Solved

Server Security Breach - What did they access?

Posted on 2013-05-11
Last Modified: 2013-06-19
I'm doing a server migration and this morning I walked into the server room and noticed that a former employee's login, whose username hasn't been disabled, had accessed the server. His name was in the login and I looked at the audit files and found that he logged on at 2am. He is in his 70s and they don't think that it is likely that he broke in remotely or physically, but their password requirements suck, hence me being here to change things.

How can I tell what he has accessed? It's been years since I have had to look into this.


Server Std 2003

Thanks in advance.
Question by:Thelogoguy
Author Comment

by:Thelogoguy
ID: 39158414
Anyone there?
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39158482
So this 70-year-old accessed the console, or someone else accessed the console with his username?

Who has the keys to the room?

What sort of logon event do you see? (It's in the event log.)

Disable all other admin accounts and change your password.

I think no one is brave enough for 500 points... Late in the evening here.

This sort of thing is a nightmare. If it is a serious hacker you have a bottomless pit which could involve rebuilding everything. If it is a disgruntled employee you may be able to sort it out, as long as they are alone.

But really, really a difficult situation. We need to know more about physical access, remote access, how many admins, and so on.
Author Comment

by:Thelogoguy
ID: 39158541
It was remote access, they did it at 2am and I found an IP from the Czech Republic in Event Viewer.

It looks like he gave himself a bunch of privileges. He cleared the logs prior to 2am, so I don't know what he did.

The old guy's password was not tough and he likely got in from that.

I'm interested to see if I can find out what he accessed.
LVL 15

Accepted Solution

by: Skyler Kincaid (earned 2000 total points)
ID: 39158578
If you didn't have auditing turned on for the files it is going to be almost impossible. If I were you I would implement a password policy for all accounts and make them change their password at the next login.

As mentioned above, if there are any Domain Admin accounts they need to be cleaned up or have the passwords changed.

Clean up all the user accounts in AD that aren't being used and make sure that there aren't any accounts in groups that they shouldn't be.

If you are lucky you can check here:

C:\Documents and Settings\(His Account)\Local Settings\History

But I am sure that he deleted them.

You may be able to try something along these lines:

http://www.netwrix.com/file_server_reporting.html

But I don't know if it will show files accessed before it was installed.
Author Comment

by:Thelogoguy
ID: 39158619
Auditing is turned on but not for files. Here is what I can see in the event logs; it looks like he gave himself a bunch of privileges. I'm worried about the SeImpersonatePrivilege.


Privileges:      SeSecurityPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeTakeOwnershipPrivilege
                  SeDebugPrivilege
                  SeSystemEnvironmentPrivilege
                  SeLoadDriverPrivilege
                  SeImpersonatePrivilege
                  SeEnableDelegationPrivilege
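Added example (not posted by anyone in this thread): an offline triage of exported Security log records for the suspect account. It assumes the 2003-era Security log was saved from Event Viewer and each record reduced to the fields shown; the event IDs are the Windows 2003 ones (528/540 logon, 538 logoff, 576 special privileges assigned, 517 audit log cleared), logon type 10 is a Terminal Services (RDP) session, and the records themselves are constructed sample data, not real log lines. It pulls out what the thread is asking about: where the remote logons came from, which of the assigned privileges let the logon read or alter files outside its ACLs (SeBackupPrivilege alone reads any file), and the point at which the log was cleared, before which nothing can be considered complete.

```python
"""Offline triage of Windows Server 2003 Security log records for one account.

Added example, not from the thread. Assumes the Security log was exported
(Event Viewer, "Save Log File As") and each record reduced to the fields below.
Event IDs are the Windows 2003-era ones:
  528 successful logon, 540 successful network logon, 538 logoff,
  576 special privileges assigned to new logon, 517 audit log cleared.
Logon type 3 = network (SMB etc.), logon type 10 = Terminal Services / RDP.
"""
from datetime import datetime

# Privileges that let a logon read, alter or impersonate beyond its ACLs.
HIGH_IMPACT_PRIVILEGES = {
    "SeBackupPrivilege",         # read any file regardless of ACL
    "SeRestorePrivilege",        # write any file regardless of ACL
    "SeTakeOwnershipPrivilege",
    "SeDebugPrivilege",          # attach to any process, including LSASS
    "SeImpersonatePrivilege",
    "SeLoadDriverPrivilege",
    "SeSecurityPrivilege",       # manage and clear the Security log itself
}

# Constructed sample records (not real log data); IP is from TEST-NET-3.
SAMPLE_EVENTS = [
    {"time": "2013-05-11 01:40:12", "id": 517, "user": "olduser", "logon_type": None, "source_ip": None, "privileges": []},
    {"time": "2013-05-11 01:58:03", "id": 540, "user": "olduser", "logon_type": 3, "source_ip": "203.0.113.45", "privileges": []},
    {"time": "2013-05-11 02:01:17", "id": 528, "user": "olduser", "logon_type": 10, "source_ip": "203.0.113.45", "privileges": []},
    {"time": "2013-05-11 02:01:17", "id": 576, "user": "olduser", "logon_type": None, "source_ip": None,
     "privileges": ["SeSecurityPrivilege", "SeBackupPrivilege", "SeDebugPrivilege", "SeImpersonatePrivilege"]},
    {"time": "2013-05-11 02:35:44", "id": 538, "user": "olduser", "logon_type": 10, "source_ip": None, "privileges": []},
    {"time": "2013-05-11 08:02:09", "id": 528, "user": "admin1", "logon_type": 2, "source_ip": "127.0.0.1", "privileges": []},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def account_timeline(events, account):
    """Chronological records for one account, plus every 517 (log cleared)
    record, because a clear hides earlier activity by anyone."""
    rows = [e for e in events if e["user"].lower() == account.lower() or e["id"] == 517]
    return sorted(rows, key=lambda e: parse_time(e["time"]))


def remote_logon_sources(events, account):
    """Distinct source addresses of network (3) and RDP (10) logons for the account."""
    return sorted({e["source_ip"] for e in events
                   if e["user"].lower() == account.lower()
                   and e["id"] in (528, 540)
                   and e["logon_type"] in (3, 10)
                   and e["source_ip"]})


def high_impact_privileges(events, account):
    """Watchlisted privileges granted to the account in 576 records."""
    found = set()
    for e in events:
        if e["id"] == 576 and e["user"].lower() == account.lower():
            found.update(set(e["privileges"]) & HIGH_IMPACT_PRIVILEGES)
    return sorted(found)


def audit_gap(events):
    """(clear_time, first_logon_after_clear, who_cleared) for the latest 517
    record, or None if the log was never cleared. Everything before
    clear_time is unrecoverable from this log."""
    clears = [e for e in events if e["id"] == 517]
    if not clears:
        return None
    last_clear = max(clears, key=lambda e: parse_time(e["time"]))
    later = [e for e in events
             if e["id"] in (528, 540) and parse_time(e["time"]) > parse_time(last_clear["time"])]
    first = min(later, key=lambda e: parse_time(e["time"])) if later else None
    return last_clear["time"], (first["time"] if first else None), last_clear["user"]


if __name__ == "__main__":
    who = "olduser"
    for e in account_timeline(SAMPLE_EVENTS, who):
        print(e["time"], e["id"], e["user"], e["logon_type"], e["source_ip"], ",".join(e["privileges"]))
    print("remote sources:", remote_logon_sources(SAMPLE_EVENTS, who))
    print("high-impact privileges:", high_impact_privileges(SAMPLE_EVENTS, who))
    print("audit gap:", audit_gap(SAMPLE_EVENTS))
```

Two things worth noting for the OP's situation. First, a 517 record names the account that cleared the log, so if the clear was done under the former employee's login that is itself evidence worth preserving (export the log before doing anything else). Second, with SeBackupPrivilege in the 576 record and no object-access auditing enabled, the log cannot show which files were read, which is why the accepted answer's point about turning on file auditing (and the suggestion to rebuild) stands.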
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39159179
I would plan on rebuilding the whole thing as soon as possible.
As I'm sure you know, the IP address may or may not be the one where the hacker really is, so you have to imagine the worst.
You could also try a system file monitor, but if he is already in there, he could also work round that.