FriendlyIT (United Kingdom) asked:
Investigating a Windows hack

Hi,

One of our domain controllers appears to have been accessed without authorisation and I would welcome any resources you can point me to or guidance about investigating exactly to what extent we have been compromised.

We have locked down inbound and outbound access to the server network whilst we investigate.

I can see that our SAM appears to have been dumped and some files added as services, so assume that there is a rootkit at least. These are 2012 DCs, so I'm surprised that this has happened. I thought things were pretty tight from a security standpoint.

This follows on from a Shellshock exploit and so the two may be linked somehow.

Any pointers you can give me would be much appreciated.
Jon
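Since the answers in this thread are not visible, here is an added triage snippet for the "files added as services" symptom Jon describes (example code, not part of the original thread). It assumes a Windows Server 2012 DC running Windows PowerShell and an account that can read the System event log; the path heuristic is a first-pass filter, not proof of anything.

```powershell
# Added example, not from this thread. Service installs on Windows Server 2012 are
# recorded in the System log as Event ID 7045 (Service Control Manager), so listing
# them with their image paths shows what was added, when, and under which account.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumed: the DC being investigated
    [int]$Days = 30                               # assumed look-back window
)

$since = (Get-Date).AddDays(-$Days)

# Pull every "A service was installed in the system" event in the window.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'System'
    Id        = 7045
    StartTime = $since
} -ErrorAction SilentlyContinue

$services = foreach ($e in $events) {
    # 7045 event data order: ServiceName, ImagePath, ServiceType, StartType, AccountName
    $imagePath = [string]$e.Properties[1].Value
    [pscustomobject]@{
        Time        = $e.TimeCreated
        ServiceName = $e.Properties[0].Value
        ImagePath   = $imagePath
        StartType   = $e.Properties[3].Value
        RunAs       = $e.Properties[4].Value
        # Heuristic only: a binary outside the usual OS/program locations deserves a
        # closer look first. Malware can also drop into System32, so review everything.
        Suspicious  = ($imagePath -notmatch '^"?(C:\\Windows\\|C:\\Program Files|%SystemRoot%|\\SystemRoot|System32)')
    }
}

$services | Sort-Object Time -Descending | Format-Table -AutoSize

# Cross-check the log against what is registered now: a service that was installed
# but is no longer present may have been removed afterwards to cover tracks.
$current = Get-Service -ComputerName $ComputerName | Select-Object -ExpandProperty Name
$services | Where-Object { $_.ServiceName -notin $current } | ForEach-Object {
    "Installed {0} but no longer registered: {1} ({2})" -f $_.Time, $_.ServiceName, $_.ImagePath
}
```

Run it against each DC (including the one showing remote registry access) and keep the output with the other evidence; compare image paths and install times across servers rather than judging a single host in isolation.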
Dave Baldwin (United States):

Shellshock affects Unix/Linux 'bash' shells which Windows servers do not use.

http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29
ASKER CERTIFIED SOLUTION from Lee W, MVP (United States) (solution only available to members)
FriendlyIT (asker):

Hi Dave,

Yes, I appreciate that Shellshock does not directly affect these machines, but given that it did allow someone to compromise some of our Linux boxes, it is highly likely that this was then the jumping off point into the Windows network.

Jon

Hi Lee,

Thanks for the suggestions. We are currently auditing all accounts and planning a password change before anything is allowed online again.

The concern is that one other DC also shows remote registry access and the only other DC we have is an older version of Windows and so cannot be promoted.
Jon
SOLUTION (only available to members)
OK - my mistake. Thanks.

Any resources for forensics to get to the bottom of anything else that may have been compromised?
SOLUTION (only available to members)
SOLUTION (only available to members)
SOLUTION (only available to members)
btan just nipped in at the eleventh hour and stole some of the points. Great information both.

I have another question about the FSMO role thing if you want to have a look at that?

https://www.experts-exchange.com/questions/28539455/Introducing-restored-Domain-Controller-into-environment.html
(amended to include the link!)