Possible hacker on our network.

I believe someone on my network in a remote site is an "amateur hacker" (her words to other employees). I have since had a few changes that seem suspicious. Anyone know of a good program to search for hidden utilities / programs / key loggers?

We have (2) 2003 servers (DC and TS). Her account was always logged on after hours to the TS (no one gets to DC) so I have since created idle rules in case any "tools" have been left running. I would like to cover all bases.

It can be a very difficult process to find out whether you are 100% free of hackers, if there were no policies in place to prevent it initially. Therefore you may want to consider getting GFI LANguard for starters. It's a pricey product, but I find it incredible in detecting open ports and applications running on each device.
Here's the link... hope this helps... this is a great way to start. Once you patch up all the vulnerabilities, you can also run a netstat -a on each machine.
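A per-host check in the spirit of the netstat advice above and of the terminal-services sessions left logged on that the question describes, added here as an example (not code from the thread or from any tool named in it). It assumes PowerShell 3 or later with local admin rights on the host being checked; $ExpectedPorts is a constructed allowlist that must be adapted to each server's role.

```powershell
# Added example: map listening TCP ports to their owning process (netstat -ano)
# and list terminal-services sessions that were left disconnected or idle (quser).
# Assumption: PowerShell 3+, run as a local administrator on the host being audited.

$ExpectedPorts = @(53, 88, 135, 139, 389, 445, 3389)   # constructed allowlist; adjust per server role

function Get-ListeningPorts {
    # Parse netstat text rather than Get-NetTCPConnection so this also runs on older hosts.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port = [int]$Matches[1]; $ownerPid = [int]$Matches[2]
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port     = $port
                PID      = $ownerPid
                Process  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                Path     = if ($proc) { $proc.Path } else { '' }   # blank for protected/system processes
                Expected = ($ExpectedPorts -contains $port)
            }
        }
    } | Sort-Object Port -Unique
}

function Get-StaleSessions {
    # quser columns: USERNAME SESSIONNAME ID STATE IDLE_TIME LOGON_TIME.
    # SESSIONNAME is blank for disconnected sessions, so the split yields one field less.
    quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
        $f = ($_.Trim().TrimStart('>') -split '\s{2,}')
        if ($f.Count -eq 5) { $f = @($f[0], '') + $f[1..4] }   # re-insert the missing SESSIONNAME
        [pscustomobject]@{
            User = $f[0]; Session = $f[1]; Id = $f[2]; State = $f[3]; Idle = $f[4]; LogonTime = $f[5]
            Stale = ($f[3] -eq 'Disc' -or $f[4] -like '*+*')   # disconnected, or idle for a day or more
        }
    } | Where-Object Stale
}

'== Listening ports not in the allowlist (inspect Process/Path of each) =='
Get-ListeningPorts | Where-Object { -not $_.Expected } | Format-Table -AutoSize
'== Terminal-services sessions left behind =='
Get-StaleSessions | Format-Table -AutoSize
```

An unexpected port owned by a process with no path, or a process running from a user profile directory, is what to follow up on; the session list shows whether the idle-session rules are actually clearing logons.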

You can also run other tools.  

Nessus for Windows. It will probe your network for vulnerabilities. (This can also run destructive tests, so be careful.)

Rootkit detection tools will also help in finding unwanted backdoors.

Double checking best practices for management.

A good place for some tools www.insecure.org   www.cert.org

Cleaning up a hacked network can be tough. If you can find subversion of processes in place by the amateur hacker, you may want to save it, close the account and bring it up to the management.

mburke3434 (Author) commented:
Thank You both for the speedy response.

"thecomputerdocs", your link did not show up. Could you resend?


Alan Huseyin Kayahan commented:
Hi mburke3434,
"words to other employees" so does he/she send messages? Would you please describe the acts in detail?
Download and install "Security Task Manager" http://www.neuber.com/taskmanager . It shows the danger level of applications running in memory, a pretty useful tool.

mburke3434 (Author) commented:
The employee is surprisingly head of a department (new hire). This individual's boyfriend is in the IT field and she came in as one of those users who knew just enough to get into trouble. We all know the kind :). Now other employees have contacted me that they suspect she is in their machines and feel she is trying to gain access to passwords. These employees have been with us a long time and I am friends with them on a personal level. So this has definitely alarmed me, since they are not the cry-wolf types. Also they have stated first hand that this employee told them about her affinity for hacking and that her boyfriend is a guru.

Now since then we have had some things I am uncomfortable with such as:

- The user being logged on to the TS all the time even though idle for hours. I have changed TS rules for idle users, so that is resolved.
- The user's Documents and Settings files are non-existent? They were moved on her own PC and I found them hidden in another user's folder, but on the TS there is no trace...
- CheckPoint Personal Firewall was installed by the user on their PC.
Sorry, I forgot to paste the link.
I love this tool, and it's definitely worth its weight in gold... especially for examining vulnerabilities and producing reports.
This is a great free tool as well. https://secure.logmein.com/products/scout/
It scans your network for some remote access tools.
You may want to consider having all employees sign an "acceptable use policy". This could state that they will not "hack" or attempt to gain access to unauthorized areas. It's a good document to have on hand in the event you need to terminate someone on that basis.
It sounds like the user is logging into the machine and modifying the group policies. It's also possible that, if you grant all local users admin rights to the local machine, then she has removed herself from the domain. That will negate all the domain policies.

An acceptable usage policy is paramount at this point. Without it there may not be much recourse for some actions. She would need to have gained access to HR records, financials, and HIPAA-protected information.

If you are in the domain admin group, you may be able to poke around on her machine.   \\machinename\c$

Roaming profile information is stored in the Active Directory Users and Computers applet. There you can find out if the profile was set to that location. Also check her permissions/group membership in the domain.

An interesting thought. You said you found the profile "hidden" inside another one? What about changing the security settings on the top level such that only the user and domain admins have rights into that profile. It could "lock" her out of her profile.

It is a scary thought to have to protect the network from your own users. We already have to protect it from external sources and internal unauthorized access (wireless, open network ports, and malware), but once you have to protect the network from your own users, there's an issue.

Documentation will be very important here, especially if the "hacking" isn't for bettering the company.
  <Steps off soap box>

Another tool you might want to look at is www.belarc.com. They have a machine profiling tool, great for personal use. Commercially, you can ask for the demo.

It also lists a security rating for the machine and how to fix each item. They use the cert.org recommendations on machine protection.

You are mired in a political/power/ethical conflict. Protect yourself and the company.

Another idea is reverse psychology: ask the heads of departments and above for ideas on network protection and acceptable use policy requests, and hide in it a request for project requests for future solutions/services for the company. You are asking the community for what they want to see and how the IT department can help. (And bring it up to the head of IT, or if you are the head of IT, your boss.)

Very well said chingmd!!!!
mburke3434 (Author) commented:
Sorry everyone... got sidetracked... all input was greatly appreciated. Although nothing came of the scans, I used this experience to shore up my network security and create GPOs for the terminal services. I changed all network passwords and, to top everything off, the manager in question was let go on Sunday for performance reasons. I found all items she tried to "hide", which proves I am smarter :). I believe, as I did from the beginning, that she was a talker more than anything. But always better safe than sorry.

Thanks again.

Question has a verified solution.
