
opinion needed--were we hacked?

cioservices asked
Medium Priority
177 Views
Last Modified: 2013-12-04
Here's the situation...a few weeks ago, the backup mysteriously stopped running, no error messages or anything; it just stopped about 10% of the way through. Two weeks after that, the Windows server suddenly got infected with an assortment of nearly 200 viruses and trojans simultaneously. In the midst of that, a critical database disappeared...

We also saw a number of VNC logins, both around the time the backup stopped and the time of the virus release. Just a handful each time, not dozens or hundreds. And the IP addresses in the logs showed logins coming from sites around the world.

So...I can't think of any explanation other than that we were hacked by an insider. It seems like too many coincidences to be anything else. However, it's a pretty serious charge, and if there's any other likely or even reasonable explanation, I need to know.

One more bit of info that may be biasing us--or maybe not--is that a former employee made threats and would have been able to guess the password if he didn't already know it. He's the one who set up VNC on the server.


Thoughts, advice, insights? Your help is much appreciated!

Wendy

CERTIFIED EXPERT
Commented:
The backups and the viruses could be a mistake - disappearing databases is what is making me wonder.

There are known vulnerabilities in RealVNC, depending on the version - and assuming you have RealVNC as your VNC program.

The fact that someone threatened to do it, and it shows someone logging in around that time - I would imagine it is almost certainly a hack.

Call the cops!

-red

CERTIFIED EXPERT
Commented:
Hi redseatechnologies,

Yup this is an issue for the FBI.
If you want to have a VNC server make sure it can only accept localhost connections.
Then use eg. SSL explorer www.3sp.com to create a tunnel from the remote client to the server.


Cheers!
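The thread's evidence is a handful of VNC logins from addresses around the world, and the advice above is to make the VNC listener accept only localhost connections and reach it through a tunnel. The following added example (not code from the original post or from any VNC product) shows the defender's side of both points: it triages constructed connection-log lines, flagging any session whose source address is outside loopback or the RFC 1918 private ranges, and it checks whether a given listener bind address leaves VNC reachable from the network. The log format ("<date> <time> connection <ip>:<port>") and all addresses are constructed for the example; the public addresses use documentation ranges, and the allowed networks are listed explicitly rather than relying on Python's `is_private`, which would treat those documentation ranges as private.

```python
"""Triage of constructed VNC connection-log lines.

Flags sessions that did not originate from loopback or an RFC 1918 range,
counts logins per day to show clustering around an incident, and checks
whether a listener bind address exposes VNC beyond localhost.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample log (hypothetical format, not any real VNC server's output).
# Public sources use IETF documentation ranges (TEST-NET-1/2/3).
SAMPLE_LOG = """\
2013-11-01 02:13:45 connection 127.0.0.1:51022
2013-11-01 02:14:10 connection 192.168.1.25:49211
2013-11-01 03:02:17 connection 203.0.113.77:4401
2013-11-03 23:41:09 connection 198.51.100.9:6113
2013-11-15 01:05:30 connection 10.0.0.8:50001
2013-11-15 01:07:02 connection 192.0.2.44:5900
"""

# Networks from which a VNC session is expected when the server is bound to
# localhost and reached over a tunnel, or used only from the office LAN.
# Listed explicitly: ipaddress.is_private also matches documentation ranges.
EXPECTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Session:
    when: str  # "YYYY-MM-DD HH:MM:SS"
    source: ipaddress.IPv4Address
    port: int


def parse_log(text: str) -> List[Session]:
    """Parse the constructed log format; lines that do not match are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "connection":
            continue
        addr, port = parts[3].rsplit(":", 1)
        sessions.append(Session(f"{parts[0]} {parts[1]}",
                                ipaddress.ip_address(addr), int(port)))
    return sessions


def is_expected_source(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in EXPECTED_NETS)


def external_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions from outside the expected networks: the ones to investigate."""
    return [s for s in sessions if not is_expected_source(s.source)]


def logins_per_day(sessions: List[Session]) -> dict:
    """Daily counts, useful for lining logins up against the incident timeline."""
    return dict(Counter(s.when[:10] for s in sessions))


def listener_exposed(bind_addr: str) -> bool:
    """True if a VNC server bound to bind_addr is reachable from the network.

    Binding to loopback (127.0.0.1) means only tunnelled or local clients
    can connect; 0.0.0.0 or a LAN address exposes the service directly.
    """
    return not ipaddress.ip_address(bind_addr).is_loopback


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    for s in external_sessions(sessions):
        print(f"EXTERNAL  {s.when}  {s.source}:{s.port}")
    print("logins per day:", logins_per_day(sessions))
    for bind in ("0.0.0.0", "127.0.0.1"):
        print(f"bind {bind}: {'exposed' if listener_exposed(bind) else 'localhost only'}")
```

Run against a real export, the interesting output is the external list and the per-day counts: a few sessions from unfamiliar public addresses clustered on the days the backup stopped and the malware appeared is exactly the pattern the question describes, and a bind address other than 127.0.0.1 is what made those sessions possible in the first place.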
Yeah, you gotta change passwords when someone leaves for ANY reason.

I can confirm there are vulns in some versions of VNC, but you don't need a vuln if you know the password.

Proper forensic treatment of the affected machines is important if you want to prosecute.  It's probably too late for that.

I have never had to terminate a client relationship, but making THEM change MY passwords is on my list of things to do should it happen.

Author

Commented:
Thanks for the info...we pulled in a forensic expert from OnTrack and he confirmed our suspicions. Getting hard evidence is another thing entirely--but this definitely shows the signs of a deliberate, insider hack.

I really appreciate your thoughts! This is a huge impact for our client, and given what's at stake I didn't want to be wrong with our advice.

Normally we do advise to change passwords--this was an unusual situation where the guy stayed on to help for a while in a consulting role, but recently some things happened to make him disgruntled and we weren't told. This was so preventable!!!

Thanks again...
Wendy
CERTIFIED EXPERT

Commented:
Best of luck with it Wendy!

Thanks

-red