Solved

We recently had someone remotely login to our server and download some movies.  How can we learn who it was?

Posted on 2006-03-22
Last Modified: 2013-12-04
The person was able to login with the administrator's Username and password (unless they were able to bypass this step somehow).  We're using Win2K SP4.  I'm assuming the person intends now to come in to our building, login to our network, and transfer the files over to their laptop or PC.  How can we learn who it is/was?
Question by:JayMulkey
23 Comments
 

Author Comment

by:JayMulkey
ID: 16264359
PS:  the movies were being downloaded to the HD on the Server.
0
 
LVL 5

Expert Comment

by:einsteinjr79
ID: 16265815
Sniff the packets on the network using a sniffer program.
0
 
LVL 4

Expert Comment

by:NacMacFeegle
ID: 16267390
Change the administrator username and password, then increase security logging for failed login attempts to see if they do it again (can't remember the ref, but this is on the MS site). Do you know what time of day / day of the week this happened (you can then search against building access records to see who was in)? Is your server physically secure? Sniffing network packets will only tell you what's happening now, as opposed to previous traffic. Do you have CCTV in the building?
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16269317
I'll take a shot and say your server was hacked, and is now a bastion host for file sharing.

Run HijackThis and Ad-Aware on it, along with a virus scan.

Also, check and see if FTP ports are listening, or file sharing ports are listening by doing a netstat -a -n from a command prompt.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16269337
LOL, well I said bastion host above, but I simply meant host...trying to type in 2 EE threads at once isn't easy...
0
 
LVL 4

Accepted Solution

by:
NacMacFeegle earned 400 total points
ID: 16271025
Oops, d'oh! I should have asked if your network is accessible from the outside world. If so, you need to check ALL your servers: if someone has hacked one of them with the domain admin password, then you need to audit and scan all boxes for viruses, trojans, etc. Also check that all servers are fully patched. What was the function of the server which was hacked? (Did it run IIS / SQL / etc.?) And is there Internet access to your LAN?
0
 
LVL 3

Assisted Solution

by:mandude0
mandude0 earned 800 total points
ID: 16272902
I agree with the above statement on changing the user/pass for admin and the ad/spyware/virus checks. Above that, do a network audit to see who all is in the Administrators group. That might help to narrow down any possible insiders. I would also look into what services are running on the server and set to manual or disabled any services not needed (Telnet, FTP, IIS or whatever function the server doesn't need).

Track off-hours work. Look for people coming in early and logging in or staying late. These are just suggestions. Without more info about the situation it is hard to say for sure what would need to be done.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16277900
I also agree with those who said that this is most likely some outside hacker who is using this to store bootleg movies, and not anyone of your users.

In addition to what has been suggested already, download and run RootkitRevealer from:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html

and save the log if it finds anything suspect. You may need it later.
0
 

Author Comment

by:JayMulkey
ID: 16280748
Thanks for all the suggestions.  I think we will move to a more secure login process as well as turn off services our server(s) don't need to have running.  We believe the user intended to come into our building at a later date and transfer the files from the server (shared with all authorized users) to his/her laptop.

Is my understanding correct:  we (the administrators) could login using our personal username and password?  Or would it be better to change the administrator login UN and PW?

We do have CCTV but our employees come and go at all hours.  Only a stranger would be noticed.

It just occurred to me...I can watch for the disappearance of the files and see who was logged on at that time, yes?  I expect it to happen soon.

Stay tuned.  Thanks again.
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 400 total points
ID: 16280818
You can set up file-level auditing:

 http://www.setup32.com/network-administration/windows-2000-server/windows-2000-server-auditing.php

I still think it's unlikely to be one of your users, though I suppose anything is possible.
0
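An added example (mine, not from the page or any poster) of what you can do with the file-level auditing r-k points to, combined with JayMulkey's idea of seeing who was logged on when the files vanish and mandude0's suggestion to track off-hours activity. It correlates a Security log export: an object-deleted event is paired with the object-open event for the same handle, and the session's Logon ID is resolved back to the logon event so you get the account, logon type and workstation. The log lines are constructed, and the "field=value" layout is an assumption for this example rather than Windows' own export format; the event IDs are the Windows 2000/2003 ones.

```python
from datetime import datetime

# Constructed, simplified export of Windows 2000 Security log entries; not a
# real log, and the "field=value" layout is an assumption for this example.
# Event IDs are the pre-Vista ones: 528 interactive logon, 540 network logon,
# 560 object open (what file auditing writes), 564 object deleted.
SAMPLE_LOG = """\
2006-03-22 02:14:07|540|jsmith|LogonID=(0x0,0x3A2F1)|LogonType=3|Workstation=WS-17
2006-03-22 02:15:30|560|jsmith|LogonID=(0x0,0x3A2F1)|HandleID=0x2c4|Object=D:\\Share\\Movies\\film1.avi|Access=DELETE
2006-03-22 02:15:31|564|-|LogonID=(0x0,0x3A2F1)|HandleID=0x2c4
2006-03-22 08:01:12|528|backupsvc|LogonID=(0x0,0x41B00)|LogonType=5|Workstation=FS01
2006-03-22 08:02:00|560|backupsvc|LogonID=(0x0,0x41B00)|HandleID=0x310|Object=D:\\Share\\Docs\\q1.xls|Access=READ_DATA
"""

LOGON_EVENTS = {528, 540}


def parse_log(text):
    """One dict per line: time, id, user, plus whatever field=value pairs follow."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        ev = {"time": fields[0], "id": int(fields[1]), "user": fields[2]}
        for kv in fields[3:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def build_sessions(events):
    """Logon ID -> the logon event that created it (account, type, workstation)."""
    return {e["LogonID"]: e for e in events if e["id"] in LOGON_EVENTS}


def find_deletions(events):
    """Pair each 564 with the 560 that opened the same handle, then resolve the
    Logon ID to the session so we know who, from where, and how they logged on."""
    sessions = build_sessions(events)
    open_handles = {}
    hits = []
    for e in events:
        if e["id"] == 560:
            open_handles[e["HandleID"]] = e
        elif e["id"] == 564:
            opened = open_handles.pop(e["HandleID"], None)
            if opened is None:
                continue  # delete of a handle we never saw opened
            sess = sessions.get(opened["LogonID"], {})
            hits.append({
                "object": opened["Object"],
                "deleted_at": e["time"],
                "account": sess.get("user", opened["user"]),
                "logon_type": sess.get("LogonType", "?"),
                "workstation": sess.get("Workstation", "?"),
            })
    return hits


def is_off_hours(timestamp, start_hour=7, end_hour=19):
    """True outside the assumed working day; off-hours activity is worth a look."""
    hour = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S").hour
    return not (start_hour <= hour < end_hour)


if __name__ == "__main__":
    for hit in find_deletions(parse_log(SAMPLE_LOG)):
        flag = " [off-hours]" if is_off_hours(hit["deleted_at"]) else ""
        print(f"{hit['deleted_at']} {hit['object']} deleted by {hit['account']} "
              f"(logon type {hit['logon_type']}, from {hit['workstation']}){flag}")
```

Two practical points. Nothing lands in the log unless "Audit object access" is enabled in Local Security Policy and a SACL is set on the folder that holds the files (the page r-k links covers both). And since whoever did this apparently holds the Administrator password, they can also clear the Security log, so copy or archive it somewhere they cannot reach rather than relying on the copy on the server.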
 
LVL 3

Assisted Solution

by:mandude0
mandude0 earned 800 total points
ID: 16280874
Yes, you can set up users in the Administrators group. Changing the name of Administrator would be a good idea, as it would make the person have to guess the username instead of just typing administrator. Keeping individual users in the Administrators group can help you keep the logged-in users separated. You don't want to guess which of the 5 "administrator" sessions was accessing which files and when.

It's possible that you might have just been used as a temp repository for someone's illegal file shares. I wouldn't doubt if there were mirrored servers in other locations sharing files to minimize bandwidth usage and prolong the time before the hack is nulled for those leeching their files.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16281799
=======
It just occured to me...I can watch for the dissapearence of the files and see who was logged on at that time, yes?  I expect it to happen soon.
========


The person is highly unlikely to come to the building and get the data.  If they can access it remotely the first time to download the movies to your computer then they can access them again remotely to grab the files again.

Did you check my post completely?  You really need to check and see what ports are being listened on at this point, and check and see if any strange processes are running on the machine.

I'm still betting you are being used as a host for file sharing.
0
 
LVL 1

Assisted Solution

by:GCWPITSolutions
GCWPITSolutions earned 400 total points
ID: 16340714
Recommended practice is to disable the admin account and create new administrative accounts for specific tasks (e.g. backup users, user admin). Also, strong passwords should be enabled, and the less intuitive the admin user names are the better (i.e. don't call your backup admin account Backup Admin).

You can give administrative rights to all admin users' standard logon accounts, but this is not recommended; they should have specific admin accounts to be used only when they are performing administrative tasks. (This helps minimise the potentially damaging mistakes made by users with admin access.)

That should prevent anyone you do not wish to from obtaining admin access to your network (as much as possible).
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16500690
So what happened?
0
 

Author Comment

by:JayMulkey
ID: 16501215
We took several of the suggestions: changed the way administrators access the servers; log activities on certain servers; etc.   We moved the movies off the server to a safe location (in case they belonged to one of the users here in the building who did not know this was not okay to do).

No one has come forward asking about them.

[am I correct in my thinking that it had to be someone who would later come into the building to transfer the files to their laptop or other storage device?  Otherwise, what would be the benefit in TIME to downloading them to a server and then downloading them from the server - over the Internet - to their home PC?]
0
 
LVL 3

Expert Comment

by:mandude0
ID: 16501301
I think it might have been someone that was just using your server as a temp storage device and retrieving them later. Were there any P2P apps installed (torrent client, LimeWire, eMule, eDonkey, etc.)? They may have been using your bandwidth to grab the movies and build "credit" with a transfer server, and just downloading the movies when they finished. I have read about people doing things like that to keep their own bandwidth from being eaten up by constant large file transfers.

Just a guess.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16501319
like mandude0 said, that was my original thought...it's pretty common.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16501492
I'll make it unanimous - it's someone outside your network using your space/bandwidth..
0
 

Author Comment

by:JayMulkey
ID: 16501523
Yes, there was some kind of bit-torrent program running.

What are the chances this could have been done by someone who did not know the administrator's password?  
0
 
LVL 3

Expert Comment

by:mandude0
ID: 16501568
The chances are good that someone, maybe outside your company, created their own administrator account or sniffed your network to get it. Do you run wireless in your company? Even using WEP someone might have parked outside and just tossed packets at it until they got enough information to build a good hash file and crack the administrator password. If they were able to access your wireless router, assuming you might have one, they could have gotten internal IPs and just attempted to connect to each one listed in the router until they found one they could get into with enough space open to store what they wanted.
0
 

Author Comment

by:JayMulkey
ID: 16501687
Sounds plausible.  I know there are tons of books out there on Securing Your Network ... could you recommend one or two (not too technical)?
0
 
LVL 3

Expert Comment

by:mandude0
ID: 16501943
Maybe someone else could recommend some books. I learned the hard, fairly cheap, way using Google as situations merited ;o) I would certainly incorporate a good firewall. If you know anyone you can trust (assuming you aren't a Unix type person), I would recommend a solid computer hardware setup running OpenBSD with a couple of NICs as a firewall-only box. Works as well as or better than a $15000 enterprise-level PIX for around $1000 to $1500 (good hardware cost), which is great if you are on a limited budget and want/need solid protection. Nothing is 100%, but every little bit helps.

You may also want to set up domain policies regarding software installs.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16503045
Check out:

Hardening Windows Infrastructure

and

Hardening Network Infrastructure

both by Osborne / McGraw Hill publishing
0