Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

who is hacking my system

Posted on 2011-03-14
8
Medium Priority
?
296 Views
Last Modified: 2012-06-22
I have a windows 2003 network with a password policy to lock the account after 3 failed logon
attemps. we have an employee that was let go about two weeks ago and we think she is trying everyones user name to try and get in. after she was let go user are calling me because thier accounts where locked, including my account. is there a way with server 2003 to get information on these events or do I need a 3rd party software.
0
Comment
Question by:jgajma
8 Comments
 
LVL 4

Expert Comment

by:bitla
ID: 35131748
Are you the Admin? if so how can your account be locked?

How can you give access to external users(internet users) to connect to your Domain, that's confusing me,

Only way an external user can access domain is by Remote connection. Make sure you have disable her  account or removed even in RDP .

To know who is doing

Look in the Event Viewer, you will find the ip address. Block that ip address.
Use a good firewall, or u can use Internet Security (AVG internet Security) which comes with firewall, Resident Shield, Online Shield, Identity Protection, and Anti virus.-spyware-rootkit etc features.
0
 

Author Comment

by:jgajma
ID: 35131918
No the account i use is not an admin account, my user are allowed to use rdp to work from home.
Her acount has been deleted, I got an an0nymous email that she is trying everyoone else user name to  try and get in.
0
 
LVL 4

Expert Comment

by:bitla
ID: 35132175
Go to the Even Viewer, find the ip address and block the ipaddress.

You can even block that ip address using AVG Internet Security( Firewall. settings)

You can chat with me on gtalk vishwanath.bitla@gmail.com
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 4

Expert Comment

by:bitla
ID: 35132915
Auditing RDP

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26669680.html

We use Access Key in conjunction with normal login method (RDP), so when user leaves the company we takeaway the acces key from him, so he cant even connect to server.
0
 
LVL 4

Expert Comment

by:bitla
ID: 35136290
Sorry! I will keep in mind, it will not happen again
0
 
LVL 2

Accepted Solution

by:
Hapexamendios earned 2000 total points
ID: 35136609
Hi,

Try this if you haven't already:

Download Microsoft's Account Lockout Tools:

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Install these on your admin machine (avoid using a DC though).
Whilst all these tools are useful, the only one you'll probably need here is eventcombNT.exe.
Launch this, have a look at its intro message, and then click OK.
Go to the "Options" menu and then "Select Output Directory". From there, pick a folder to putwhat will be your text file results - perhaps make a folder for this purpose
In the main program, select the "Searches" menu, and go to "Built-in Searches >> Account Lockouts".
Click the "Search" button, and wait.

The program will then connect to all your domain controllers, and parse their Netlogon.log files for account lockout events, placing matching events in text files - one for each DC - in the output folder you created/selected earlier.

Now look at each file in turn.

Take a step back here, and think "what do I need?": you need to find out where bad passwords are coming from.
Use "Find" to search for an account which has been recently locked out.
In entries for the account in question, you want to track back to the first event you can find with the text "Failure code: 0x18". This is the point at which the account was locked out. Now, search for events which occured immediately before this chronologically, particularly those with the text "Failure code: 0x24" (code for "username OK, bad password").

Hopefully you've noticed that the IP address or hostname of the client sending the credentials is listed.
Therefore, a bit of repeating the above for a couple of your users' accounts will quickly show you if these account lockout events are all coming from the same IP, and hopefully to your culprit.

Hope it helps,
0
 
LVL 1

Expert Comment

by:jasonhdz
ID: 35147520
Do you have a VPN in place? The windows event viewer will only provide you with logs on the user account trying to access.  I would suggest a third party auditing tool like Splunk which captures the syslogs and routing info to better understand where the user that is attempting to log is coming from.   Splunk has many apps that can assist (its time consuming though).   The most important info you need to gather is the IP where the individual is coming from and then you will find the location.  Check firewall logs and VPN if you have one.  If you had rules of behavior that you made the user sign, and you confirm the indovidual is a former employee, she can be prosecuted in the court of law.   But most important, check aidit loga from FW or VPN.  
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Considering today’s continual security threats, which affect Information technology networks and systems worldwide, it is very important to practice basic security awareness. A normal system user can secure himself or herself by following these simp…
Ransomware - Defeated! Client opened the wrong email and was attacked by Ransomware. I was able to use file recovery utilities to find shadow copies of the encrypted files and make a complete recovery.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question