Solved

Find Public IP / Other for Intruder

Posted on 2014-01-20
283 Views
Last Modified: 2014-02-03
Afternoon All -

My parents own a business and have had an employee working for them for about 15 years who was about my age (35) and that they treated like a son.  He decided to quit a few months ago for whatever reason.

Found out this morning that he just opened a new company which does exactly what he did before that will go in direct competition with my parents.  That's fine and all since competition is healthy - however - he'd been trying to recruit some of my parents' current employees and was bragging about how he still remotes in and checks his email, has a copy of certain databases, as well as gets stuff from my father who gave him his password years ago.  I'm pissed.

I've already tightened security and changed everything.  Now gears have shifted to where I'm on the hunt.

I'm trying to find his public IP address / or may set a surprise for him the next time he logs in.  The problem is that the router is a consumer brand and logging is slim to none.  It's a Linksys E1500 which is connected to a Comcast Business Gateway.  I saw a list of all recent incoming attempts on the E1500, but it only showed about 15 events and most were WWW.

- If a user logs into Windows via RDP, does the security log show the source public IP?  
- Can I get further or more detailed logs by SSHing into router perhaps?
- Even though all is forwarded, think the Comcast Gateway will have any logs?

Any ideas on what to check / look at to get this info or traps/honeypot to set?

Thanks Guys -
Question by:BzowK
5 Comments
 
LVL 23

Assisted Solution

by:Patrick Bogers
Patrick Bogers earned 166 total points
ID: 39794949
Hi

Traps and honeypots are not things I want to get into because they are against any law, but for identifying issues I would like to help.

Are you in a domain controller environment or do you have a local workgroup?

If the latter, below is applicable:
If someone RDPs into a system it gets logged. If you filter the security event logs you should find the IP address under ID 4648.
Of course if there is a VPN tunnel created first you get to see an internal NAT IP address.
ID 4672 shows the username used.
 
LVL 16

Assisted Solution

by:vivigatt
vivigatt earned 167 total points
ID: 39795632
Everything that comes to your "public" router has to have a "public IP address". It will then certainly be "his" address, but this address can change, if his ISP changes it for whatever reason. Some ISPs do not provide the same IP addresses each time, some force changes.
However, everything that gets logged from "outside" will have a public IP address.

As Patricksr1972 mentioned, you will also find user names in the logs. I suggest that you enable success and failures in the security logs, then you will see who connects, when, etc. RDP (Terminal Server) has its own logs too.
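The two answers above (filter the Security log for the logon event IDs, and make sure success and failure auditing is on) can be combined into one check. This is an added example, not code from the thread; it assumes it is run in an elevated PowerShell on the Windows host that receives the forwarded RDP port, and `$Days` is an assumed lookback window. It reads 4624/4625 (logon type 10 = RemoteInteractive) and 4648 (explicit credentials) and groups them by source address:

```powershell
# Added example (not from the thread): list RDP-style logons recorded in the
# Windows Security log and summarise them by source IP address.
# Assumes an elevated session on the host the router forwards RDP to.
param([int]$Days = 30)   # assumed lookback window

# Nothing will be in the log unless logon auditing is enabled.
$policy = auditpol /get /subcategory:"Logon" 2>$null
if (-not ($policy -match 'Success and Failure')) {
    Write-Warning 'Logon auditing is not "Success and Failure"; enable it with:'
    Write-Warning '  auditpol /set /subcategory:"Logon" /success:enable /failure:enable'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4648
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # 4624/4625 carry LogonType (10 = RDP); 4648 has no LogonType, so keep
    # every 4648 that carries a remote address.
    if ($ev.Id -ne 4648 -and $d['LogonType'] -ne '10') { continue }
    if (-not $d['IpAddress'] -or $d['IpAddress'] -in @('-', '::1', '127.0.0.1')) { continue }

    [pscustomobject]@{
        Time    = $ev.TimeCreated
        EventId = $ev.Id
        User    = $d['TargetUserName']
        Domain  = $d['TargetDomainName']
        Source  = $d['IpAddress']   # public IP if port-forwarded, NAT IP if via VPN
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

"`nDistinct source addresses:"
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{n='SourceIP'; e={ $_.Name }}, Count,
                  @{n='Users';    e={ ($_.Group.User | Sort-Object -Unique) -join ',' }},
                  @{n='First';    e={ ($_.Group.Time | Measure-Object -Minimum).Minimum }},
                  @{n='Last';     e={ ($_.Group.Time | Measure-Object -Maximum).Maximum }} |
    Format-Table -AutoSize
```

Export the matching events (`Get-WinEvent ... | Export-Clixml`) rather than relying on the live log, since the Security log rolls over and the entries are the only record of the source address.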
 
LVL 9

Accepted Solution

by:jfer0x01
jfer0x01 earned 167 total points
ID: 39816900
Modalot has best answer. Call the cops. When employees leave / quit, change all passwords, deactivate all of the users account. Too late now though.

- If a user logs into Windows via RDP, does the security log show the source public IP?
If he is doing this, odds are your router is doing port forwarding to a box inside the network. The log file in your router could have this, but it seems you already checked.
 
- Can I get further or more detailed logs by SSHing into router perhaps?
Yes. Most routers run some form of busybox, but ssh is usually disabled or unavailable in common routers. If you cannot enable it, then ssh cannot be done without removing the original filesystem and thus your logs.

- Even though all is forwarded, think Comcast Gateway will have and logs?
Yes. The SMC device does have logs.

If you are serious about prosecution, hire a pro to do this. Get witnesses to do sworn statements about him admitting intrusions after leaving the job. This carries a lot of weight vs log files that a judge does not understand.

Good luck, hope this helps.

Jfer
 

Author Comment

by:BzowK
ID: 39830600
I'm not trying to cause damage or do illegal things, but do want to defend my information.  Thanks guys