(Finally back at my internship! Long story which I should attempt to write down here sometime. For the moment, I'm going over the security breach rundown.)
- October 21st: Admin log on attempt showed NT5CLIENT as the last log on, which is not an authorized log on. Creation check and check with other users indicated that NT5CLIENT was created over the weekend. Further checks through the Microsoft Knowledge Base did not indicate this to be an automatically generated log on for system self-administration purposes. Checks to find other files modified during that period yielded a batch and several others, but modified files went back to the 20th, the Friday before that Saturday. This would imply that the actual breach occurred Friday and logs were wiped to prevent indications of the access.
- More later...
