Solved

Server Security Breach - What did they access?

Posted on 2013-05-11
6
410 Views
Last Modified: 2013-06-19
I'm doing a server migration and this morning I walked into the server room and noticed that a former employee's login, who's user name hasn't been disabled had accessed the server. His name was in the login and I looked at the audit files and found that he logged on at 2am. He is in his 70's and they don't think that it is likely that he broke in remotely or physically but their password requirements suck, hence me being here to change things.

How can I tell what he has accessed? It's been years since I have had to look into this.


Server std 2003

Thanks in advance.
0
Comment
Question by:Thelogoguy
  • 3
  • 2
6 Comments
 

Author Comment

by:Thelogoguy
ID: 39158414
Anyone there?
0
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39158482
So this 70 year old accessed the console? or someone else accessed the console with his username?

Who has the keys to the room?

What sort of logon event do you see. (it's in the event log)

Disable all other admin accounts and change your password.

I think no one is brave enough for 500 points... Late in the evening here.

This sort of thing is a nightmare, if it is a serious hacker you have a bottomless pit which could involve rebuilding everything. If it is a disgruntled employee you may be able to sort it out, as long as they are alone.

But really really a difficult situation. We need to know more about physical access, remote access, how many admins, and so on.
0
 

Author Comment

by:Thelogoguy
ID: 39158541
It was remote access, they did it at 2am and I found an IP from czech republic in event viewer.

It looks like he gave himself a bunch of privileges, he cleared the logs prior to 2am so I don't know what he did.

The old guy's password was not tough and he likely got in from that.

I'm interested to see if I can find out what he accessed.
0
Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

 
LVL 15

Accepted Solution

by:
Skyler Kincaid earned 500 total points
ID: 39158578
If you didn't have auditing turned on for the files it is going to be almost impossible. If I was you I would implement a password policy for all accounts and make them change their password at the next login.

As mentioned above, if there are any Domain Admin accounts they need to be cleaned up or have the passwords changed.

Clean up all the users accounts in AD that aren't being used and make sure that there isn't any accounts in groups that they shouldn't be.

If you are lucky you can check here:

C:\Documents and Settings\(His Account)\Local Settings\History

But I am sure that he deleted them.

You may be able to try something along these lines:

http://www.netwrix.com/file_server_reporting.html

But I don't know if it will show files accessed before it was installed.
0
 

Author Comment

by:Thelogoguy
ID: 39158619
Auditing is turned on but not for files. Here is what i can see in the event logs, it looks like he gave himself a bunch of privileges. I'm worried about the SeImpersonatePrivilege.


Privileges:      SeSecurityPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeTakeOwnershipPrivilege
                  SeDebugPrivilege
                  SeSystemEnvironmentPrivilege
                  SeLoadDriverPrivilege
                  SeImpersonatePrivilege
                  SeEnableDelegationPrivilege
0
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39159179
I would plan on rebuilding the whole thing as soon as possible.
As I'm sure you know the IP address may or may not the one where the hacker really is, so you have to imagine the worst.
You could also try a system file monitor, but if he is already in there, he could also work round that.
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question