[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

how can I tell if my SBS 2003 and network have been owned by a hacker?

Posted on 2006-10-30
4
Medium Priority
?
232 Views
Last Modified: 2010-04-19
I looked at my security logs this morning and found many suspicious events within the last 24 hours, including:

- my logon used while I was asleep
- there are more than 600 ANONYMOUS LOGON domain NT AUTHORITY events
- there are more than 300 logons from one of the machines on my network

I suspect my network has been hacked. Can some kind expert please help with these questions:
- are there any legitimate reasons why some process might logon on my behalf?
- why do machines logon? is there any possible legitimate reason a machine would logon so many times?
- are there other things I should investigate to confirm a network intrusion / compromise?
- is there a checklist somewhere of how to recover a compromised network?

Thanks.
0
Comment
Question by:bfitler
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17837790
Although you did not provide the Event ID's for these, which would help to explain them a bit better, I can give you a basic overview:

There are legitimate reasons why a process would logon under your account... if you used your account in the configuration of a particular program or service.  Often, people wrongly configure SQL server with their user account as the owner, or for the maintenance plan.  There might be a scheduled task that was created with your credentials.  Filter the security event log for ONLY these logons and see if there is a pattern, such as it being the same time every night, or once a week at the same time, etc.

Machines log on any time that machine needs to access any resource on the server.  I would be suspicious of a machine that has 300 logons in a 24-hour period only if it is significantly more than you have on any other machine, and only if there are a number of logons after-hours.  However, if a user does not log out of their computer, that machine would continue to check with the server every 15 minutes or so just to update it's Kerberos Security setting.  So, check to make sure that the user is logging out properly, and take a quick look to make sure that there isn't anything installed on the computer that shouldn't be there.

Anonymous Logons are quite common, are these Event 684 for Account Management?  Because 6very 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them.  If you had 3 or 4 members of any of these groups, you would easily see hundreds of events.   If you're seeing a rash of Event 538/540 Logon/Logoff then is there a specific machine name listed?  Because any machine that you have connected to your network which is not part of the domain will generate this event.

Things to investigate?
You can always check for a rootkit, which is a hacker program that runs below the radar (outside of the Windows OS) which is often used to take advantage of your storage space by creating a rogue FTP server.  Check for that with this: http://www.sysinternals.com/Utilities/RootkitRevealer.html

For a complete overview of what you need to know and do about securing your SBS Network, please see http://sbsurl.com/secnet

Jeff
TechSoEasy
0
 

Author Comment

by:bfitler
ID: 17843626
Great answer, Jeff - you've set my mind about 80% at ease. Some follow-ups:

- I looked closer at the times when my login was used. During one period, 19 events were recorded within 30 seconds (event IDs 538, 540, 576) on intervals ranging from 1h33m to 1h58m. I noticed a smaller number of correlated events in the security log on another computer. How can I track down the responsible application?

- Many of the ANONYMOUS logons are from machines on the network not joined to the domain, as you predicted. One of the computers in the domain, however, also generates ANONYMOUS logons (Event ID 540, Logon Type:3, Logon Process: NtLmSsp, Authentication Package: NTLM). How can I validate such events?

\bill
0
 

Author Comment

by:bfitler
ID: 17843778
Let me clarify first follow-up: the responsible process (identified in events 540) is Kerberos - but I can't tell whether I'm logging into the computer (presumably causing Kerberos to login as a result), or Kerberos is logging in for some other reason.
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 2000 total points
ID: 17845102
Kerberos is not something that would log in, it's a security protocol (http://en.wikipedia.org/wiki/Kerberos_(protocol)).

If you are getting Kerberos Type 3 errors, then that workstation either is not synchronizing it's clock with the server correctly (since Kerberos is based on a ticket system which requires time synchronization), or there is software installed on that workstation that's causing it.  So, I'd check the time sync first.

How to configure an authoritative time service in Windows 2003: http://support.microsoft.com/kb/816042
How to synchronize the time with the Windows Time service in Windows XP:  http://support.microsoft.com/kb/307897

Then if that doesn't do the trick, compare what is installed on that workstation with one that isn't causing the errors... that's about the easiest way to find the culprit.

As for finding the source for your logins, you might want to use something like this:
http://manageengine.adventnet.com/products/opmanager/download.html

The free version allows monitoring and management of up to 20 devices, usually enough for an SBS network.  I like their products since they work, and they are generally free for SBS-sized environments.

Jeff
TechSoEasy
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This guide is intended for migrating Windows 2003 Standard with Exchange 2003 to Windows Small Business Server 2008. You will need the following: Exchange Best Practice Analyzer: http://www.microsoft.com/downloads/details.aspx?FamilyID=DBAB201F-…
Introduction At 19:33 (UST) on Tuesday 21st September the long awaited email arrived with the subject title of “ANNOUNCING THE AVAILABILITY OF WINDOWS SBS 7 PREVIEW”.  It was time to drop whatever I was doing and dedicate as much bandwidth as possi…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question