第一个和最后一个日志是标准的登录和注销日志。第二个通常在登录日志之后。如果没有更多的信息,我们就无法对第三种情况有更多的了解。