Solved

Server Security Breach - What did they access?

Posted on 2013-05-11
6
404 Views
Last Modified: 2013-06-19
I'm doing a server migration and this morning I walked into the server room and noticed that a former employee's login, who's user name hasn't been disabled had accessed the server. His name was in the login and I looked at the audit files and found that he logged on at 2am. He is in his 70's and they don't think that it is likely that he broke in remotely or physically but their password requirements suck, hence me being here to change things.

How can I tell what he has accessed? It's been years since I have had to look into this.


Server std 2003

Thanks in advance.
0
Comment
Question by:Thelogoguy
  • 3
  • 2
6 Comments
 

Author Comment

by:Thelogoguy
ID: 39158414
Anyone there?
0
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39158482
So this 70 year old accessed the console? or someone else accessed the console with his username?

Who has the keys to the room?

What sort of logon event do you see. (it's in the event log)

Disable all other admin accounts and change your password.

I think no one is brave enough for 500 points... Late in the evening here.

This sort of thing is a nightmare, if it is a serious hacker you have a bottomless pit which could involve rebuilding everything. If it is a disgruntled employee you may be able to sort it out, as long as they are alone.

But really really a difficult situation. We need to know more about physical access, remote access, how many admins, and so on.
0
 

Author Comment

by:Thelogoguy
ID: 39158541
It was remote access, they did it at 2am and I found an IP from czech republic in event viewer.

It looks like he gave himself a bunch of privileges, he cleared the logs prior to 2am so I don't know what he did.

The old guy's password was not tough and he likely got in from that.

I'm interested to see if I can find out what he accessed.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 15

Accepted Solution

by:
Skyler Kincaid earned 500 total points
ID: 39158578
If you didn't have auditing turned on for the files it is going to be almost impossible. If I was you I would implement a password policy for all accounts and make them change their password at the next login.

As mentioned above, if there are any Domain Admin accounts they need to be cleaned up or have the passwords changed.

Clean up all the users accounts in AD that aren't being used and make sure that there isn't any accounts in groups that they shouldn't be.

If you are lucky you can check here:

C:\Documents and Settings\(His Account)\Local Settings\History

But I am sure that he deleted them.

You may be able to try something along these lines:

http://www.netwrix.com/file_server_reporting.html

But I don't know if it will show files accessed before it was installed.
0
 

Author Comment

by:Thelogoguy
ID: 39158619
Auditing is turned on but not for files. Here is what i can see in the event logs, it looks like he gave himself a bunch of privileges. I'm worried about the SeImpersonatePrivilege.


Privileges:      SeSecurityPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeTakeOwnershipPrivilege
                  SeDebugPrivilege
                  SeSystemEnvironmentPrivilege
                  SeLoadDriverPrivilege
                  SeImpersonatePrivilege
                  SeEnableDelegationPrivilege
0
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39159179
I would plan on rebuilding the whole thing as soon as possible.
As I'm sure you know the IP address may or may not the one where the hacker really is, so you have to imagine the worst.
You could also try a system file monitor, but if he is already in there, he could also work round that.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now