Catch a hacker?

RichK

Where I work we have a certain person who has figured out
the Admin network password. So this user gets on and
makes some minor changes to the server that cause me
problems on the break fix level. I suggested to the
network guys to check the Event Viewer and see when the
admin signon signed on last and so on. We have a log of
when the person did sign on, but for some reason the
network guys didn't have it track the PC name or
anything. Is there a way to set up an alert so that when the
Admin signon is used again it will send a message to
one of the network Admins telling them which PC the user
is at exactly, or within 5 secs of when the user signs on?

Thanks for your help,
Rich

Keith W. McCammon

Anyone think to change the admin password, and audit existing accounts to
ensure that they're legitimate?

Simple auditing should tell you when someone logs on, and from which system.
But as long as you're letting this clown run around, he/she could just as
easily disable the audit policy entries.

You have a nice management mess on your hands.

Rich K

I believe they have changed the password, but we want to
catch the lil bastard. :)

I don't know about the audit part though. I will ask the
network guys.

Thanks though,
Rich

Jeff Cochran

Okay, why haven't you or the "network guys" been smart enough to
change the freakin' password?

Your answer is auditing, both successful and unsuccessful logon events.

Jeff

Steven L Umbach

Auditing of logon events should show the name of the PC [if it is from the LAN], which
may or may not help depending on whether this is an authorized computer on the network
whose location you know. I will leave a link for auditing, but you also need to
review your password policy, which includes logging onto only trusted network
computers with domain administrator accounts, as it is very easy to install keyboard
loggers, cameras, etc. on the network. There is no built-in way to get an alert as you
want, though there are third party tools that may be able to do such. --- Steve

http://www.microsoft.com/technet/tr...curity/prodtech/win2000/secwin2k/09detect.asp

Rich

We did, geniusboy - I just wanted to know of something for
the future. A preventative tool, but thanks.

Keith W. McCammon

One thing you could do is dump the DC event logs to a database (if you don't
already), and write a simple script to grep the log for an admin logon and
generate an e-mail. Should be easy enough with some Perl, VB, etc.
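One way to do what Keith describes, as an added example that is not from the thread: a script that scans exported domain controller Security log lines for logons by watched admin accounts and produces alert text ready to hand to a mailer. The tab-separated export layout, the sample log lines and the account names are constructed for illustration; the event IDs 4624/4625 are the current Windows logon success/failure IDs (Windows 2000 used 528/540 and 529).

```python
"""Alert on privileged-account logons in exported Security log lines.

Added example, not from the thread. Assumes the DC Security log was
exported as tab-separated text with the columns:
time, event id, account, workstation name, source network address.
The sample lines below are constructed.
"""
from collections import namedtuple

# Accounts that should see no routine use; any logon is worth an alert.
WATCHED_ACCOUNTS = {"administrator", "domadmin"}  # assumed names
SUCCESS, FAILURE = "4624", "4625"  # Windows logon success / failure IDs

Alert = namedtuple("Alert", "time account workstation source outcome")

# Constructed sample export: one record per line, fields tab-separated.
SAMPLE_LOG = """\
2004-03-02 08:15:03\t4624\tjsmith\tWS-017\t10.0.0.17
2004-03-02 08:16:44\t4625\tAdministrator\tWS-042\t10.0.0.42
2004-03-02 08:16:51\t4624\tAdministrator\tWS-042\t10.0.0.42
2004-03-02 08:20:00\t4624\tmjones\tWS-003\t10.0.0.3
"""

def parse_line(line):
    """Split one exported record; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    return fields if len(fields) == 5 else None

def find_admin_logons(log_text, watched=WATCHED_ACCOUNTS):
    """Return an Alert for every success or failure logon by a watched account."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        time, event_id, account, workstation, source = rec
        if account.lower() not in watched:
            continue
        if event_id == SUCCESS:
            outcome = "success"
        elif event_id == FAILURE:
            outcome = "failure"
        else:
            continue  # other event types are not logon outcomes
        alerts.append(Alert(time, account, workstation, source, outcome))
    return alerts

def format_alert(alert):
    """Build the message body that would go to the on-call admin."""
    return (f"[{alert.outcome.upper()}] {alert.account} logon at {alert.time} "
            f"from {alert.workstation} ({alert.source})")

if __name__ == "__main__":
    for a in find_admin_logons(SAMPLE_LOG):
        print(format_alert(a))  # pass this string to your mail command instead
```

Run it on a scheduled basis against a fresh export; the workstation name and source address are exactly the fields the original post found missing.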

Rich

Yes, unfortunately I think it was. He insulted my
intelligence with his comment. I do appreciate your
help though. I just don't think it's necessary for his
remarks when I come on here asking for help.

Jeff Cochran

We did, geniusboy - I just wanted to know of something for
the future. A preventative tool, but thanks.

Sorry if I was denigrating, but here's the deal. Your post said you
wanted to know if when the admin signon was used again, could it send
a message within 5 seconds of the user signing on. The kicker is --
IF YOU CHANGED THE PASSWORD HE CAN'T SIGN ON!

Yes, shouting at you. From your post, it was pretty clear you
*hadn't* changed the password, whether you meant it that way or not.
In addition, your other post says "I believe they have changed the
password, but we want to catch the lil bastard." Here you tell *me*
the password has been changed, but in a post to someone else you
"believe" it has been changed.

At any rate, use auditing. You should always audit login failures if
not successful logins.

Good luck.

Jeff

Jim Carlock

If the guy set himself up as Administrator because he has the
password, changing the password is only one thing that needs to
be done. He could still be grouped with the Administrators,
Domain Administrators, Enterprise Administrators, etc.

;-) Geniusboy!

--
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.


Jim Carlock

He'll also want to make sure Everyone doesn't have access to
Everything, as well as make sure the appropriate permissions are
set up within the registry, and recreate all the users.

Then the thing that probably gave the password away is probably
still there and no matter how many times you change the password
someone has the tool to reveal the password. It's free and is only
about 40k in size.

--
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.


Jeff Cochran

If the guy set himself up as Administrator because he has the
password, changing the password is only one thing that needs to
be done. He could still be grouped with the Administrators,
Domain Administrators, Enterprise Administrators, etc.

And you were obviously smart enough to check this, correct?

Look, you keep coming back with ways the person could still be
circumventing the system security. Stop trying to prove you're smart
by telling me what may still be an issue, and prove you're both smart
*and* competent and start hunting these things down and securing them.


I'm assuming you're already auditing logons, and that you either have
or shortly will check the administrator's group for accounts that
shouldn't belong. If it were me and I suspected a single individual,
I'd enumerate all the groups that individual's account belonged to,
I'd enumerate the accounts and validate them against a list of what
accounts are supposed to exist, I'd change all administrator passwords
(actually, this should always be done on a regular basis anyway) and
enforce complex passwords. I'd expire user passwords and force
changes at next logon or within a short time frame, I'd audit account
changes in addition to logons, and I'd start an audit trail of this
user's activities. I might put a sniffer on the network to trace his
activity, and I'd make use of syslog, IDS, proxy and firewall logs
relating to this account. Depending on your company's policies, you
might also use keyloggers or remote observation tools to watch for
suspicious activity.

One thing I would already have done is stop using the administrator
account to administer the network, renamed it and created a standard
user account called Administrator with a long complex password and
Deny on all rights. It's easier to audit if there's never any
legitimate use.
;-) Geniusboy!

I'm not sure I qualify for the boy part...

Jeff

Guest

Okay, here is what I would do:
1) Create a new administrator user and assign it all the proper credentials.
2) Remove the Admin account from the administrators group.
3) Write a log-on script for the admin account to do whatever you want (sending an email with an ipconfig dump would get you everything you need). (Unless he's just authenticating and not logging on; if this is the case, #2 will keep him from doing any damage and he'll get frustrated and try to log on.)
4) Seriously consider redeploying the systems he has been on; they are tainted. You must assume he has planted back doors, trojans, keyloggers, and other mischief.
5) If this is a domain environment, do a full-scale user/group audit. He has definitely given himself a hidden admin account (which he is probably using instead).
6) Check your server file permissions; make sure he didn't get access to your physical password files to do a brute force.
7) If not already in place, implement a password complexity policy to prevent brute force attacks.