We recently had someone remotely log in to our server and download some movies. How can we learn who it was?

The person was able to log in with the administrator's username and password (unless they were able to bypass this step somehow). We're using Win2K SP4. I'm assuming the person now intends to come into our building, log in to our network, and transfer the files over to their laptop or PC. How can we learn who it is/was?
Asked by JayMulkey
JayMulkey (author) commented:
PS:  the movies were being downloaded to the HD on the Server.
einsteinjr79 commented:
Sniff the packets on the network using a sniffer program.
NacMacFeegle commented:
Change the administrator username and password, then increase security logging for failed login attempts to see if they do it again (can't remember the reference, but this is on the MS site). Do you know what time of day / day of the week this happened? (You can then search building access records to see who was in.) Is your server physically secure? Sniffing network packets will only tell you what's happening now, as opposed to previous traffic. Do you have CCTV in the building?
TheCleaner commented:
I'll take a shot and say your server was hacked, and is now a bastion host for file sharing.

Run HijackThis and Ad-Aware on it, along with a virus scan.

Also, check and see if FTP ports are listening, or file sharing ports are listening by doing a netstat -a -n from a command prompt.
TheCleaner commented:
LOL, well I said bastion host above, but I simply meant host...trying to type in 2 EE threads at once isn't easy...
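An added example, not code from the thread, of the check TheCleaner describes: it parses the text that `netstat -a -n` prints on Windows and flags (a) listening ports that are not on an allow-list of what the file server is supposed to expose and (b) established connections whose peer is outside the LAN. The netstat output, the allow-list and the port labels are constructed for the example; the addresses come from documentation ranges. The `-o` switch that maps a socket to a process ID does not exist in the Windows 2000 netstat, so on that platform a flagged port still has to be matched to a service or process by hand (Task Manager, the Services list, or a Sysinternals tool such as TCPView).

```python
import ipaddress
import re

# Constructed sample of `netstat -a -n` output in the Windows layout; NOT captured
# from the asker's server. 192.168.1.10 is the server, 192.168.1.44 a LAN client.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6881           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.44:1052      ESTABLISHED
  TCP    192.168.1.10:6881      203.0.113.57:51234     ESTABLISHED
  TCP    192.168.1.10:6881      198.51.100.9:40112     ESTABLISHED
  TCP    192.168.1.10:21        203.0.113.57:51301     ESTABLISHED
  UDP    0.0.0.0:6881           *:*
"""

# What a Windows 2000 file server on a LAN is expected to listen on (an assumption
# for this example: RPC endpoint mapper plus SMB over NetBIOS and over TCP).
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445)}

# Labels for ports that usually mean "files are being moved"; anything else is "unknown".
PORT_LABELS = {21: "FTP", 139: "SMB/NetBIOS", 445: "SMB"}
PORT_LABELS.update({p: "BitTorrent" for p in range(6881, 6890)})

# Explicit RFC 1918 + loopback ranges. ipaddress.is_private is deliberately not used:
# it also reports documentation ranges such as 203.0.113.0/24 as private.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# One socket line: proto, local endpoint, foreign endpoint, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'192.168.1.10:6881' -> ('192.168.1.10', 6881); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -a -n output into a list of socket records; header lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        records.append({
            "proto": proto,
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": state or "",
        })
    return records


def is_external(host):
    """True for a parseable IP address that lies outside the LAN ranges above."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or a non-numeric token
    return not any(addr in net for net in LAN_NETWORKS)


def triage(records, expected=EXPECTED_LISTENERS):
    """Report listeners missing from the allow-list and established connections from outside."""
    unexpected = sorted({
        (r["proto"], r["local_port"])
        for r in records
        if (r["state"] == "LISTENING" or r["proto"] == "UDP")
        and (r["proto"], r["local_port"]) not in expected
    })
    external = sorted({
        (r["foreign_host"], r["local_port"])
        for r in records
        if r["state"] == "ESTABLISHED" and is_external(r["foreign_host"])
    })
    return {
        "unexpected_listeners": [(p, port, PORT_LABELS.get(port, "unknown"))
                                 for p, port in unexpected],
        "external_connections": [(host, port, PORT_LABELS.get(port, "unknown"))
                                 for host, port in external],
    }


if __name__ == "__main__":
    report = triage(parse_netstat(SAMPLE_NETSTAT))
    for proto, port, label in report["unexpected_listeners"]:
        print(f"unexpected listener {proto}/{port} ({label})")
    for host, port, label in report["external_connections"]:
        print(f"external peer {host} connected to local port {port} ({label})")
```

On the server itself, `netstat -a -n > netstat.txt` and feed that file to `parse_netstat`. On the constructed sample the report shows an FTP listener and BitTorrent listeners that the allow-list does not cover, and two outside peers attached to them, which is the "used as a file-sharing host" picture the thread converges on. Adjust `EXPECTED_LISTENERS` to what the box is actually meant to run before trusting the "unexpected" list.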
NacMacFeegle commented:
Oops, d'oh! Should have asked if your network is accessible from the outside world. If so, you need to check ALL your servers: if someone has hacked one of them with the domain admin password, then you need to audit and scan all boxes for viruses, trojans, etc. Also check to see if all servers are fully patched. What was the function of the server which was hacked? (Did it run IIS / SQL / etc.?) And is there internet access to your LAN?
mandude0 commented:
I agree with the above statement on changing the user/pass for admin and the ad/spyware/virus checks. Above that, do a network audit to see who all is in the Administrators group. That might help to narrow down any possible insiders. I would also look into what services are running on the server and set to manual or disabled any services not needed (Telnet, FTP, IIS, or whatever function the server doesn't need).

Track off-hours work. Look for people coming in early and logging in or staying late. These are just suggestions. Without more info about the situation it is hard to say for sure what would need to be done.
r-k commented:
I also agree with those who said that this is most likely some outside hacker who is using this to store bootleg movies, and not anyone of your users.

In addition to what has been suggested already, download and run RootkitRevealer from:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html

and save the log if it finds anything suspect. You may need it later.
JayMulkey (author) commented:
Thanks for all the suggestions.  I think we will move to a more secure login process as well as turn off services our server(s) don't need to have running.  We believe the user intended to come into our building at a later date and transfer the files from the server (shared with all authorized users) to his/her laptop.

Is my understanding correct:  we (the administrators) could login using our personal username and password?  Or would it be better to change the administrator login UN and PW?

We do have CCTV but our employees come and go at all hours.  Only a stranger would be noticed.

It just occurred to me... I can watch for the disappearance of the files and see who was logged on at that time, yes? I expect it to happen soon.

Stay tuned.  Thanks again.
r-k commented:
You can set up file-level auditing:

 http://www.setup32.com/network-administration/windows-2000-server/windows-2000-server-auditing.php

I still think it's unlikely to be one of your users, though I suppose anything is possible.
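An added example, not part of r-k's answer or of the linked page, of what file-level auditing gives you once it is switched on, and of the correlation the asker wants ("see who was logged on at that time"). Two caveats first: on Windows 2000 object access lands in the Security log only after "Audit object access" is enabled in the audit policy AND a SACL is set on the folder, and it records accesses from that moment on, so it cannot explain the original download. The code correlates constructed, simplified log rows: a successful network logon (event 540) supplies account, logon ID and workstation; an object open (event 560) under the watched folder supplies the logon ID that did it. The logon ID is the join key, which is also why mandude0's point below about separate admin accounts matters: a shared "Administrator" still resolves to distinct sessions. The column layout, paths and workstation names are this example's assumptions, not a real export format.

```python
import csv
import io
from collections import defaultdict

# Constructed, simplified export of a Windows 2000 Security log; NOT from the asker's
# server. Event 540 = successful network logon, 560 = object open. A real export has
# many more columns; this layout, the paths and the workstation names are assumptions.
SAMPLE_LOG = """time,event_id,user,logon_id,workstation,object
2005-03-01 18:02:11,540,Administrator,0x2A41F,WS-ACCOUNTING,
2005-03-01 18:03:40,560,Administrator,0x2A41F,,D:\\Shared\\Movies\\film1.avi
2005-03-01 18:05:02,560,Administrator,0x2A41F,,D:\\Shared\\Movies\\film2.avi
2005-03-01 19:10:55,540,jsmith,0x2B900,WS-SALES07,
2005-03-01 19:11:30,560,jsmith,0x2B900,,D:\\Shared\\Reports\\q1.xls
2005-03-01 22:41:09,540,Administrator,0x2C117,WS-UNKNOWN,
2005-03-01 22:42:00,560,Administrator,0x2C117,,D:\\Shared\\Movies\\film1.avi
"""

WATCHED_PREFIX = r"D:\Shared\Movies"   # folder carrying the audit SACL (assumed path)
NETWORK_LOGON = "540"
OBJECT_OPEN = "560"


def parse_log(text):
    """Read the CSV export into a list of row dicts, preserving log order."""
    return list(csv.DictReader(io.StringIO(text)))


def correlate(rows, watched_prefix=WATCHED_PREFIX):
    """Attach each audited open under watched_prefix to the logon session that made it.

    540 records account + workstation under a logon ID; 560 records the same logon ID
    next to the object name. Sessions are kept as a dict so a later logon with the
    same ID (IDs are reused after reboot) replaces the stale one.
    """
    sessions = {}   # logon_id -> (account, workstation, logon time)
    hits = []
    for row in rows:
        if row["event_id"] == NETWORK_LOGON:
            sessions[row["logon_id"]] = (row["user"], row["workstation"], row["time"])
        elif row["event_id"] == OBJECT_OPEN and row["object"].startswith(watched_prefix):
            # No preceding logon (log rotated, or an interactive console session):
            # the event still names the account, but the workstation is unknown.
            user, workstation, since = sessions.get(
                row["logon_id"], (row["user"], "?", "?"))
            hits.append({
                "time": row["time"], "object": row["object"], "user": user,
                "workstation": workstation, "logon_id": row["logon_id"],
                "session_start": since,
            })
    return hits


def sessions_by_account(hits):
    """Group hits by account, keeping (logon ID, workstation) pairs distinct."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["user"]].add((h["logon_id"], h["workstation"]))
    return {user: sorted(pairs) for user, pairs in grouped.items()}


if __name__ == "__main__":
    hits = correlate(parse_log(SAMPLE_LOG))
    for h in hits:
        print(f'{h["time"]}  {h["object"]}  by {h["user"]} from {h["workstation"]} '
              f'(logon {h["logon_id"]}, since {h["session_start"]})')
    print(sessions_by_account(hits))
```

On the constructed rows the two evening accesses to the Movies folder both come from "Administrator", but the logon IDs split them into a session from WS-ACCOUNTING and a later one from WS-UNKNOWN, which is exactly the distinction a single shared admin password destroys. If an open under the watched folder shows up with no matching 540, the access came through a session the log no longer covers, and the workstation has to be recovered from elsewhere (DHCP leases, switch logs, the `net session` listing at the time).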
mandude0 commented:
Yes, you can set up users in the Administrators group. Changing the name of Administrator would be a good idea, as it would make the person have to guess the username instead of just typing administrator. Keeping individual users in the Administrators group can help you keep the logged-in users separated. You don't want to guess which of the 5 "administrator" sessions was accessing which files and when.

It's possible that you might have just been used as a temp repository for someone's illegal file shares. I wouldn't doubt if there were mirrored servers in other locations sharing files to minimize bandwidth usage and prolonging the time before the hack will be null for those leeching their files.
TheCleaner commented:
=======
It just occurred to me... I can watch for the disappearance of the files and see who was logged on at that time, yes? I expect it to happen soon.
========


The person is highly unlikely to come to the building and get the data.  If they can access it remotely the first time to download the movies to your computer then they can access them again remotely to grab the files again.

Did you check my post completely?  You really need to check and see what ports are being listened on at this point, and check and see if any strange processes are running on the machine.

I'm still betting you are being used as a host for file sharing.
GCWPITSolutions commented:
Recommended practice is to disable the admin account and create new administrative accounts for specific tasks (e.g. backup users, user admin). Also, strong passwords should be enabled, and the less intuitive the admin user names are the better (i.e. don't call your backup admin account Backup Admin).

You can give administrative rights to all admin users' standard logon accounts, but this is not recommended; they should have specific admin accounts to be used only when they are performing administrative tasks. (This helps minimise the potentially damaging mistakes being made by users with admin access.)

That should prevent anyone you do not wish to from obtaining admin access to your network (as much as possible).
TheCleaner commented:
So what happened?
JayMulkey (author) commented:
We took several of the suggestions: changed the way administrators access the servers; log activities on certain servers; etc.   We moved the movies off the server to a safe location (in case they belonged to one of the users here in the building who did not know this was not okay to do).

No one has come forward asking about them.

[am I correct in my thinking that it had to be someone who would later come into the building to transfer the files to their laptop or other storage device?  Otherwise, what would be the benefit in TIME to downloading them to a server and then downloading them from the server - over the Internet - to their home PC?]
mandude0 commented:
I think it might have been someone that was just using your server as a temp storage device and retrieving them later. Were there any P2P apps installed (torrent client, Limewire, eMule, eDonkey, etc.)? They may have been using your bandwidth to grab the movies and build "credit" with a transfer server and just downloading the movies when they finished. I have read about people doing things like that to keep their own bandwidth from being eaten up by constant large file transfers.

Just a guess.
TheCleaner commented:
like mandude0 said, that was my original thought...it's pretty common.
r-k commented:
I'll make it unanimous - it's someone outside your network using your space/bandwidth..
JayMulkey (author) commented:
Yes, there was some kind of BitTorrent program running.

What are the chances this could have been done by someone who did not know the administrator's password?  
mandude0 commented:
The chances are good that someone, maybe outside your company, created their own administrator account or sniffed your network to get it. Do you run wireless in your company? Even using WEP someone might have parked outside and just tossed packets at it until they got enough information to build a good hash file and crack the administrator password. If they were able to access your wireless router, assuming you might have one, they could have gotten internal IPs and just attempted to connect to each one listed in the router until they found one they could get into with enough space open to store what they wanted.
JayMulkey (author) commented:
Sounds plausible. I know there are tons of books out there on securing your network... could you recommend one or two (not too technical)?
mandude0 commented:
Maybe someone else could recommend some books. I learned the hard, fairly cheap, way using Google as situations merited ;o) I would certainly incorporate a good firewall. If you know anyone you can trust (assuming you aren't a Unix type person), I would recommend a solid computer hardware setup running OpenBSD with a couple of NICs as a firewall-only box. Works as well as or better than a $15000 enterprise-level PIX for around $1000 to $1500 (good hardware cost), which is great if you are on a limited budget and want/need solid protection. Nothing is 100%, but every little bit helps.

You may also want to set up domain policies regarding software installs.
TheCleaner commented:
Check out:

Hardening Windows Infrastructure

and

Hardening Network Infrastructure

both by Osborne / McGraw Hill publishing