Solved

opinion needed--were we hacked?

Posted on 2006-11-07
5
163 Views
Last Modified: 2013-12-04
Here's the situation...a few weeks ago, the backup mysteriously stopped running, no error messages or anything; it just stopped about 10% of the way through. Two weeks after that, the Windows server suddenly got infected with an assortment of nearly 200 viruses and trojans simultaneously. In the midst of that, a critical database disappeared...

We also saw a number of VNC logins, both around the time the backup stopped and the time of the virus release. Just a handful each time, not dozens or hundreds. And the IP addresses in the logs showed logins coming from sites around the world.

So...I can't think of any explanation other than that we were hacked by an insider. It seems like too many coincidences to be anything else. However, it's a pretty serious charge, and if there's any other likely or even reasonable explanation, I need to know.

One more bit of info that may be biasing us--or maybe not--is that a former employee made threats and would have been able to guess the password if he didn't already know it. He's the one who set up VNC on the server.


Thoughts, advice, insights? Your help is much appreciated!

Wendy
0
Comment
Question by:cioservices
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 39

Accepted Solution

by:
redseatechnologies earned 200 total points
ID: 17895160
The backups and the viruses could be a mistake - disappearing databases is what is making me wonder.

There are known vulnerabilities in RealVNC, depending on the version - and assuming you have RealVNC as you VNC program.

The fact that someone threatened to do it, and it shows someone log in around that time - i would imagine it is almost certain a hack

Call the cops!

-red
0
 
LVL 9

Assisted Solution

by:trenes
trenes earned 150 total points
ID: 17895921
Hi redseatechnologies,

Yup this is an issue for the FBI.
If you want to have a VNC server make sure it can only accept localhost connections.
Then use eg. SSL explorer www.3sp.com to create a tunnel from the remote client to the server.


Cheers!
0
 
LVL 4

Assisted Solution

by:StonewallJacoby
StonewallJacoby earned 150 total points
ID: 17903695
Yeah, you gotta change passwords when someone leaves for ANY reason.

I can confirm there are vulns in some versions of VNC, but you don't need a vuln if you know the password.

Proper forensic treatment of the affected machines is important if you want to prosecute.  It's probably too late for that.

I have never had to terminate a client relationship, but making THEM change MY passwords is on my list of things to do should it happen.
0
 

Author Comment

by:cioservices
ID: 17919623
Thanks for the info...we pulled in a forensic expert from OnTrack and he confirmed our suspicions. Getting hard evidence is another thing entirely--but this definitely shows the signs of a deliberate, insider hack.

I really appreciate your thoughts! This is a huge impact for our client, and given what's at stake I didn't want to be wrong with our advise.

Normally we do advise to change passwords--this was an unusual situation where the guy stayed on to help for a while in a consulting role, but recently some things happened to make him disgruntled and we weren't told. This was so preventable!!!

Thanks again...
Wendy
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17920409
Best of luck with it Wendy!

Thanks

-red
0

Featured Post

What, When and Where - Security Threats from Q1

Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question