Possible hacker on our network.

Posted on 2007-10-06
Last Modified: 2013-11-21
I believe someone on my network in a remote site is an "amateur hacker" (her words to other employees). I have since had a few changes that seem suspicious. Anyone know of a good program to search for hidden utilities / programs / key loggers?

We have (2) 2003 servers (DC and TS). Her account was always logged on after hours to the TS (no one gets to DC) so I have since created idle rules in case any "tools" have been left running. I would like to cover all bases.
Question by: mburke3434
    LVL 5

    Accepted Solution

    It can be a very difficult process to find out whether you are 100% free of hackers, if there were no policies in place to prevent it initially. Therefore you may want to consider getting GFI Languard for starters. It's a pricey product, but I find it incredible in detecting open ports and applications running on each device.
    Here's the link... hope this helps... this is a great way to start. Once you patch up all the vulnerabilities, you can also run a netstat -a on each machine.
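    Following the netstat -a suggestion above, here is an added example (it is not from this answer or from any product named in the thread) that parses `netstat -ano` output from a Windows server and flags listening ports that are not in a per-role baseline, returning the owning PIDs for follow-up. The baseline port sets and the sample netstat output are both constructed for the example.

```python
from collections import namedtuple

# Added example: flag listening ports in `netstat -ano` output that are not in
# a per-role baseline. The baseline and the sample output are both constructed.
Listener = namedtuple("Listener", "proto addr port pid")

# Ports an admin would expect to find listening on each server role (assumed).
BASELINE = {
    "TS": {135, 139, 445, 3389},
    "DC": {53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269},
}

# Constructed `netstat -ano` output for the terminal server; the 31337/TCP and
# 12345/UDP sockets (both owned by PID 3412) stand in for an unknown tool.
SAMPLE_NETSTAT_TS = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       852
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1240
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       3412
  TCP    10.0.5.20:3389         10.0.5.77:1062         ESTABLISHED     1240
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:12345          *:*                                    3412
"""


def parse_netstat(text):
    """Return listening TCP sockets and bound UDP sockets as Listener tuples."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip headers and blank lines
        # TCP rows carry a state column; only LISTENING rows are services.
        if parts[0] == "TCP" and (len(parts) < 5 or parts[3] != "LISTENING"):
            continue
        addr, _, port = parts[1].rpartition(":")  # works for [::]:135 too
        found.append(Listener(parts[0], addr, int(port), int(parts[-1])))
    return found


def unexpected_listeners(text, role):
    """Listeners whose port is absent from the baseline for this host role."""
    return [l for l in parse_netstat(text) if l.port not in BASELINE[role]]


def suspect_pids(text, role):
    """PIDs owning unexpected listeners; check each with `tasklist /svc /fi "PID eq N"`."""
    return sorted({l.pid for l in unexpected_listeners(text, role)})
```

    Run it against a saved `netstat -ano > ports.txt` from each server and compare the result with the output of `tasklist /svc` before deciding whether a listener is legitimate; a baseline should be taken from a known-clean build, not from the machine under suspicion.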
    LVL 9

    Assisted Solution

    You can also run other tools.  

    Nessus for Windows. It will probe your network for vulnerabilities. (This can also run destructive tests, so be careful.)

    Rootkit detection tools will also help in finding unwanted backdoors.

    Double-checking best practices for management.

    A good place for some tools

    Cleaning up a hacked network can be tough.   If you can find subversion of processes in place by the amateur hacker, you may want to save it, close the account and bring it up to the management.


    Author Comment

    Thank You both for the speedy response.

    "thecomputerdocs", your link did not show up. Could you resend?

    LVL 29

    Expert Comment

    by:Alan Huseyin Kayahan
    Hi mburke3434
    "words to other employees" so does he/she send messages? Would you please describe the acts in detail?
    Download and install "Security Task Manager". It shows the danger level of applications running in memory, pretty useful tool.


    Author Comment

    The employee is surprisingly head of a department (new hire). This individual's boyfriend is in the IT field and she came in as one of those users who knew just enough to get into trouble. We all know the kind :). Now other employees have contacted me that they suspect she is in their machine and feel she is trying to gain access to passwords. Many of these employees have been with us a long time and I am friends with them on a personal level. So this has definitely alarmed me since they are not the cry-wolf types. Also they have stated first hand that this employee told them about her affinity for hacking and that her boyfriend is a guru.

    Now since then we have had some things I am uncomfortable with, such as:

    - The user being logged on to the TS all the time even though idle for hours. I have changed TS rules for idle users so that is resolved.
    - The user's Documents and Settings files are non-existent? They were moved on her own PC and I found them hidden in another user's folder, but on the TS there is no trace...
    - CheckPoint Personal Firewall was installed by the user on their PC.
    LVL 5

    Expert Comment

    Sorry I forgot to paste the link.
    I love this tool, and it's definitely worth its weight in gold... especially for examining vulnerabilities and producing reports.
    This is a great free tool as well.
    It scans your network for some remote access tools.
    You may want to consider having all employees sign an "acceptable use policy". This could state that they will not "hack" or attempt to gain access to unauthorized areas. It's a good document to have on hand in the event you need to terminate someone on that basis.
    LVL 9

    Expert Comment

    It sounds like the user is logging into the machine and modifying the group policies. It's also possible that, if you grant all local users admin rights to the local machine, she has removed herself from the domain. That will negate all the domain policies.

    An acceptable usage policy is paramount at this point. Without one there may not be much recourse for some actions. She would need to have gained access to HR records, financials, and HIPAA-protected information.

    If you are in the domain admin group, you may be able to poke around on her machine.   \\machinename\c$

    Roaming profile information is stored in the Active Directory Users and Computers applet. There you can find out if the profile was set to that location. Also check her permissions/group membership in the domain.

    An interesting thought. You said you found the profile "hidden" inside another one? What about changing the security settings on the top level such that only the user and domain admins have rights into that profile. It could "lock" her out of her profile.

    It is a scary thought to have to protect the network from your own users. We already have to protect it from external sources and internal unauthorized access (wireless, open network ports, and malware), but once you have to protect the network from your own users, there's an issue.

    Documentation will be very important here.  Especially, if the "hacking" isn't for bettering the company.  
      <Steps off soap box>

    Another tool you might want to look at is   They have a machine profiling tool, great for personal use.  Commercially, you can ask for the demo.

    It also lists a security rating for the machine and how to fix each one.   They use the recommendations on machine protection.

    You are mired in a political/power/ethical conflict.   Protect yourself and the company.  

    Another idea is reverse psychology: ask the heads of departments and above for ideas on network protection and acceptable use policy requests, and hide it in a request for project requests for future solutions/services for the company. You are asking the community what they want to see and how the IT department can help. (And bring it up to the head of IT, or if you are the head of IT, your boss.)

    LVL 5

    Expert Comment

    Very well said chingmd!!!!

    Author Comment

    Sorry, sidetracked... all input was greatly appreciated. Although nothing came of the scans, I used this experience to shore up my network security and create GPOs for the terminal services. I changed all network passwords and, to top everything off, the manager in question was let go on Sunday for performance reasons. I found all items she tried to "hide", which proves I am smarter :). I believe, as I did from the beginning, that she was a talker more than anything. But always better safe than sorry.

    Thanks again.
