Solved

who is hacking my system

Posted on 2011-03-14
8
274 Views
Last Modified: 2012-06-22
I have a Windows 2003 network with a password policy to lock the account after 3 failed logon attempts. We have an employee that was let go about two weeks ago, and we think she is trying everyone's user name to try and get in. After she was let go, users are calling me because their accounts were locked, including my account. Is there a way with Server 2003 to get information on these events, or do I need 3rd-party software?
0
Comment
Question by:jgajma
8 Comments
 
LVL 4

Expert Comment

by:bitla
ID: 35131748
Are you the Admin? If so, how can your account be locked?

How can you give access to external users (internet users) to connect to your domain? That's confusing me.

The only way an external user can access the domain is by remote connection. Make sure you have disabled her account or removed it, even for RDP.

To know who is doing it:

Look in the Event Viewer; you will find the IP address. Block that IP address.
Use a good firewall, or you can use Internet Security (AVG Internet Security), which comes with firewall, Resident Shield, Online Shield, Identity Protection, and anti-virus/spyware/rootkit etc. features.
0
 

Author Comment

by:jgajma
ID: 35131918
No, the account I use is not an admin account; my users are allowed to use RDP to work from home.
Her account has been deleted. I got an anonymous email that she is trying everyone else's user name to try and get in.
0
 
LVL 4

Expert Comment

by:bitla
ID: 35132175
Go to the Event Viewer, find the IP address and block the IP address.

You can even block that IP address using AVG Internet Security (Firewall settings).

You can chat with me on gtalk vishwanath.bitla@gmail.com
0
 
LVL 4

Expert Comment

by:bitla
ID: 35132915
Auditing RDP

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26669680.html

We use an Access Key in conjunction with the normal login method (RDP), so when a user leaves the company we take away the access key from him, so he can't even connect to the server.
0
 
LVL 4

Expert Comment

by:bitla
ID: 35136290
Sorry! I will keep in mind, it will not happen again
0
 
LVL 2

Accepted Solution

by:
Hapexamendios earned 500 total points
ID: 35136609
Hi,

Try this if you haven't already:

Download Microsoft's Account Lockout Tools:

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Install these on your admin machine (avoid using a DC, though).
Whilst all these tools are useful, the only one you'll probably need here is EventCombMT.exe.
Launch this, have a look at its intro message, and then click OK.
Go to the "Options" menu and then "Select Output Directory". From there, pick a folder to put what will be your text file results in; perhaps make a folder for this purpose.
In the main program, select the "Searches" menu, and go to "Built-in Searches >> Account Lockouts".
Click the "Search" button, and wait.

The program will then connect to all your domain controllers and parse their Netlogon.log files for account lockout events, placing matching events in text files (one for each DC) in the output folder you created/selected earlier.

Now look at each file in turn.

Take a step back here, and think "what do I need?": you need to find out where bad passwords are coming from.
Use "Find" to search for an account which has been recently locked out.
In entries for the account in question, you want to track back to the first event you can find with the text "Failure code: 0x18". This is the point at which the account was locked out. Now, search for events which occurred immediately before this chronologically, particularly those with the text "Failure code: 0x24" (code for "username OK, bad password").

Hopefully you've noticed that the IP address or hostname of the client sending the credentials is listed.
Therefore, a bit of repeating the above for a couple of your users' accounts will quickly show you if these account lockout events are all coming from the same IP, and hopefully lead you to your culprit.

Hope it helps,
0
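The tracing procedure in the accepted solution (find the lockout record, walk back to the bad-password attempts immediately before it, note where they came from, then repeat across accounts to see whether one source keeps turning up) as an added example; this is not code from the thread or from Microsoft's Account Lockout Tools. It runs that correlation over a handful of constructed Netlogon.log lines in the `SamLogon: ... logon of DOMAIN\user from WORKSTATION (via DC) Returns 0x...` form a domain controller writes when Netlogon debug logging is enabled; the CORP domain, hostnames and account names are invented. It keys on the NTSTATUS values Netlogon records (0xC000006A STATUS_WRONG_PASSWORD, 0xC0000234 STATUS_ACCOUNT_LOCKED_OUT), and the default threshold of 3 mirrors the lockout policy in the question.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (invented names) in the form Netlogon writes to
# %SystemRoot%\debug\netlogon.log when Netlogon debug logging is enabled.
SAMPLE_NETLOGON_LOG = """\
03/14 07:50:03 [LOGON] CORP: SamLogon: Network logon of CORP\\tlee from TLEE-PC (via DC1) Returns 0xC000006A
03/14 07:50:09 [LOGON] CORP: SamLogon: Network logon of CORP\\tlee from TLEE-PC (via DC1) Returns 0x0
03/14 08:01:12 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\jgajma from WS-FINANCE-07 (via TS01) Returns 0xC000006A
03/14 08:01:15 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\jgajma from WS-FINANCE-07 (via TS01) Returns 0xC000006A
03/14 08:01:19 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\jgajma from WS-FINANCE-07 (via TS01) Returns 0xC000006A
03/14 08:01:22 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\jgajma from WS-FINANCE-07 (via TS01) Returns 0xC0000234
03/14 08:05:40 [LOGON] CORP: SamLogon: Network logon of CORP\\mreyes from HR-LAPTOP (via DC1) Returns 0xC000006A
03/14 08:05:47 [LOGON] CORP: SamLogon: Network logon of CORP\\mreyes from HR-LAPTOP (via DC1) Returns 0x0
03/14 08:10:02 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\tlee from WS-FINANCE-07 (via TS01) Returns 0xC000006A
03/14 08:10:05 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\tlee from WS-FINANCE-07 (via TS01) Returns 0xC000006A
03/14 08:10:08 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\tlee from WS-FINANCE-07 (via TS01) Returns 0xC000006A
03/14 08:10:11 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\tlee from WS-FINANCE-07 (via TS01) Returns 0xC0000234
03/14 08:30:44 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\tlee from TLEE-PC (via DC1) Returns 0xC0000234
"""

# NTSTATUS values Netlogon reports for the two events we care about.
STATUS_WRONG_PASSWORD = 0xC000006A
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234

# Lenient on the prefix (newer builds insert a PID after [LOGON]); strict on the
# fields we extract: account, workstation the credentials came through, DC, status.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?logon of (?P<account>\S+) "
    r"from (?P<source>\S+) \(via (?P<dc>\S+)\) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)


def parse_netlogon(text):
    """Turn SamLogon 'Returns' lines into dicts; anything else in the log is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"], 16)
            events.append(ev)
    return events


def attribute_lockouts(events, threshold=3):
    """For each lockout episode, return the account, when and via which DC it locked,
    and the sources of the `threshold` wrong-password attempts just before it (the
    attempts that tripped the policy). A successful logon resets the counter, and
    further attempts against an already-locked account are not re-attributed."""
    recent = defaultdict(list)   # account -> sources of bad passwords since last success
    locked = set()
    episodes = []
    for ev in events:
        acct = ev["account"]
        if ev["status"] == STATUS_WRONG_PASSWORD:
            recent[acct].append(ev["source"])
        elif ev["status"] == STATUS_ACCOUNT_LOCKED_OUT:
            if acct not in locked:   # first lockout record for this account
                locked.add(acct)
                episodes.append({"account": acct, "time": ev["ts"], "dc": ev["dc"],
                                 "sources": recent[acct][-threshold:]})
        elif ev["status"] == 0:      # success: bad-password counter is reset
            recent[acct].clear()
            locked.discard(acct)
    return episodes


def rank_sources(episodes):
    """Count, per source, how many DISTINCT accounts it drove into lockout."""
    per_source = defaultdict(set)
    for ep in episodes:
        for src in ep["sources"]:
            per_source[src].add(ep["account"])
    return Counter({src: len(accts) for src, accts in per_source.items()})


if __name__ == "__main__":
    episodes = attribute_lockouts(parse_netlogon(SAMPLE_NETLOGON_LOG))
    for ep in episodes:
        print(f'{ep["time"]} {ep["account"]} locked out via {ep["dc"]}; '
              f'bad passwords came from {sorted(set(ep["sources"]))}')
    for src, n in rank_sources(episodes).most_common():
        print(f"{src}: locked out {n} account(s)")
```

The ranking counts distinct accounts per source rather than raw failures, so a user mistyping their own password (mreyes above) or retrying after they are already locked (the TLEE-PC line at the end) does not outrank the one host that is cycling through everybody's user name. Note that the `from` field is the workstation name the authenticating server passed to the DC, not an IP address; for logons that arrived over RDP, match that name against the terminal server's own Security log (on Server 2003, logon failure event 529 carries a Source Network Address field) and the firewall or VPN logs to get the remote address.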
 
LVL 1

Expert Comment

by:jasonhdz
ID: 35147520
Do you have a VPN in place? The Windows Event Viewer will only provide you with logs on the user account trying to access. I would suggest a third-party auditing tool like Splunk, which captures the syslogs and routing info to better understand where the user that is attempting to log in is coming from. Splunk has many apps that can assist (it's time consuming, though). The most important info you need to gather is the IP where the individual is coming from, and then you will find the location. Check firewall logs and the VPN if you have one. If you had rules of behavior that you made the user sign, and you confirm the individual is a former employee, she can be prosecuted in a court of law. But most important, check audit logs from the FW or VPN.
0
