Solved

who is hacking my system

Posted on 2011-03-14
8
286 Views
Last Modified: 2012-06-22
I have a Windows 2003 network with a password policy to lock the account after 3 failed logon attempts. We have an employee that was let go about two weeks ago and we think she is trying everyone's user name to try and get in. After she was let go, users are calling me because their accounts were locked, including my account. Is there a way with Server 2003 to get information on these events or do I need 3rd-party software?
0
Comment
Question by:jgajma
8 Comments
 
LVL 4

Expert Comment

by:bitla
ID: 35131748
Are you the Admin? if so how can your account be locked?

How can you give access to external users (internet users) to connect to your Domain? That's confusing me.

The only way an external user can access the domain is by remote connection. Make sure you have disabled her account or removed it, even from RDP.

To know who is doing this:

Look in the Event Viewer, you will find the IP address. Block that IP address.
Use a good firewall, or you can use Internet Security (AVG Internet Security) which comes with firewall, Resident Shield, Online Shield, Identity Protection, and antivirus/spyware/rootkit etc. features.
0
 

Author Comment

by:jgajma
ID: 35131918
No, the account I use is not an admin account; my users are allowed to use RDP to work from home.
Her account has been deleted. I got an anonymous email that she is trying everyone else's user name to try and get in.
0
 
LVL 4

Expert Comment

by:bitla
ID: 35132175
Go to the Event Viewer, find the IP address and block the IP address.

You can even block that IP address using AVG Internet Security (Firewall settings).

You can chat with me on gtalk vishwanath.bitla@gmail.com
0
 
LVL 4

Expert Comment

by:bitla
ID: 35132915
Auditing RDP

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26669680.html

We use Access Key in conjunction with the normal login method (RDP), so when a user leaves the company we take away the access key from him, so he can't even connect to the server.
0
 
LVL 4

Expert Comment

by:bitla
ID: 35136290
Sorry! I will keep it in mind; it will not happen again.
0
 
LVL 2

Accepted Solution

by: Hapexamendios (earned 500 total points)
ID: 35136609
Hi,

Try this if you haven't already:

Download Microsoft's Account Lockout Tools:

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Install these on your admin machine (avoid using a DC though).
Whilst all these tools are useful, the only one you'll probably need here is eventcombNT.exe.
Launch this, have a look at its intro message, and then click OK.
Go to the "Options" menu and then "Select Output Directory". From there, pick a folder to put what will be your text file results - perhaps make a folder for this purpose.
In the main program, select the "Searches" menu, and go to "Built-in Searches >> Account Lockouts".
Click the "Search" button, and wait.

The program will then connect to all your domain controllers, and parse their Netlogon.log files for account lockout events, placing matching events in text files - one for each DC - in the output folder you created/selected earlier.

Now look at each file in turn.

Take a step back here, and think "what do I need?": you need to find out where bad passwords are coming from.
Use "Find" to search for an account which has been recently locked out.
In entries for the account in question, you want to track back to the first event you can find with the text "Failure code: 0x18". This is the point at which the account was locked out. Now, search for events which occurred immediately before this chronologically, particularly those with the text "Failure code: 0x24" (code for "username OK, bad password").

Hopefully you've noticed that the IP address or hostname of the client sending the credentials is listed.
Therefore, a bit of repeating the above for a couple of your users' accounts will quickly show you if these account lockout events are all coming from the same IP, and hopefully to your culprit.

Hope it helps,
0
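The manual "find the lockout, then look at the bad-password events just before it" step from the accepted answer, automated over a text file of parsed events. This is an added example, not code from the page or from Microsoft's tools: the sample lines and their field layout are constructed for the example (real EventCombMT output looks different), and the failure-code values (0x24 bad password, 0x18 lockout) are taken from the answer above rather than verified here, so adjust the two constants to match your own output. It also generalizes the answer's per-account check into a count of how many distinct accounts each client address helped lock out.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (not real log output). Field layout is an assumption for
# this example; codes follow the accepted answer: 0x24 bad password, 0x18 lockout.
SAMPLE_LOG = """\
03/14 08:01:10 Account: jsmith Client: 198.51.100.7 Failure code: 0x24
03/14 08:01:14 Account: jsmith Client: 198.51.100.7 Failure code: 0x24
03/14 08:01:19 Account: jsmith Client: 198.51.100.7 Failure code: 0x24
03/14 08:01:19 Account: jsmith Client: 198.51.100.7 Failure code: 0x18
03/14 08:03:02 Account: mlee Client: 10.0.0.55 Failure code: 0x24
03/14 08:05:40 Account: mlee Client: 198.51.100.7 Failure code: 0x24
03/14 08:05:44 Account: mlee Client: 198.51.100.7 Failure code: 0x24
03/14 08:05:48 Account: mlee Client: 198.51.100.7 Failure code: 0x18
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) Account: (?P<acct>\S+) "
    r"Client: (?P<client>\S+) Failure code: (?P<code>0x[0-9A-Fa-f]+)$")
BAD_PASSWORD, LOCKED_OUT = "0x24", "0x18"  # change to match your own output


def parse(text):
    """Return (timestamp, account, client, code) tuples in file order."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]


def lockout_sources(events, threshold=3):
    """For each account lockout, count the client addresses behind the last
    `threshold` bad-password events for that account (threshold = the
    lockout policy, 3 in the question)."""
    by_acct = defaultdict(list)
    for ev in events:
        by_acct[ev[1]].append(ev)
    result = {}
    for acct, evs in by_acct.items():
        for i, ev in enumerate(evs):
            if ev[3] == LOCKED_OUT:
                prior = [e for e in evs[:i] if e[3] == BAD_PASSWORD][-threshold:]
                result.setdefault(acct, Counter()).update(e[2] for e in prior)
    return result


def accounts_locked_per_client(events, threshold=3):
    """Distinct accounts each client helped lock out: one address recurring
    across many users' lockouts is the pattern the question describes."""
    hits = Counter()
    for counter in lockout_sources(events, threshold).values():
        hits.update(counter.keys())
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(dict(accounts_locked_per_client(evs)))
```

In the sample, mlee's own workstation (10.0.0.55) contributed one typo, but the address common to both lockouts is the one worth checking against firewall or RDP logs.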
 
LVL 1

Expert Comment

by:jasonhdz
ID: 35147520
Do you have a VPN in place? The Windows Event Viewer will only provide you with logs on the user account trying to access. I would suggest a third-party auditing tool like Splunk, which captures the syslogs and routing info to better understand where the user that is attempting to log in is coming from. Splunk has many apps that can assist (it's time consuming though). The most important info you need to gather is the IP where the individual is coming from, and then you will find the location. Check firewall logs and VPN if you have one. If you had rules of behavior that you made the user sign, and you confirm the individual is a former employee, she can be prosecuted in a court of law. But most important, check audit logs from the FW or VPN.
0
