Solved

Server Security Breach - What did they access?

Posted on 2013-05-11
6
414 Views
Last Modified: 2013-06-19
I'm doing a server migration and this morning I walked into the server room and noticed that a former employee's login, who's user name hasn't been disabled had accessed the server. His name was in the login and I looked at the audit files and found that he logged on at 2am. He is in his 70's and they don't think that it is likely that he broke in remotely or physically but their password requirements suck, hence me being here to change things.

How can I tell what he has accessed? It's been years since I have had to look into this.


Server std 2003

Thanks in advance.
0
Comment
Question by:Thelogoguy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 

Author Comment

by:Thelogoguy
ID: 39158414
Anyone there?
0
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39158482
So this 70 year old accessed the console? or someone else accessed the console with his username?

Who has the keys to the room?

What sort of logon event do you see. (it's in the event log)

Disable all other admin accounts and change your password.

I think no one is brave enough for 500 points... Late in the evening here.

This sort of thing is a nightmare, if it is a serious hacker you have a bottomless pit which could involve rebuilding everything. If it is a disgruntled employee you may be able to sort it out, as long as they are alone.

But really really a difficult situation. We need to know more about physical access, remote access, how many admins, and so on.
0
 

Author Comment

by:Thelogoguy
ID: 39158541
It was remote access, they did it at 2am and I found an IP from czech republic in event viewer.

It looks like he gave himself a bunch of privileges, he cleared the logs prior to 2am so I don't know what he did.

The old guy's password was not tough and he likely got in from that.

I'm interested to see if I can find out what he accessed.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 15

Accepted Solution

by:
Skyler Kincaid earned 500 total points
ID: 39158578
If you didn't have auditing turned on for the files it is going to be almost impossible. If I was you I would implement a password policy for all accounts and make them change their password at the next login.

As mentioned above, if there are any Domain Admin accounts they need to be cleaned up or have the passwords changed.

Clean up all the users accounts in AD that aren't being used and make sure that there isn't any accounts in groups that they shouldn't be.

If you are lucky you can check here:

C:\Documents and Settings\(His Account)\Local Settings\History

But I am sure that he deleted them.

You may be able to try something along these lines:

http://www.netwrix.com/file_server_reporting.html

But I don't know if it will show files accessed before it was installed.
0
 

Author Comment

by:Thelogoguy
ID: 39158619
Auditing is turned on but not for files. Here is what i can see in the event logs, it looks like he gave himself a bunch of privileges. I'm worried about the SeImpersonatePrivilege.


Privileges:      SeSecurityPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeTakeOwnershipPrivilege
                  SeDebugPrivilege
                  SeSystemEnvironmentPrivilege
                  SeLoadDriverPrivilege
                  SeImpersonatePrivilege
                  SeEnableDelegationPrivilege
0
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 39159179
I would plan on rebuilding the whole thing as soon as possible.
As I'm sure you know the IP address may or may not the one where the hacker really is, so you have to imagine the worst.
You could also try a system file monitor, but if he is already in there, he could also work round that.
0

Featured Post

Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ready for our next Course of the Month? Here's what's on tap for June.
Liquid Web and Plesk discuss how to simplify server management with a single tool  in their webinar.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question