Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

who is hacking my system

Posted on 2011-03-14
8
Medium Priority
?
290 Views
Last Modified: 2012-06-22
I have a windows 2003 network with a password policy to lock the account after 3 failed logon
attemps. we have an employee that was let go about two weeks ago and we think she is trying everyones user name to try and get in. after she was let go user are calling me because thier accounts where locked, including my account. is there a way with server 2003 to get information on these events or do I need a 3rd party software.
0
Comment
Question by:jgajma
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 4

Expert Comment

by:bitla
ID: 35131748
Are you the Admin? if so how can your account be locked?

How can you give access to external users(internet users) to connect to your Domain, that's confusing me,

Only way an external user can access domain is by Remote connection. Make sure you have disable her  account or removed even in RDP .

To know who is doing

Look in the Event Viewer, you will find the ip address. Block that ip address.
Use a good firewall, or u can use Internet Security (AVG internet Security) which comes with firewall, Resident Shield, Online Shield, Identity Protection, and Anti virus.-spyware-rootkit etc features.
0
 

Author Comment

by:jgajma
ID: 35131918
No the account i use is not an admin account, my user are allowed to use rdp to work from home.
Her acount has been deleted, I got an an0nymous email that she is trying everyoone else user name to  try and get in.
0
 
LVL 4

Expert Comment

by:bitla
ID: 35132175
Go to the Even Viewer, find the ip address and block the ipaddress.

You can even block that ip address using AVG Internet Security( Firewall. settings)

You can chat with me on gtalk vishwanath.bitla@gmail.com
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 
LVL 4

Expert Comment

by:bitla
ID: 35132915
Auditing RDP

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26669680.html

We use Access Key in conjunction with normal login method (RDP), so when user leaves the company we takeaway the acces key from him, so he cant even connect to server.
0
 
LVL 4

Expert Comment

by:bitla
ID: 35136290
Sorry! I will keep in mind, it will not happen again
0
 
LVL 2

Accepted Solution

by:
Hapexamendios earned 2000 total points
ID: 35136609
Hi,

Try this if you haven't already:

Download Microsoft's Account Lockout Tools:

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Install these on your admin machine (avoid using a DC though).
Whilst all these tools are useful, the only one you'll probably need here is eventcombNT.exe.
Launch this, have a look at its intro message, and then click OK.
Go to the "Options" menu and then "Select Output Directory". From there, pick a folder to putwhat will be your text file results - perhaps make a folder for this purpose
In the main program, select the "Searches" menu, and go to "Built-in Searches >> Account Lockouts".
Click the "Search" button, and wait.

The program will then connect to all your domain controllers, and parse their Netlogon.log files for account lockout events, placing matching events in text files - one for each DC - in the output folder you created/selected earlier.

Now look at each file in turn.

Take a step back here, and think "what do I need?": you need to find out where bad passwords are coming from.
Use "Find" to search for an account which has been recently locked out.
In entries for the account in question, you want to track back to the first event you can find with the text "Failure code: 0x18". This is the point at which the account was locked out. Now, search for events which occured immediately before this chronologically, particularly those with the text "Failure code: 0x24" (code for "username OK, bad password").

Hopefully you've noticed that the IP address or hostname of the client sending the credentials is listed.
Therefore, a bit of repeating the above for a couple of your users' accounts will quickly show you if these account lockout events are all coming from the same IP, and hopefully to your culprit.

Hope it helps,
0
 
LVL 1

Expert Comment

by:jasonhdz
ID: 35147520
Do you have a VPN in place? The windows event viewer will only provide you with logs on the user account trying to access.  I would suggest a third party auditing tool like Splunk which captures the syslogs and routing info to better understand where the user that is attempting to log is coming from.   Splunk has many apps that can assist (its time consuming though).   The most important info you need to gather is the IP where the individual is coming from and then you will find the location.  Check firewall logs and VPN if you have one.  If you had rules of behavior that you made the user sign, and you confirm the indovidual is a former employee, she can be prosecuted in the court of law.   But most important, check aidit loga from FW or VPN.  
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the rising number of cyber attacks in recent years, keeping your personal data safe has become more important than ever. The tips outlined in this article will help you keep your identitfy safe.
Let's recap what we learned from yesterday's Skyport Systems webinar.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question