• Status: Solved

Possible hacker on our network.

I believe someone on my network at a remote site is an "amateur hacker" (her words to other employees). I have since seen a few changes that seem suspicious. Anyone know of a good program to search for hidden utilities / programs / key loggers?

We have (2) 2003 servers (DC and TS). Her account was always logged on after hours to the TS (no one gets to DC) so I have since created idle rules in case any "tools" have been left running. I would like to cover all bases.
Asked: mburke3434

2 Solutions
 
thecomputerdocs Commented:
It can be a very difficult process to find out whether you are 100% free of hackers if there were no policies in place to prevent it initially. Therefore you may want to consider getting GFI LANguard for starters. It's a pricey product, but I find it incredible at detecting open ports and applications running on each device.
Here's the link... hope this helps... this is a great way to start. Once you patch up all the vulnerabilities, you can also run a netstat -a on each machine.
 
chingmd Commented:
You can also run other tools.

Nessus for Windows. It will probe your network for vulnerabilities. (This can also run destructive tests, so be careful.)

Rootkit detection tools will also help in finding unwanted backdoors.

Double-check best practices for management.

A good place for some tools: www.insecure.org   www.cert.org

Cleaning up a hacked network can be tough. If you can find subversion of processes in place by the amateur hacker, you may want to save it, close the account and bring it up to management.

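The two answers above boil down to the same check: take a snapshot of what is listening (thecomputerdocs' "netstat -a on each machine") and what is set to start automatically (where chingmd's "unwanted backdoors" would have to live), keep it as a baseline from a moment you trust the box, and diff against it later. The script below is an added example written for this thread, not a tool either poster recommended and not part of the original page. It assumes PowerShell 5.1 or later on a Windows 8/2012-era host or newer (Get-NetTCPConnection and Get-ScheduledTask do not exist on the 2003 servers in the question; there you would parse `netstat -ano` and `schtasks /query` output instead), an administrator session, and a baseline file path that is a placeholder.

```powershell
# Added example (not from the original thread): snapshot listening TCP ports
# with their owning process plus the usual autostart locations, save it as a
# baseline, and on later runs report anything new, changed or gone.
# Assumes PowerShell 5.1+, Windows 8/2012+ (Get-NetTCPConnection,
# Get-ScheduledTask) and a local administrator session. $BaselinePath is a
# placeholder; keep the real baseline somewhere the suspect cannot write to.
param(
    [string]$BaselinePath = "$env:ProgramData\host-baseline.json",
    [switch]$WriteBaseline
)

function Get-HostSnapshot {
    # Listening TCP sockets joined to the process that owns them.
    $listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
        $path = if ($proc) { $proc.Path } else { $null }
        [pscustomobject]@{ Key = "tcp:$($_.LocalAddress):$($_.LocalPort)"; Process = $name; Path = $path }
    }

    # Run/RunOnce keys for the machine and the current user.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $autoruns = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
                if ($p.Name -notmatch '^PS') {   # skip the provider's own PSPath/PSDrive/... properties
                    [pscustomobject]@{ Key = "run:$k\$($p.Name)"; Process = $p.Value; Path = $null }
                }
            }
        }
    }

    # Services that start automatically, and enabled scheduled tasks.
    $services = Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto' | ForEach-Object {
        [pscustomobject]@{ Key = "svc:$($_.Name)"; Process = $_.PathName; Path = $null }
    }
    $tasks = Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        [pscustomobject]@{ Key = "task:$($_.TaskPath)$($_.TaskName)"; Process = $action; Path = $null }
    }

    @($listeners) + @($autoruns) + @($services) + @($tasks)
}

$current = Get-HostSnapshot
if ($WriteBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$known = @{}
foreach ($b in $baseline) { $known[$b.Key] = $b.Process }

# A listener, run key, service or task that is not in the baseline, or whose
# command/process changed, is what a "left running" tool looks like.
foreach ($c in $current) {
    if (-not $known.ContainsKey($c.Key)) {
        Write-Host "NEW      $($c.Key) -> $($c.Process) $($c.Path)"
    } elseif ($known[$c.Key] -ne $c.Process) {
        Write-Host "CHANGED  $($c.Key): was '$($known[$c.Key])', now '$($c.Process)'"
    }
}
foreach ($k in $known.Keys) {
    if (-not ($current.Key -contains $k)) { Write-Host "GONE     $k" }
}
```

Run it once with `-WriteBaseline` on a machine you have just rebuilt or otherwise trust, then schedule the plain run and read the NEW/CHANGED lines. A diff like this cannot see a kernel-mode rootkit that hides its own port or process from the APIs the script calls, which is why the rootkit scanners chingmd mentions are a separate step rather than a substitute.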
 
mburke3434 (Author) Commented:
Thank You both for the speedy response.

"thecomputerdocs" your link did not show up. could you resend?


 
Alan Huseyin Kayahan Commented:
Hi mburke3434
"words to other employees" so does he/she send messages? Would you please describe the acts in detail?
Download and install "Security Task Manager" http://www.neuber.com/taskmanager . It shows the danger level of applications running in memory, pretty useful tool.

Regards
 
mburke3434 (Author) Commented:
The employee is surprisingly head of a department (new hire). This individual's boyfriend is in the IT field and she came in as one of those users who knew just enough to get into trouble. We all know the kind :). Now other employees have contacted me that they suspect she is in their machines and feel she is trying to gain access to passwords. Many of these employees have been with us a long time and I am friends with them on a personal level. So this has definitely alarmed me, since they are not the cry-wolf types. Also they have stated first hand that this employee told them about her affinity for hacking and that her boyfriend is a guru.

Now since then we have had some things I am uncomfortable with, such as:

• The user being logged on to the TS all the time even though idle for hours. I have changed TS rules for idle users, so that is resolved.
• The user's Documents and Settings files are non-existent? They were moved on her own PC and I found them hidden in another user's folder, but on the TS there is no trace.
• CheckPoint Personal Firewall was installed by the user on their PC.
 
thecomputerdocs Commented:
http://www.gfi.com/lannetscan/
Sorry, I forgot to paste the link.
I love this tool, and it's definitely worth its weight in gold... especially for examining vulnerabilities and producing reports.
This is a great free tool as well: https://secure.logmein.com/products/scout/
It scans your network for some remote access tools.
You may want to consider having all employees sign an "acceptable use policy". This could state that they will not "hack" or attempt to gain access to unauthorized areas. It's a good document to have on hand in the event you need to terminate someone on that basis.
 
chingmd Commented:
It sounds like the user is logging into the machine and modifying the group policies. It's also possible that, if you grant all local users admin rights to the local machine, she has removed herself from the domain. That will negate all the domain policies.

An acceptable usage policy is paramount at this point. Without one there may not be much recourse for some actions. She would need to have gained access to HR records, financials, and HIPAA protected information.

If you are in the Domain Admins group, you may be able to poke around on her machine: \\machinename\c$

Roaming profile information is stored in the Active Directory Users and Computers applet. There you can find out if the profile was set to that location. Also check her permissions/group membership in the domain.


An interesting thought. You said you found the profile "hidden" inside another one? What about changing the security settings on the top level such that only the user and Domain Admins have rights into that profile. It could "lock" her out of her profile.

It is a scary thought to have to protect the network from your own users. We already have to protect it from external sources and internal unauthorized access (wireless, open network ports, and malware), but once you have to protect the network from your own users, there's an issue.

Documentation will be very important here. Especially if the "hacking" isn't for bettering the company.
  <Steps off soap box>

Another tool you might want to look at is www.belarc.com. They have a machine profiling tool, great for personal use. Commercially, you can ask for the demo.

It also lists a security rating for the machine and how to fix each item. They use the cert.org recommendations on machine protection.

You are mired in a political/power/ethical conflict. Protect yourself and the company.

Another idea is reverse psychology: ask the heads of departments and above for ideas on network protection and acceptable use policy requests, and hide in it a request for project requests for future solutions/services for the company. You are asking the community for what they want to see and how the IT department can help. (And bring it up with the head of IT, or, if you are the head of IT, your boss.)
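chingmd's answer lists four things to look at for the one account: her group membership and profile path in AD, whether she is a local administrator on her PC (which is how domain policy gets sidestepped), what is still logged on to the terminal server, and who holds rights on the profile folder. The script below runs those checks from a Domain Admin's workstation and is an added example for this thread, not something chingmd or the asker posted and not part of the original page. It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell remoting to the PC and PowerShell 5.1 or later on it (Get-LocalGroupMember), and the `quser` utility; the account, computer, server and share names are placeholders.

```powershell
# Added example (not from the original thread): audit one suspect account the
# way the reply above describes. Assumes RSAT ActiveDirectory, PS remoting to
# the user's PC with PowerShell 5.1+ there, and quser on the admin box.
# jdoe, WS-SALES01, TS01 and \\TS01\Profiles are placeholder names.
param(
    [string]$User         = 'jdoe',
    [string]$Computer     = 'WS-SALES01',
    [string]$TS           = 'TS01',
    [string]$ProfileShare = '\\TS01\Profiles',
    [switch]$RestrictProfile     # only after a copy of the folder has been preserved
)
Import-Module ActiveDirectory

# 1. What AD says: group membership is what she is allowed to do, ProfilePath
#    is where the roaming profile is supposed to live (the ADUC "Profile" tab).
$u = Get-ADUser -Identity $User -Properties ProfilePath, LastLogonDate, AdminCount
"Profile path : $($u.ProfilePath)"
"Last logon   : $($u.LastLogonDate)"
"AdminCount   : $($u.AdminCount)   (1 = is or was in a protected admin group)"
"Groups:"
Get-ADPrincipalGroupMembership -Identity $User | Select-Object -ExpandProperty Name | Sort-Object

# 2. Is she a local administrator on her own PC? If so, local policy and the
#    machine's domain membership are hers to change.
$admins = Invoke-Command -ComputerName $Computer -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}
"Local Administrators on ${Computer}:"
$admins | Format-Table -AutoSize
if ($admins.Name -contains "$env:USERDOMAIN\$User") {
    Write-Warning "$User is a local administrator on $Computer; domain policy can be bypassed there."
}

# 3. Is the account still sitting on the terminal server? quser shows the
#    session state (Active/Disc) and how long it has been idle.
"Sessions for $User on ${TS}:"
quser "/server:$TS" 2>$null | Where-Object { $_ -match "^\s*>?$User\b" }

# 4. Who can get into the profile folder on the TS share.
$folder = Join-Path $ProfileShare $User
if (Test-Path $folder) {
    (Get-Acl -Path $folder).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize

    if ($RestrictProfile) {
        # Drop inherited ACEs and grant full control to the user and Domain
        # Admins only; explicit ACEs that already exist (e.g. SYSTEM) are kept.
        icacls $folder /inheritance:r /grant:r "$env:USERDOMAIN\${User}:(OI)(CI)F" "$env:USERDOMAIN\Domain Admins:(OI)(CI)F"
    }
} else {
    Write-Warning "No profile folder at $folder; compare with ProfilePath above and the folder the asker found under another user."
}
```

Run the read-only part first and save the output alongside a copy of the profile folder; chingmd's point about documentation applies here, since once `-RestrictProfile` rewrites the ACL you have changed the very thing you might later need to show. The local Administrators check is the one most worth repeating on every PC in the remote site, not only hers.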
 
thecomputerdocs Commented:
Very well said chingmd!!!!
 
mburke3434 (Author) Commented:
Sorry everyone... got sidetracked... all input was greatly appreciated. Although nothing came of the scans, I used this experience to shore up my network security and create GPOs for the terminal services. I changed all network passwords and, to top everything off, the manager in question was let go on Sunday for performance reasons. I found all items she tried to "hide", which proves I am smarter :). I believe, as I did from the beginning, that she was a talker more than anything. But always better safe than sorry.

Thanks again.

MB
