Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

opinion needed--were we hacked?

Posted on 2006-11-07
5
Medium Priority
?
165 Views
Last Modified: 2013-12-04
Here's the situation...a few weeks ago, the backup mysteriously stopped running, no error messages or anything; it just stopped about 10% of the way through. Two weeks after that, the Windows server suddenly got infected with an assortment of nearly 200 viruses and trojans simultaneously. In the midst of that, a critical database disappeared...

We also saw a number of VNC logins, both around the time the backup stopped and the time of the virus release. Just a handful each time, not dozens or hundreds. And the IP addresses in the logs showed logins coming from sites around the world.

So...I can't think of any explanation other than that we were hacked by an insider. It seems like too many coincidences to be anything else. However, it's a pretty serious charge, and if there's any other likely or even reasonable explanation, I need to know.

One more bit of info that may be biasing us--or maybe not--is that a former employee made threats and would have been able to guess the password if he didn't already know it. He's the one who set up VNC on the server.


Thoughts, advice, insights? Your help is much appreciated!

Wendy
0
Comment
Question by:cioservices
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 39

Accepted Solution

by:
redseatechnologies earned 800 total points
ID: 17895160
The backups and the viruses could be a mistake - disappearing databases is what is making me wonder.

There are known vulnerabilities in RealVNC, depending on the version - and assuming you have RealVNC as you VNC program.

The fact that someone threatened to do it, and it shows someone log in around that time - i would imagine it is almost certain a hack

Call the cops!

-red
0
 
LVL 9

Assisted Solution

by:trenes
trenes earned 600 total points
ID: 17895921
Hi redseatechnologies,

Yup this is an issue for the FBI.
If you want to have a VNC server make sure it can only accept localhost connections.
Then use eg. SSL explorer www.3sp.com to create a tunnel from the remote client to the server.


Cheers!
0
 
LVL 4

Assisted Solution

by:StonewallJacoby
StonewallJacoby earned 600 total points
ID: 17903695
Yeah, you gotta change passwords when someone leaves for ANY reason.

I can confirm there are vulns in some versions of VNC, but you don't need a vuln if you know the password.

Proper forensic treatment of the affected machines is important if you want to prosecute.  It's probably too late for that.

I have never had to terminate a client relationship, but making THEM change MY passwords is on my list of things to do should it happen.
0
 

Author Comment

by:cioservices
ID: 17919623
Thanks for the info...we pulled in a forensic expert from OnTrack and he confirmed our suspicions. Getting hard evidence is another thing entirely--but this definitely shows the signs of a deliberate, insider hack.

I really appreciate your thoughts! This is a huge impact for our client, and given what's at stake I didn't want to be wrong with our advise.

Normally we do advise to change passwords--this was an unusual situation where the guy stayed on to help for a while in a consulting role, but recently some things happened to make him disgruntled and we weren't told. This was so preventable!!!

Thanks again...
Wendy
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17920409
Best of luck with it Wendy!

Thanks

-red
0

Featured Post

Enroll in September's Course of the Month

This month’s featured course covers 16 hours of training in installation, management, and deployment of VMware vSphere virtualization environments. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
OfficeMate Freezes on login or does not load after login credentials are input.
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question