trace windows 2000 terminal services token across internet to catch intruder

Posted on 2005-05-09
Last Modified: 2010-04-14
Hi, I had someone get into our Windows 2000 server and delete some files.  This person did it via Terminal Services.  He (she) had a printer on their local computer that did not get automatically configured, so it logged an error in the event log.  This gave me the person's computer name and the date and time of the intrusion.  It also gave their computer a token from Terminal Services licensing with the exact date and time of issuance.

Here is some background:  The office administrator brought in an outside company to do a system audit and propose new hardware and software.  The office administrator gave the system administrator password to at least 2 of this outside company's employees.  The person who hacked into our system knew which folders to delete in our various applications, so they had a working knowledge of our system, but they did not wipe out everything.  I think they were mad because we did not go with their solution.  I was able to restore the missing files and change the administrator password.  Yes, it would have been better if I had changed the administrator password right away, but I did not know about it.

The company would like to trace this to the person and prosecute.  Any ideas?  Does anyone know a good forensics person?
Question by: mstefani

Accepted Solution (1 comment, expert LVL 25):

A few things:

1.  In the future, never give ANYONE the administrator password.  If a consultant needs administrative rights to do their job, just create a special account for them that has administrative rights and then delete the account when they are done doing the work.  The fact that you have several people with the password to one account makes it VERY hard to prove that they did anything.  Rule of thumb: 1 account, 1 user. This way you always have a log of which PERSON actually did the malicious activities, not just a meaningless ACCOUNT name that is associated with many people.  If, say, 5 people have the password for "administrator" and you find that "administrator" did something malicious, you really don't know who did it, do you?  You only know it was one of the 5 people you gave the password to.

2.  Do you log everything in your router/firewall?  You should.  If you did, then it will be pretty easy to track who did it, since you know the time of the attack: all you have to do is see which IP address came into your network on port 3389 (the default Terminal Services port) around the time the files were deleted.

3.  Call your local police department ASAP!!!  They will more than likely put you in touch with the FBI.  The FBI/police will be able to track exactly who registered the IP that this was done with.
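The correlation step the answer describes in point 2 (find the source addresses that reached port 3389 around the time the files were deleted) is shown below as an added example; it is not code from the original thread or from any firewall vendor. The log line format, the sample log lines, the addresses and the event time are all constructed for illustration, and the parser would need adjusting to a real firewall's export format.

```python
from datetime import datetime, timedelta
import re

# Constructed sample firewall log lines in a hypothetical
# "timestamp ACTION TCP src:sport -> dst:dport" format; not real data.
SAMPLE_LOG = """\
2005-05-06 21:58:12 ACCEPT TCP 203.0.113.45:3311 -> 192.0.2.10:3389
2005-05-06 22:03:41 ACCEPT TCP 198.51.100.7:44120 -> 192.0.2.10:80
2005-05-06 22:15:09 ACCEPT TCP 203.0.113.45:3322 -> 192.0.2.10:3389
2005-05-06 23:40:00 ACCEPT TCP 198.51.100.99:1045 -> 192.0.2.10:3389
2005-05-07 01:12:30 DROP TCP 192.0.2.200:5555 -> 192.0.2.10:3389
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# One regex for the assumed log format; each field is a named group.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "action": m["action"],
        "src": m["src"],
        "dport": int(m["dport"]),
    }


def find_rdp_sources(log_text, event_time_str, window_minutes=30, port=3389):
    """Return a sorted list of (timestamp, source IP) for ACCEPTed connections
    to `port` that fall within +/- window_minutes of the event time taken
    from the server's event log. Dropped connections are ignored because
    they never reached Terminal Services."""
    event_time = datetime.strptime(event_time_str, TS_FORMAT)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["dport"] != port:
            continue
        if abs(rec["ts"] - event_time) <= window:
            hits.append((rec["ts"].strftime(TS_FORMAT), rec["src"]))
    return sorted(hits)


def unique_sources(hits):
    """Collapse the hit list to the distinct source addresses, sorted."""
    return sorted({src for _, src in hits})


if __name__ == "__main__":
    # Constructed deletion time, as it would be read from the event log.
    for ts, src in find_rdp_sources(SAMPLE_LOG, "2005-05-06 22:10:00"):
        print(ts, src)
```

Before trusting the result, confirm that the firewall's clock and the server's event log clock agree (or record the offset), and widen the window if they do not; a session can also be established well before the deletion, so the licensing token issuance time from the question is a second anchor worth correlating the same way. Keep the original exported log files unmodified alongside any such analysis so they remain usable as evidence.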
