Solved

opinion needed--were we hacked?

Posted on 2006-11-07
5
161 Views
Last Modified: 2013-12-04
Here's the situation...a few weeks ago, the backup mysteriously stopped running, no error messages or anything; it just stopped about 10% of the way through. Two weeks after that, the Windows server suddenly got infected with an assortment of nearly 200 viruses and trojans simultaneously. In the midst of that, a critical database disappeared...

We also saw a number of VNC logins, both around the time the backup stopped and the time of the virus release. Just a handful each time, not dozens or hundreds. And the IP addresses in the logs showed logins coming from sites around the world.

So...I can't think of any explanation other than that we were hacked by an insider. It seems like too many coincidences to be anything else. However, it's a pretty serious charge, and if there's any other likely or even reasonable explanation, I need to know.

One more bit of info that may be biasing us--or maybe not--is that a former employee made threats and would have been able to guess the password if he didn't already know it. He's the one who set up VNC on the server.


Thoughts, advice, insights? Your help is much appreciated!

Wendy
0
Comment
Question by:cioservices
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 39

Accepted Solution

by:
redseatechnologies earned 200 total points
ID: 17895160
The backups and the viruses could be a mistake - disappearing databases is what is making me wonder.

There are known vulnerabilities in RealVNC, depending on the version - and assuming you have RealVNC as you VNC program.

The fact that someone threatened to do it, and it shows someone log in around that time - i would imagine it is almost certain a hack

Call the cops!

-red
0
 
LVL 9

Assisted Solution

by:trenes
trenes earned 150 total points
ID: 17895921
Hi redseatechnologies,

Yup this is an issue for the FBI.
If you want to have a VNC server make sure it can only accept localhost connections.
Then use eg. SSL explorer www.3sp.com to create a tunnel from the remote client to the server.


Cheers!
0
 
LVL 4

Assisted Solution

by:StonewallJacoby
StonewallJacoby earned 150 total points
ID: 17903695
Yeah, you gotta change passwords when someone leaves for ANY reason.

I can confirm there are vulns in some versions of VNC, but you don't need a vuln if you know the password.

Proper forensic treatment of the affected machines is important if you want to prosecute.  It's probably too late for that.

I have never had to terminate a client relationship, but making THEM change MY passwords is on my list of things to do should it happen.
0
 

Author Comment

by:cioservices
ID: 17919623
Thanks for the info...we pulled in a forensic expert from OnTrack and he confirmed our suspicions. Getting hard evidence is another thing entirely--but this definitely shows the signs of a deliberate, insider hack.

I really appreciate your thoughts! This is a huge impact for our client, and given what's at stake I didn't want to be wrong with our advise.

Normally we do advise to change passwords--this was an unusual situation where the guy stayed on to help for a while in a consulting role, but recently some things happened to make him disgruntled and we weren't told. This was so preventable!!!

Thanks again...
Wendy
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17920409
Best of luck with it Wendy!

Thanks

-red
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question