Help! EventLog question at work
TechnicalJay
Member Posts: 219 ■■■□□□□□□□
in SSCP
Hi Guys,
I was off for the weekend and had yesterday off as it was a holiday here in Canada. I got into work today and my account was logged in. I might have forgotten to log off on Friday but I'm 99% sure I did. I have no clue about the Event Viewer but I noticed that there were logs under the security section saying
Special privileges assigned to new logon
An account was successfully logged on.
This was at almost 1AM Aug 2!!
There are also multiple times such as 12:55am, 12:45am, 12:00am etc all saying special logon, logoff, logon
My account was also changed on Windows to Database admin. I have MySQL installed on my computer and the first thing I noticed when I got into work today was a CMD prompt about MySQL saying MySQL running in community mode and then something about remote connection failed. I do have remote connection turned off on this computer.
There are cleaners that come around the office when people are gone. Is this a possibility that a cleaner was messing around with my computer? I don't understand how anyone could have my password though and log off and on.
Any input would be helpful.
Thanks
Comments
-
Ertaz Member Posts: 934 ■■■■■□□□□□
TechnicalJay wrote: »
Hi Guys,
I was off for the weekend and had yesterday off as it was a Holiday here in Canada. I got into work today and my account was logged in. I might have forgot to log off on Friday but I'm 99% sure I did. I have no clue about the Event Viewer but I noticed that there were logs under the security section saying
Special privileges assigned to new logon
An account was successfully logged on.
This was at almost 1AM Aug2!!
There are also multiple times such as 12:55am, 12:45am, 12:00am etc all saying special logon, logoff, logon
My account was also changed on windows to Database admin. I have MySQL installed on my computer and the first thing I noticed when I got into work today was a CMD prompt about MySQL saying MySQL running in community mode and then something about remote connection failed. I do have remote connection turned off on this computer.
There are cleaners that come around the office when people are gone. Is this a possibility that a cleaner was messing around with my computer? I don't understand how anyone could have my password though and log off and on.
Any input would be helpful.
Thanks
Step 1. Notify your organization's incident response team. Always err on the side of caution.
-
cyberguypr Mod Posts: 6,928 Mod
As an incident responder I came here to say exactly this. If you see a dead body you don't play forensic examiner, you call in the pros before it's too late.
-
TechnicalJay Member Posts: 219 ■■■□□□□□□□
I let my boss know (He's off today) and I let security know as well as you need a keycard to enter the area. But does this mean someone actually logged onto the computer?
-
Clm Member Posts: 444 ■■■■□□□□□□
TechnicalJay wrote: »
I let my boss know (He's off today) and I let security know as well as you need a keycard to enter the area. But does this mean someone actually logged onto the computer?
I find your lack of Cloud Security Disturbing!!!!!!!!!
Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig
-
TechnicalJay Member Posts: 219 ■■■□□□□□□□
Okay thanks guys. I definitely don't understand this. It's saying Audit Successful for logon/logoff/special logon 20 minutes ago also and I haven't logged off/logged on and my computer hasn't been asleep etc. Maybe I just forgot to log off and am overreacting.
-
ankurjoshi Member Posts: 6 ■□□□□□□□□□
Simultaneous occurrence of the following events means someone with admin privileges has logged on to your system.
Special privileges assigned to new logon
An account was successfully logged on.
Once someone with such privileges logs in, he/she can also change user settings. This might have caused the change in your user profile to database admin.
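
Added example, not part of any post in this thread: the two messages quoted above are Security log event IDs 4624 ("An account was successfully logged on") and 4672 ("Special privileges assigned to new logon"), and Windows also records this pair for service logons by built-in accounts such as SYSTEM, so the logon type and account name are what separate a person at the console from background activity. The four-day window and the helper name `ConvertTo-FieldMap` are assumptions.

```powershell
# Added example: pair each 4624 logon with a 4672 "special privileges" event by logon ID.
# Reading the Security log requires an elevated (Run as administrator) session.
$start = (Get-Date).AddDays(-4)   # assumed look-back window; widen it to cover the period in question

$logonTypes = @{
    2 = 'Interactive (console)'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive (RDP)'; 11 = 'CachedInteractive'
}

# Hypothetical helper: flatten an event's <EventData> into a name -> value hashtable.
function ConvertTo-FieldMap {
    param($Record)
    $map = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $map[$d.Name] = $d.'#text' }
    }
    $map
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4672; StartTime = $start }

$privileged = @{}   # logon IDs that received special privileges (4672)
$logons = foreach ($e in $events) {
    $f = ConvertTo-FieldMap $e
    if ($e.Id -eq 4672) {
        if ($f.SubjectLogonId) { $privileged[$f.SubjectLogonId] = $true }
    } else {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = '{0}\{1}' -f $f.TargetDomainName, $f.TargetUserName
            LogonType = $logonTypes[[int]$f.LogonType]
            Source    = $f.IpAddress
            Process   = $f.ProcessName
            LogonId   = $f.TargetLogonId
        }
    }
}

# Service logons by built-in accounts are routine; console, unlock and RDP logons by a
# named user at an unexpected hour are the rows to hand to the incident response team.
$logons | Sort-Object Time |
    Select-Object Time, Account, LogonType, Source, Process,
        @{ Name = 'SpecialPrivileges'; Expression = { $privileged.ContainsKey($_.LogonId) } } |
    Format-Table -AutoSize
```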