• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 305
  • Last Modified:

who is hacking my system

I have a windows 2003 network with a password policy to lock the account after 3 failed logon
attemps. we have an employee that was let go about two weeks ago and we think she is trying everyones user name to try and get in. after she was let go user are calling me because thier accounts where locked, including my account. is there a way with server 2003 to get information on these events or do I need a 3rd party software.
0
jgajma
Asked:
jgajma
1 Solution
 
bitlaCommented:
Are you the Admin? if so how can your account be locked?

How can you give access to external users(internet users) to connect to your Domain, that's confusing me,

Only way an external user can access domain is by Remote connection. Make sure you have disable her  account or removed even in RDP .

To know who is doing

Look in the Event Viewer, you will find the ip address. Block that ip address.
Use a good firewall, or u can use Internet Security (AVG internet Security) which comes with firewall, Resident Shield, Online Shield, Identity Protection, and Anti virus.-spyware-rootkit etc features.
0
 
jgajmaAuthor Commented:
No the account i use is not an admin account, my user are allowed to use rdp to work from home.
Her acount has been deleted, I got an an0nymous email that she is trying everyoone else user name to  try and get in.
0
 
bitlaCommented:
Go to the Even Viewer, find the ip address and block the ipaddress.

You can even block that ip address using AVG Internet Security( Firewall. settings)

You can chat with me on gtalk vishwanath.bitla@gmail.com
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
bitlaCommented:
Auditing RDP

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26669680.html

We use Access Key in conjunction with normal login method (RDP), so when user leaves the company we takeaway the acces key from him, so he cant even connect to server.
0
 
bitlaCommented:
Sorry! I will keep in mind, it will not happen again
0
 
HapexamendiosCommented:
Hi,

Try this if you haven't already:

Download Microsoft's Account Lockout Tools:

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Install these on your admin machine (avoid using a DC though).
Whilst all these tools are useful, the only one you'll probably need here is eventcombNT.exe.
Launch this, have a look at its intro message, and then click OK.
Go to the "Options" menu and then "Select Output Directory". From there, pick a folder to putwhat will be your text file results - perhaps make a folder for this purpose
In the main program, select the "Searches" menu, and go to "Built-in Searches >> Account Lockouts".
Click the "Search" button, and wait.

The program will then connect to all your domain controllers, and parse their Netlogon.log files for account lockout events, placing matching events in text files - one for each DC - in the output folder you created/selected earlier.

Now look at each file in turn.

Take a step back here, and think "what do I need?": you need to find out where bad passwords are coming from.
Use "Find" to search for an account which has been recently locked out.
In entries for the account in question, you want to track back to the first event you can find with the text "Failure code: 0x18". This is the point at which the account was locked out. Now, search for events which occured immediately before this chronologically, particularly those with the text "Failure code: 0x24" (code for "username OK, bad password").

Hopefully you've noticed that the IP address or hostname of the client sending the credentials is listed.
Therefore, a bit of repeating the above for a couple of your users' accounts will quickly show you if these account lockout events are all coming from the same IP, and hopefully to your culprit.

Hope it helps,
0
 
jasonhdzCommented:
Do you have a VPN in place? The windows event viewer will only provide you with logs on the user account trying to access.  I would suggest a third party auditing tool like Splunk which captures the syslogs and routing info to better understand where the user that is attempting to log is coming from.   Splunk has many apps that can assist (its time consuming though).   The most important info you need to gather is the IP where the individual is coming from and then you will find the location.  Check firewall logs and VPN if you have one.  If you had rules of behavior that you made the user sign, and you confirm the indovidual is a former employee, she can be prosecuted in the court of law.   But most important, check aidit loga from FW or VPN.  
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now