Solved

opinion needed--were we hacked?

Posted on 2006-11-07
5
162 Views
Last Modified: 2013-12-04
Here's the situation...a few weeks ago, the backup mysteriously stopped running, no error messages or anything; it just stopped about 10% of the way through. Two weeks after that, the Windows server suddenly got infected with an assortment of nearly 200 viruses and trojans simultaneously. In the midst of that, a critical database disappeared...

We also saw a number of VNC logins, both around the time the backup stopped and the time of the virus release. Just a handful each time, not dozens or hundreds. And the IP addresses in the logs showed logins coming from sites around the world.

So...I can't think of any explanation other than that we were hacked by an insider. It seems like too many coincidences to be anything else. However, it's a pretty serious charge, and if there's any other likely or even reasonable explanation, I need to know.

One more bit of info that may be biasing us--or maybe not--is that a former employee made threats and would have been able to guess the password if he didn't already know it. He's the one who set up VNC on the server.


Thoughts, advice, insights? Your help is much appreciated!

Wendy
0
Comment
Question by:cioservices
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 39

Accepted Solution

by:
redseatechnologies earned 200 total points
ID: 17895160
The backups and the viruses could be a mistake - disappearing databases is what is making me wonder.

There are known vulnerabilities in RealVNC, depending on the version - and assuming you have RealVNC as you VNC program.

The fact that someone threatened to do it, and it shows someone log in around that time - i would imagine it is almost certain a hack

Call the cops!

-red
0
 
LVL 9

Assisted Solution

by:trenes
trenes earned 150 total points
ID: 17895921
Hi redseatechnologies,

Yup this is an issue for the FBI.
If you want to have a VNC server make sure it can only accept localhost connections.
Then use eg. SSL explorer www.3sp.com to create a tunnel from the remote client to the server.


Cheers!
0
 
LVL 4

Assisted Solution

by:StonewallJacoby
StonewallJacoby earned 150 total points
ID: 17903695
Yeah, you gotta change passwords when someone leaves for ANY reason.

I can confirm there are vulns in some versions of VNC, but you don't need a vuln if you know the password.

Proper forensic treatment of the affected machines is important if you want to prosecute.  It's probably too late for that.

I have never had to terminate a client relationship, but making THEM change MY passwords is on my list of things to do should it happen.
0
 

Author Comment

by:cioservices
ID: 17919623
Thanks for the info...we pulled in a forensic expert from OnTrack and he confirmed our suspicions. Getting hard evidence is another thing entirely--but this definitely shows the signs of a deliberate, insider hack.

I really appreciate your thoughts! This is a huge impact for our client, and given what's at stake I didn't want to be wrong with our advise.

Normally we do advise to change passwords--this was an unusual situation where the guy stayed on to help for a while in a consulting role, but recently some things happened to make him disgruntled and we weren't told. This was so preventable!!!

Thanks again...
Wendy
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17920409
Best of luck with it Wendy!

Thanks

-red
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question