Solved

Old admin hacking my network possibly

Posted on 2006-04-18
Last Modified: 2010-04-11
I have a question for the experts out there. More like input needed.

The old admin at my company was boasting to fellow former employees this weekend about how he can still get into our network, and knows what people are making, and has accessed financials. He was very angry when I met him when I first started. They paid him to come in and tell me passwords and show me how the network is set up. He was fired and that is why I am here. When I started I reset all admin passwords and VPN passwords. I think that he may have been just talking, but I cannot take the threat lightly.

I have just reset the telnet and enable passwords on all routers and the PIX. I reset the VPN username and passwords to complex ones. I have also reset the wireless key. I am going to have all users reset passwords. What am I missing? VPN is set up through the PIX, not with users' credentials, but there is a VPN user set up on the PIX. I do not know what other action to take. There are no invalid users in the directory.

Where would I look to see if someone was in besides the event log? I am going to make sure that success logon events are recorded as well as failures. The PIX only has 2 rules: one to allow all SMTP and HTTP traffic to our mail server for mail and OWA, and another to allow users to access outside sites. I want to make sure that I am not missing anything. Exactly what security events should I be logging to catch as much info as I need? Right now I have set up every success and failure event to log, but that may be excessive. This is a small network with only 30 people, not too complex, and running SBS 2003. The firewall is a PIX 506e.

Thanks all,
Mark

Question by:maderosia
17 Comments
 
LVL 9

Expert Comment

by:jabiii
ID: 16482134
You've already covered the basics: changing all the passwords etc.

Instead of killing yourself looking at new stuff, just look at all the allowed connections for, say, the past 30 days, and verify them as valid or not, looking closely at usernames etc., since those users might be on vacation or on a sales trip.
 
LVL 11

Assisted Solution

by:rvthost
rvthost earned 400 total points
ID: 16483230
You're doing it right by changing all the passwords. Any dial-in modems still floating around?
 
LVL 1

Expert Comment

by:jjparrott
ID: 16483301
You said you changed all domain admin passwords, right? Did you also change the built-in admin account password and the passwords of service accounts that may use privileged accounts?

I would also look at any accounts that may have been created before or after he left. He could have left a back-door account for future use. I would start with the accounts that have VPN access and disable any that can't be verified.

You could also watch the logon events to see who is logging on after hours that normally doesn't.
 
LVL 15

Expert Comment

by:Juan Ocasio
ID: 16483447
Also check the Administrators group in AD to see who is a member. Since you only have 30 accounts, I would make sure I checked each one, and disable any that you do not recognize and that are not built in. Also check the built-in groups: Domain Admins, Domain Guests, etc. And more importantly, check the permissions of the folders themselves to see who has access to the financial folders. This will tell you a lot and put your mind at ease.
 
LVL 15

Expert Comment

by:Juan Ocasio
ID: 16483451
PS: the only security event you could look for is unsuccessful attempts. The problem is, if he has access, his attempts will be successful...
 
LVL 1

Author Comment

by:maderosia
ID: 16483766
rvthost - good point that I did not think about, but there are no modems for remote access.

jjparrott - I have changed all local passwords on all servers and local machines since I have taken over the network. I have also checked all members of the Domain Admins group and any built-in accounts, and there are no members but myself.

jocasio - I will check the financial folder permissions.

Another colleague also brought it to my attention to make sure that LogMeIn or some other type of service is not running on any of the PCs that would allow for remote access, especially the PC of the person who does the financials.

I was not logging successful attempts before today, but as I mentioned in my post, I just changed it through Group Policy to log every success and failure attempt for every option. What do you experts log as far as this? What is recommended?

Tomorrow I plan on combing through the security event logs to see if there are successful logon attempts after hours. We are a 7:00 to 5:00 place, so there should be none after 6:00 at most.

Thanks for the input so far,
Mark
 
LVL 4

Accepted Solution

by:yurisk
yurisk earned 1200 total points
ID: 16485378
A good point to ponder: how far would he go to get even with the employer?

On one end are benign actions like rogue accounts or keeping the passwords that should have been invalidated already by what you've done so far. On the other, extreme, end are malicious/criminal actions like installing keyloggers, undetectable rootkits etc. that can, for example, send gathered information out through users' mailboxes or by connecting via SSL to some web site; the possibilities are unlimited. The really effective countermeasure against such warfare is one and one only: reinstalling all OSs from verified media (just changing passwords would do nothing against it).

Once again, it's just some thoughts to take into account.
"When everyone is actually out there to get you, paranoia is just good thinking" - Woody Allen.

Maybe it's still worth it to:
  - check login/startup/scheduled scripts;
  - check startup programs;
  - log the websites machines are connecting to (there can be collateral trophies, like someone downloading porn to buff up efficiency at work :);
  - monitor the mail addresses to which mail is being sent (of course, only if you could present your findings to management without being accused of 'spying');
  - scan your network for open ports.
 
LVL 32

Assisted Solution

by:jhance
jhance earned 400 total points
ID: 16485396
Please don't discount the possibility that this person may have installed some sort of rootkit or other trojan-type application that may continue to give him access even after passwords have been changed. Unfortunately, finding something like this can be very difficult since they hide themselves.

You might start with RootkitRevealer and see if it picks up anything. If you have any suspicion that something like this is in place, you should rebuild your server(s) from the installation CDs.

If you locate any evidence that this person is still accessing your systems, I suggest you contact law enforcement. In most places doing that is criminal. It will be difficult for him to continue if he's in jail...
 

Expert Comment

by:a_hic
ID: 16489454
Check that you don't have trojans or other malicious programs that are sending information outside your network. This applies if your old admin is an expert hacker.
 
LVL 9

Expert Comment

by:jabiii
ID: 16490260
Check for unauthorized/unknown equipment too.
 
LVL 4

Expert Comment

by:uberpoop
ID: 16494059
So, let me get this right: he already bragged to other employees of having illegally accessed your network, and even looked at financial records...

Sounds to me like someone just committed a serious crime (I think it is wire fraud in the US), and bragged about it to several 'witnesses'.
Yes, it was a good idea to change the passwords, but step 2 should be to call the cops.

If he did it across state lines you get to call the feds.
 
LVL 1

Author Comment

by:maderosia
ID: 16497574
Thank you all for the posts thus far. I have reset all users' passwords, wireless keys, admin, router, PIX and VPN passwords. Everything that I can think of. I have not noticed, nor can I find, any unusual access. I cannot find any programs like LogMeIn or VNC. If it were my decision I would contact the authorities, but the person is well liked at this place and they will not do that.

Now that I have enabled every security event, my event log is filling up fast with normal events. What is the best practice for logging events? I know the more I log the better, but is that usual? I want to log enough to detect events and not worthless success data that is normal. I asked this in my post but have no answers about this part.


Mark
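The after-hours logon hunt Mark describes, together with the "too much success data" complaint, comes down to filtering: keep success and failure auditing on, but only surface logons that are out of hours, from accounts you cannot vouch for, or over Terminal Services, plus any account-management events (a back-door account has to be created or added to a group at some point). The script below is an added example, not code from the thread or from any of its participants. It assumes a Security log exported from Event Viewer into CSV with the columns Date, Time, EventID, User, LogonType, Source (a real export has a different column order, so map your columns onto these), uses the pre-Vista Windows 2000/2003 Security event IDs, and works over constructed sample lines and an assumed known-user list.

```python
"""Triage an exported Windows Server 2003 Security log for the signs
discussed in this thread: successful logons after hours or on weekends,
logons by accounts not on a known-user list, Terminal Services logons,
failed logons that are themselves out of hours or from unknown accounts,
and account/group-membership changes.

Event IDs are the pre-Vista (Windows 2000/2003) Security log numbers.
The CSV layout below is an assumption: map the columns of your own
Event Viewer export onto it. The sample lines are constructed.
"""
import csv
import io
from datetime import datetime, time

SUCCESS_LOGON = {528, 540}                  # interactive / network logon succeeded
FAILED_LOGON = {529, 530, 531, 532, 533, 534, 535, 539}
ACCOUNT_MGMT = {                            # the events a back-door account leaves behind
    624: "user account created",
    632: "member added to global group",
    636: "member added to local group",
}
TERMINAL_SERVICES = "10"                    # logon type 10 = RemoteInteractive (RDP)

# The site works 7:00 to 5:00; 18:00 leaves an hour of slack for stragglers.
DAY_START, DAY_END = time(7, 0), time(18, 0)

# Constructed sample export (assumed columns): Date,Time,EventID,User,LogonType,Source
SAMPLE_CSV = """\
Date,Time,EventID,User,LogonType,Source
2006-04-18,08:05:12,528,DOMAIN\\jsmith,2,WS01
2006-04-18,09:15:40,540,DOMAIN\\SBS01$,3,SBS01
2006-04-18,12:30:01,529,DOMAIN\\jsmith,2,WS01
2006-04-18,23:41:07,528,DOMAIN\\backupsvc,10,10.0.0.15
2006-04-19,02:13:55,540,DOMAIN\\helpdesk2,3,10.0.0.15
2006-04-19,02:15:02,632,DOMAIN\\helpdesk2,,SBS01
2006-04-22,10:00:00,528,DOMAIN\\jsmith,2,WS01
"""

# Assumed known-good list: every human and service account you can vouch for.
KNOWN_USERS = {"mark", "jsmith", "backupsvc"}


def parse_export(text):
    """Parse the CSV export into dicts with a datetime and a bare account name."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["EventID"] = int(row["EventID"])
        row["When"] = datetime.strptime(row["Date"] + " " + row["Time"], "%Y-%m-%d %H:%M:%S")
        row["Account"] = row["User"].split("\\")[-1]   # strip the DOMAIN\ prefix
        rows.append(row)
    return rows


def is_machine_account(name):
    """Computer accounts (trailing $) log on constantly; they are noise here."""
    return name.endswith("$")


def after_hours(when):
    """True outside 07:00-18:00 or on Saturday/Sunday."""
    t = when.time()
    return when.weekday() >= 5 or t < DAY_START or t > DAY_END


def triage(rows, known_users):
    """Return (when, account, event_id, reason) for every row worth a human look."""
    known = {u.lower() for u in known_users}
    findings = []
    for row in rows:
        acct, eid = row["Account"], row["EventID"]
        if is_machine_account(acct):
            continue
        reasons = []
        if eid in SUCCESS_LOGON or eid in FAILED_LOGON:
            if after_hours(row["When"]):
                reasons.append("after-hours")
            if acct.lower() not in known:
                reasons.append("unknown account")
            if eid in SUCCESS_LOGON and row["LogonType"] == TERMINAL_SERVICES:
                reasons.append("Terminal Services logon")
            if eid in FAILED_LOGON and reasons:
                reasons.insert(0, "failed logon")   # a lone daytime typo by a known user is dropped
        elif eid in ACCOUNT_MGMT:
            reasons.append(ACCOUNT_MGMT[eid])
        if reasons:
            findings.append((row["When"], acct, eid, ", ".join(reasons)))
    return findings


def report(findings):
    """Render findings one per line, oldest first."""
    return [f"{when:%Y-%m-%d %H:%M:%S}  {acct:<12} {eid}  {why}"
            for when, acct, eid, why in sorted(findings)]


if __name__ == "__main__":
    for line in report(triage(parse_export(SAMPLE_CSV), KNOWN_USERS)):
        print(line)
```

On the constructed sample this reduces seven events to four lines: a Terminal Services logon by a service account at 23:41, a network logon by an account that is not on the list at 02:13, that same account being added to a global group two minutes later, and a known user logging on on a Saturday. The daytime failed logon by a known user and the computer account's logons are dropped, which is the point: leave the audit policy broad, and put the selectivity in the review, not in what gets recorded.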
 
LVL 32

Expert Comment

by:jhance
ID: 16497866
I still think it's unwise to discount the possibility of a rootkit or rootkit-type application. These can hide themselves from detection and logs since they operate at the Windows kernel level.

Did you try the excellent (and free) tool RootkitRevealer? I strongly recommend you try it:

http://www.sysinternals.com/Utilities/RootkitRevealer.html
 
LVL 1

Author Comment

by:maderosia
ID: 16497999
I have downloaded this tool and I am using it. Sorry I did not reveal that. It is a good tool. I started it on my PC yesterday to get familiar with it, and I am going to run it on the server.

Thanks,
Mark
 
LVL 2

Expert Comment

by:captjjt
ID: 16500579
You have taken some sound measures and, chances are, the ex-admin is just talkin' *%$@!

I am by no means a security expert, but I am aware that most networks are like Tootsie Pops: hard and crunchy on the outside, with a nice chewy center. LOL

Did you bother to force password changes on all the end users? Chances are, if he worked there for any length of time, he knows some of their passwords. Especially execs; they seem to be the laziest and want to be above policy.

Use complex passwords, and force frequent changes, at least every 60 days if not less.

Turn on auditing on the financials and monitor account management events.

Get a good intrusion detection system: www.snort.org or www.winsnort.com. Snort is about the best and it's free.

Sleep tight.

Cheers.

 
LVL 2

Expert Comment

by:captjjt
ID: 16500641
Also, did you call the police? Many police departments have computer crimes divisions. There is nothing to press charges for, but perhaps one of the nice detectives can give him a phone call and rattle his cage. Cops enjoy that kind of thing, and the ex-admin will be scared out of his wits.
 
LVL 1

Author Comment

by:maderosia
ID: 16525142
Thank you all for the help. I awarded points based on the extra information provided for me to check and secure. I have been monitoring events and nothing seems out of the ordinary. No excessive web usage or after-hours logins. Every password imaginable has been changed, to no delight of the users.

Thanks again.

Question has a verified solution.