funkyfinger
asked on
Hacker?
Hello,
I believe that there is an ex-employee trying to hack into our computer system. I need some help reading log files and deciding if the error message really is coming from a hacker.
I use the word "hacker" loosely I believe that the hacker is extremely dim-witted, I'm sure that her/his only skill would be to download a pre-made script and enter an IP address. I believe that the script is using this vunerability: http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
In the IIS log file I found these entrys listed after the employee left the company and after the employees password was changed:
2004-09-08 16:36:20 192.168.0.125 COMPUTERNAME\exemployeeuse
2004-09-08 16:36:20 192.168.0.125 COMPUTERNAME\exemployeeuse
I have changed our computer name to COMPUTER name and the employee's user handle to exemployeeusername, other than that these two line appear exactly as they do on the IIS log.
I'm not really worried about the data or gaining access to the system, the network here has changed 100% since this employee left and the data he/she would most likely try to get/destroy in not obtainable also everything on this network is backed up regularly. I am more interested in proving that this person did indeed try to connect to our system.
My question is, what was the employee trying to access? Was the attempt successful? What futher actions should I take to stop the hacker in the future.
I believe that there is an ex-employee trying to hack into our computer system. I need some help reading log files and deciding if the error message really is coming from a hacker.
I use the word "hacker" loosely I believe that the hacker is extremely dim-witted, I'm sure that her/his only skill would be to download a pre-made script and enter an IP address. I believe that the script is using this vunerability: http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
In the IIS log file I found these entrys listed after the employee left the company and after the employees password was changed:
2004-09-08 16:36:20 192.168.0.125 COMPUTERNAME\exemployeeuse
2004-09-08 16:36:20 192.168.0.125 COMPUTERNAME\exemployeeuse
I have changed our computer name to COMPUTER name and the employee's user handle to exemployeeusername, other than that these two line appear exactly as they do on the IIS log.
I'm not really worried about the data or gaining access to the system, the network here has changed 100% since this employee left and the data he/she would most likely try to get/destroy in not obtainable also everything on this network is backed up regularly. I am more interested in proving that this person did indeed try to connect to our system.
My question is, what was the employee trying to access? Was the attempt successful? What futher actions should I take to stop the hacker in the future.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.