On one of our public-facing servers the Administrator account logged in at 6:45am GMT. It wasn't a member of staff.
Details from the event logs:
1st event
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Administrator
2nd event
Logon attempt using explicit credentials:
Logged on user:
User Name: S15252541$
Domain: WGS15252973
Logon ID: (0x0,0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name: Administrator
Target Domain: S15252541
Target Logon GUID: -
Target Server Name: localhost
3rd event
Successful Logon:
User Name: Administrator
Domain: S15252541
Logon ID: (0x0,0x73837CF)
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: S15252541
Logon GUID: -
Caller User Name: S15252541$
Caller Domain: WGS15252541
4th event
Special privileges assigned to new logon:
User Name: Administrator
Domain: S15252541
Logon ID: (0x0,0x73837CF)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
5th event
User Logoff:
User Name: Administrator
Domain: S15252541
Logon ID: (0x0,0x73837CF)
Logon Type: 4
I've changed the Administrator password as a precaution; should I do anything else, or am I worrying unnecessarily?
P.S. This isn't an April Fools' joke.
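The pasted records are in the old "Field: value" Security-log format, and the telling field is "Logon Type: 4" with a machine account (S15252541$) as the caller. The following parser and triage routine is an added example written for this answer, not code from the question or from any Windows tool; the logon type names are Microsoft's documented codes, and the list of "privileged accounts" is an assumed starting point.

```python
import re

# Windows logon type codes as documented by Microsoft
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch (scheduled task or batch job)",
               "5": "Service", "7": "Unlock", "10": "RemoteInteractive (RDP)"}
PRIVILEGED_ACCOUNTS = {"administrator"}   # assumption: accounts that always warrant review

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_event(text):
    """Parse the 'Field: value' lines of one pasted Security-log event into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):          # skips the 'Successful Logon:' header line
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage(event):
    """Return human-readable findings for one 'Successful Logon' record."""
    findings = []
    user = event.get("User Name", "")
    ltype = event.get("Logon Type", "?")
    caller = event.get("Caller User Name", "")
    if user.lower() in PRIVILEGED_ACCOUNTS:
        findings.append(f"privileged account {user!r} logged on, type {ltype} = "
                        f"{LOGON_TYPES.get(ltype, 'unknown')}")
    if ltype == "4" and caller.endswith("$"):
        # Computer accounts end in '$'; a batch logon they request is
        # normally a scheduled task or AT job running on that host.
        findings.append(f"batch logon requested by machine account {caller!r}: "
                        "review Task Scheduler / AT jobs on the host")
    return findings

# The third event from the question, as pasted there
EVENT_FROM_QUESTION = """Successful Logon:
User Name: Administrator
Domain: S15252541
Logon ID: (0x0,0x73837CF)
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: S15252541
Logon GUID: -
Caller User Name: S15252541$
Caller Domain: WGS15252541"""

if __name__ == "__main__":
    for finding in triage(parse_event(EVENT_FROM_QUESTION)):
        print("-", finding)
```

Run against the third event it reports a batch logon of Administrator requested by the host's own machine account, which is the pattern a scheduled task running under that account produces; what that task is, and who created it, is the next thing to establish on the box.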
Have a look at this question over on security stack exchange. It gives some good guidance.
General advice would be to assume it is compromised, as an attacker could have wiped logs, installed backdoors, etc., so unplug it, think about whether you plan to conduct a forensic analysis and take a copy if so, then wipe it and rebuild from backups.