
  • Status: Solved
  • Priority: Medium
  • Security: Public

trace windows 2000 terminal services token across internet to catch intruder

Hi, I had someone get into our Windows 2000 server and delete some files.  This person did it via Terminal Services.  He (she) had a printer on their local computer that did not get automatically configured, so it logged an error in the event log.  This gave me the person's computer name and date and time of the intrusion.  It also gave their computer a token from the Terminal Services licensing with exact date and time of issuance.

Here is some background:  The office administrator brought in an outside company to do a system audit and propose new hardware and software.  The office administrator gave the system administrator password to at least 2 of this outside company's employees.  The person who hacked into our system knew which folders to delete in our various applications, so they had a working knowledge of our system, but they did not wipe out everything.  I think they were mad because we did not go with their solution.  I was able to restore the missing files and change the administrator password.  Yes, it would have been better if I had changed the administrator password right away, but I did not know about it.

The company would like to trace this to the person and prosecute.  Any ideas?  Does anyone know a good forensics person?
1 Solution
A few things:

1.  In the future, never give ANYONE the administrator password.  If a consultant needs administrative rights to do their job, just create a special account for them that has administrative rights and then delete the account when they are done doing the work.  The fact that you have several people with the password to one account makes it VERY hard to prove that they did anything. Rule of thumb: 1 account, 1 user. This way you always have a log of which PERSON actually did the malicious activities, not just a meaningless ACCOUNT name that is associated with many people.  If, say, 5 people have the password for "administrator" and you find that "administrator" did something malicious, you really don't know who did it, do you? You only know it was one of the 5 people you gave the password to.

2.  Do you log everything in your router/firewall? You should.  If you did, then it will be pretty easy to track who did it, since you know the time of the attack. All you have to do is see which IP address came into your network on port 3389 (the default Terminal Services port) around the time the files were deleted.

3.  Call your local police department ASAP!!!  They will more than likely put you in touch with the FBI.  The FBI/police will be able to track exactly who registered the IP that this was done with.
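
The firewall-log check from point 2, as an added example that is not part of the original thread: it converts the event-log time (server local time) to UTC and lists source addresses with accepted connections to port 3389 inside a window around it. The log format, addresses, timestamps, and the function name `rdp_candidates` are constructed assumptions; adapt the regex to your device's real log format, and work on a copy of the logs so the originals stay intact as evidence.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample firewall log in a hypothetical format (UTC timestamps).
SAMPLE_LOG = """\
2003-05-14T01:02:11Z ACCEPT TCP 198.51.100.7:1033 -> 192.0.2.10:80
2003-05-14T02:09:48Z ACCEPT TCP 203.0.113.45:1047 -> 192.0.2.10:3389
2003-05-14T02:10:02Z DROP TCP 198.51.100.23:4410 -> 192.0.2.10:3389
2003-05-14T02:31:15Z ACCEPT TCP 203.0.113.45:1052 -> 192.0.2.10:3389
2003-05-14T09:15:40Z ACCEPT TCP 198.51.100.99:2201 -> 192.0.2.10:3389
truncated or unparseable line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def rdp_candidates(log_text, event_local, server_utc_offset_hours,
                   window_minutes=30, port=3389):
    """Return (event time in UTC, {source IP: [connection times]})."""
    # Event Viewer shows server local time; the firewall here logs UTC.
    # Mixing the two without converting is the usual way to miss the entry.
    event_utc = (event_local - timedelta(hours=server_utc_offset_hours)
                 ).replace(tzinfo=timezone.utc)
    # The window also absorbs clock drift between server and firewall.
    window = timedelta(minutes=window_minutes)
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse instead of failing
        # Only sessions the firewall let through could have reached the server.
        if m["action"] != "ACCEPT" or int(m["dport"]) != port:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"
                               ).replace(tzinfo=timezone.utc)
        if abs(ts - event_utc) <= window:
            hits.setdefault(m["src"], []).append(ts)
    return event_utc, hits

if __name__ == "__main__":
    # Constructed incident time: printer error logged 21:12 local, server at UTC-5.
    when, found = rdp_candidates(SAMPLE_LOG, datetime(2003, 5, 13, 21, 12), -5)
    print("event (UTC):", when.isoformat())
    for src, times in found.items():
        print(src, [t.isoformat() for t in times])
```
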
