
Was I compromised?


the-one1

Member
Joined
Apr 25, 2002
Location
uSa
Setup: WinXP with Apache 1.3.xx
I was browsing my drives and checking the permissions on them when I stumbled across one of my drives that had my web server on it (not C:\), and I saw a user without any permissions on it, but the "Special Permissions" box was checked. It wasn't very easy to remove the user. The user name was a long string of alphanumeric symbols (S-1-5-21-746137067... and so on). It took me a while, but I removed it, redid the permissions for the whole drive and reinstalled the web server. My Apache log had an IP address doing some things to me; it "snooped" around, browsed that drive and set permissions on other folders. I'm going through all my drives and checking the permissions.
Can anyone tell me what was going on?
 
Did the rights look like this?

[image: permissions.jpg]

My bet is that you reinstalled Windows on the system drive after the other drive was set up, no?

The rights you are seeing are from the old install of Windows; the new install doesn't know what to do with them, and that is what you get. As for the weird IP "snooping", it could be a coincidence.
 
What I did was install XP on a system that already had a bunch of FAT32 drives in it. I formatted and installed Windows on C:\ and converted the other drives to NTFS. The system had XP on it before the reinstall. But why was the "user" only in some folders and not others?
If that's all it is, I'll be a monkey's uncle. Paranoid, I guess. I've just been to a network security meeting.
Thanks a lot, man/woman.
 
Some more info for you:

The format of a SID for a user or group:

S-R-X-D-M1-M2-M3-RID

where:

The letter S which indicates that the value is a SID
R is the revision level
X is the identifier authority value
D is the domain identifier.
M1, M2, and M3 are the 96-bit unique machine identifier, in three 32-bit sections
RID is the RID of the user or group

Example: S-1-5-21-693639521-1140461025-475923621-1003.

This SID has

Revision level 1
Identifier authority 5, which is Windows NT
Domain identifier 21
The machine SID 693639521-1140461025-475923621, which was generated when Windows NT was installed on the computer.

The relative identifier 1003, which corresponds to Restricted Users on the local computer.

So, the three long sections are a machine identifier. That may be why Windows didn't recognize it. Open regedit and go to HKEY_USERS. You should see some SIDs there. If the machine identifier in the registry is different from what you saw in the permissions, then that is what happened. Removing those rights shouldn't cause a problem.
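To make the check described above concrete, here is an added example (not from any poster in this thread) that parses SIDs in the S-R-X-D-M1-M2-M3-RID layout and flags which entries in a drive's ACL carry a machine identifier that does not belong to the current install. The local machine identifier and the ACL entries other than the post's own example SID are constructed values.

```python
import re
from dataclasses import dataclass

# S-R-X-D-M1-M2-M3-RID: revision, identifier authority, then the sub-authorities.
# Case-insensitive so a lowercase "s-1-5-21-..." as seen in an ACL dialog also parses.
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @property
    def machine_id(self):
        """M1-M2-M3 for NT-authority (5) SIDs under domain identifier 21, else None."""
        if self.authority == 5 and len(self.subauthorities) == 5 and self.subauthorities[0] == 21:
            return self.subauthorities[1:4]
        return None

    @property
    def rid(self):
        return self.subauthorities[-1]


def parse_sid(text):
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    subs = tuple(int(x) for x in m.group(3).strip("-").split("-"))
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def classify(text, local_machine_id):
    """Explain an unresolved SID from an ACL relative to this install's machine identifier."""
    sid = parse_sid(text)
    mid = sid.machine_id
    if mid is None:
        return "well-known SID"          # e.g. S-1-5-32-544, BUILTIN\Administrators
    if mid != local_machine_id:
        return "stale: machine id not from this install (old install or a domain)"
    # RIDs below 1000 are built-in (500 Administrator, 501 Guest); 1000+ are created accounts
    return "local built-in account" if sid.rid < 1000 else "local account (deleted if unresolved)"


# Constructed sample: this install's machine id (taken from the post's example) and ACL entries
LOCAL_MACHINE_ID = (693639521, 1140461025, 475923621)
ACL_SIDS = [
    "S-1-5-21-693639521-1140461025-475923621-1003",   # the post's example SID
    "s-1-5-21-123456789-987654321-555555555-1001",    # constructed: different machine id
    "S-1-5-32-544",                                   # BUILTIN\Administrators
    "S-1-5-21-693639521-1140461025-475923621-500",    # built-in Administrator on this install
]

if __name__ == "__main__":
    for s in ACL_SIDS:
        print(s, "->", classify(s, LOCAL_MACHINE_ID))
```

Compare the M1-M2-M3 values it reports against the SIDs listed under HKEY_USERS on the running system; entries flagged as stale are the orphaned rights from the previous install.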
 
If you create a user, give them permissions somewhere, then delete them, it will show their SID because the system is no longer able to resolve it to their username (because it was deleted).

On a domain, if you can't connect to a domain controller for some reason, it won't be able to resolve them even though the user still exists.
 