Old admin hacking my network possibly

I have a question for the experts out there. More like input needed.
The old admin at my company was boasting to fellow former employees this weekend about how he can still get into our network and knows what people are making and has accessed financials. He was very angry when I met him when I first started. They paid him to come in and tell me passwords and show me how the network is set up. He was fired and that is why I am here. When I started I reset all admin passwords and VPN passwords. I think that he may have been just talking but I can not take the threat lightly. I have just reset the telnet and enable passwords on all routers and the PIX. I reset the VPN username and passwords to complex ones. I have also reset the wireless key. I am going to have all users reset passwords. What am I missing? VPN is set up through the PIX. Not users' credentials, but there is a VPN user set up on the PIX. I do not know what other action to take. There are no invalid users in the directory. Where would I look to see if someone was in besides the event log? I am going to make sure that success logon events are recorded as well as failures. The PIX only has 2 rules. One to allow all SMTP and HTTP traffic to our mail server for mail and OWA. Another to allow users to access outside sites. I want to make sure that I am not missing anything. Exactly what security events should I be logging to catch as much info as I need? Right now I have set up every success and failure event to log but that may be excessive. This is a small network with only 30 people. Not too complex and running SBS 2003. The firewall is a PIX 506e.

Thanks all,


You've already covered the basics: changing all the pwds etc.

Instead of killing yourself looking at new stuff, just look at all the allowed connections for, say, the past 30 days and verify them as valid or not, looking closely at usernames etc., since those users might be on vacation or on a sales trip etc.
You're doing it right by changing all the passwords.  Any dial-in modems still floating around?
You said you changed all domain admin passwords, right?  Did you also change the built in admin account password and the passwords of service accounts that maybe use privileged accounts?

I would also look at any accounts that may have been created before or after he left.  He could have left a back door account for future use.  I would start with the accounts that have vpn access and disable any that can't be verified.  

You could also watch the logon events to see who is logging on after hours that normally doesn't.
Juan Ocasio, Application Developer, commented:
Also check the Administrators group in AD to see who is a member.  Since you only have 30 accounts I would make sure I checked each one, and disable any that you do not recognize and are not built in.  Also check the built-in groups, Domain Admins, Domain Guests, etc.  And more importantly check the permissions of the folders themselves to see who has access to the financial folders.  This will tell you a lot and put your mind at ease.
Juan Ocasio, Application Developer, commented:
PS: the only security event you could look for is unsuccessful attempts.  The problem is if he has access, his attempts will be successful...
maderosia (Author) commented:
rvthost - good point that I did not think about but there are no modems for remote access.

jjparrott - I have changed all local passwords on all servers and local machines since I have taken over the network. I have also checked all members of the domain admin accounts and any built-in account and there are no members but myself.

jocasio - I will check the financial folder permissions.

Another colleague also brought it to my attention to make sure that LogMeIn or some other type of service is not running on any of the PCs that would allow for remote access. Especially the PC of the person who does the financials.

I was not logging successful attempts before today but, as I mentioned in my post, I just changed it through group policy to log every success and failure attempt for every option. What do you experts log as far as this? What is recommended?

Tomorrow I plan on combing through the security event logs to see if there are successful logon attempts after hours. We are a 7:00 to 5:00 place so there should be none after 6:00 at most.

Thanks for the input so far,
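Added example, not code from this thread: a small Python script that applies the two checks discussed above (successful logons outside the 7:00 to 18:00 window, and logons by accounts not on a known roster) to a constructed CSV export of a Windows 2003 security log. The column layout, the sample rows and the roster of known users are assumptions; event IDs 528 and 540 are the successful interactive and network logon events on Windows 2003.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample in the column layout Event Viewer uses when a log is
# saved as CSV: Date, Time, Type, Source, Category, Event, User, Computer.
SAMPLE_LOG = """\
03/12/2007,08:02:11,Success Audit,Security,Logon/Logoff,528,DOMAIN\\jsmith,FS01
03/12/2007,12:30:05,Success Audit,Security,Logon/Logoff,540,DOMAIN\\Administrator,FS01
03/12/2007,21:47:39,Success Audit,Security,Logon/Logoff,540,DOMAIN\\finance,FS01
03/12/2007,23:15:02,Failure Audit,Security,Logon/Logoff,529,DOMAIN\\oldadmin,FS01
03/13/2007,02:05:44,Success Audit,Security,Logon/Logoff,528,DOMAIN\\tempacct,FS01
"""

# 528 = successful interactive logon, 540 = successful network logon (Windows 2003).
SUCCESS_LOGON_IDS = {"528", "540"}
# Business hours as stated in the thread (7:00 to 5:00, nobody after 6:00).
WORK_START, WORK_END = time(7, 0), time(18, 0)
FIELDS = ["date", "time", "type", "source", "category", "event", "user", "computer"]


def flag_logons(csv_text, known_users, start=WORK_START, end=WORK_END):
    """Return (after_hours, unknown_user): lists of (timestamp, user, event_id).

    Only successful logons are considered; failures (529) are skipped because
    the concern here is access that worked, not access that was refused.
    """
    after_hours, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text), fieldnames=FIELDS):
        if row["event"] not in SUCCESS_LOGON_IDS:
            continue
        stamp = datetime.strptime(f'{row["date"]} {row["time"]}', "%m/%d/%Y %H:%M:%S")
        user = row["user"].split("\\")[-1].lower()   # strip the DOMAIN\ prefix
        entry = (stamp, user, row["event"])
        if not (start <= stamp.time() <= end):
            after_hours.append(entry)
        if user not in known_users:
            unknown.append(entry)
    return after_hours, unknown


if __name__ == "__main__":
    # Constructed roster of accounts the admin recognises.
    roster = {"jsmith", "administrator", "finance"}
    late, strange = flag_logons(SAMPLE_LOG, roster)
    for stamp, user, event in late:
        print(f"after hours: {stamp} {user} (event {event})")
    for stamp, user, event in strange:
        print(f"unknown account: {stamp} {user} (event {event})")
```

Run it against a real export by reading the saved CSV into `flag_logons` and replacing the roster with the accounts actually listed in Active Directory Users and Computers.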
Good point to ponder on - how far would he go to get even with the employer?
On one end are benign actions like rogue accounts or keeping the passwords that should have been invalidated already by what you've done so far. On the other, extreme, end are malicious/criminal actions like installing keyloggers, undetectable rootkits etc. that can, for example, send gathered information through users' mailboxes or connect via SSL to some web site - possibilities are unlimited. The really effective countermeasure against such warfare is one and only one - reinstalling all OSs from verified media (just changing passwords would do nothing to it).

Once again it's just some thoughts to take into account.
"When everyone is actually out there to get you, paranoia is just good thinking"  -Woody Allen.

Maybe it's still worth it to:
  - check login/startup/scheduled scripts;
  - check startup programs;
  - log websites machines are connecting to (there can be collateral trophies like someone downloading porno to buff up efficiency at work :);
  - monitor mail addresses to where the mail is being sent (of course in case you could present your findings to management without being accused of 'spying');
  - scan your network for open ports.

Please don't discount the possibility that this person may have installed some sort of rootkit or other trojan-type application that may continue to give him access even after passwords have been changed.  Unfortunately finding something like this can be very difficult since they hide themselves.

You might start with RootKit Revealer and see if it picks up anything.  If you have any suspicion that something like this is in place you should rebuild your server(s) from the installation CDs.

If you locate any evidence that this person is still accessing your systems, I suggest you contact law enforcement.  In most places doing that is criminal.  It will be difficult for him to continue if he's in jail...
Check if you haven't got a trojan or other malicious programs that are sending information outside your network. This is if your old admin is an expert hacker.
Check for unauthorized/unknown equipment too.
So, let me get this right - he already bragged to other employees of illegally accessing your network, and even looking at financial records...

Sounds to me like someone just committed a serious crime (I think it is Wire Fraud in the US), and bragged about it to several 'witnesses'.
Yes, it was a good idea to change the passwords, but step 2 should be to call the cops.

If he did it across state lines you get to call the feds.
maderosia (Author) commented:
Thank you all for the posts thus far. I have reset all users' passwords, wireless keys, admin, router, PIX and VPN passwords. Everything that I can think of. I have not noticed nor can I find any unusual access. I can not find any programs like LogMeIn or VNC. If it were my decision I would contact the authorities but the person is well liked at this place and they will not do that.

Now that I have enabled every security event my event log is filling up fast with normal events. What is the best practice to log events? I know the more I log the better but is that usual? I want to log enough to detect events and not worthless success data that is normal. I asked this in my post but have no answers about this part.

I still think it's unwise to discount the possibility of a rootkit or rootkit-type application.  These can hide themselves from detection and logs since they operate at the Windows kernel level.

Did you try the excellent (and free) tool RootKit Revealer?  I strongly recommend you try it:

maderosia (Author) commented:
I have downloaded this tool and I am using it. Sorry I did not reveal that. It is a good tool. I started it on my PC yesterday to get familiar and I am going to run it on the server.

You have taken some sound measures and, chances are, the ex admin is just talkin *%$@!

I am by no means a security expert but I am aware that most networks are like tootsie pops: hard and crunchy on the outside, with a nice chewy center. LOL

Did you bother to force password changes on all the end users? Chances are if he worked there for any length of time he knows some of their passwords. Especially execs, they seem to be the laziest and want to be above policy.

Use complex passwords, force frequent changes, at least every 60 days if not less.

Turn on auditing on the financials and monitor account management events.

Get a good intrusion detection system: www.snort.org or www.winsnort.com. Snort is about the best and it's free.

Sleep tight.


Also, did you call the police? Many police departments have computer crimes divisions. There is nothing to press charges for but perhaps one of the nice detectives can give him a phone call and rattle his cage. Cops enjoy that kind of thing and the ex admin will be scared out of his wits.
maderosia (Author) commented:
Thank you all for the help. I awarded points based on extra information provided for me to check and secure. I have been monitoring events and nothing seems out of the ordinary. No excessive web usage or after hours logins. Every password imaginable has been changed, to no delight of the users.

Thanks again.