• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 432
  • Last Modified:

Server Security Breach - What did they access?

I'm doing a server migration and this morning I walked into the server room and noticed that a former employee's login, who's user name hasn't been disabled had accessed the server. His name was in the login and I looked at the audit files and found that he logged on at 2am. He is in his 70's and they don't think that it is likely that he broke in remotely or physically but their password requirements suck, hence me being here to change things.

How can I tell what he has accessed? It's been years since I have had to look into this.


Server std 2003

Thanks in advance.
0
Thelogoguy
Asked:
Thelogoguy
  • 3
  • 2
1 Solution
 
ThelogoguyAuthor Commented:
Anyone there?
0
 
Carol ChisholmCommented:
So this 70 year old accessed the console? or someone else accessed the console with his username?

Who has the keys to the room?

What sort of logon event do you see. (it's in the event log)

Disable all other admin accounts and change your password.

I think no one is brave enough for 500 points... Late in the evening here.

This sort of thing is a nightmare, if it is a serious hacker you have a bottomless pit which could involve rebuilding everything. If it is a disgruntled employee you may be able to sort it out, as long as they are alone.

But really really a difficult situation. We need to know more about physical access, remote access, how many admins, and so on.
0
 
ThelogoguyAuthor Commented:
It was remote access, they did it at 2am and I found an IP from czech republic in event viewer.

It looks like he gave himself a bunch of privileges, he cleared the logs prior to 2am so I don't know what he did.

The old guy's password was not tough and he likely got in from that.

I'm interested to see if I can find out what he accessed.
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
Skyler KincaidNetwork/Systems EngineerCommented:
If you didn't have auditing turned on for the files it is going to be almost impossible. If I was you I would implement a password policy for all accounts and make them change their password at the next login.

As mentioned above, if there are any Domain Admin accounts they need to be cleaned up or have the passwords changed.

Clean up all the users accounts in AD that aren't being used and make sure that there isn't any accounts in groups that they shouldn't be.

If you are lucky you can check here:

C:\Documents and Settings\(His Account)\Local Settings\History

But I am sure that he deleted them.

You may be able to try something along these lines:

http://www.netwrix.com/file_server_reporting.html

But I don't know if it will show files accessed before it was installed.
0
 
ThelogoguyAuthor Commented:
Auditing is turned on but not for files. Here is what i can see in the event logs, it looks like he gave himself a bunch of privileges. I'm worried about the SeImpersonatePrivilege.


Privileges:      SeSecurityPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeTakeOwnershipPrivilege
                  SeDebugPrivilege
                  SeSystemEnvironmentPrivilege
                  SeLoadDriverPrivilege
                  SeImpersonatePrivilege
                  SeEnableDelegationPrivilege
0
 
Carol ChisholmCommented:
I would plan on rebuilding the whole thing as soon as possible.
As I'm sure you know the IP address may or may not the one where the hacker really is, so you have to imagine the worst.
You could also try a system file monitor, but if he is already in there, he could also work round that.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Become an IT Security Management Expert

In today’s fast-paced, digitally transformed world of business, the need to protect network data and ensure cloud privacy has never been greater. With a B.S. in Network Operations and Security, you can get the credentials it takes to become an IT security management expert.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now