Solved

IT employee leaving - made statement that he has back doors

Posted on 2014-09-16
Last Modified: 2014-10-01
Someone on our IT team is leaving of his own accord. About a month ago, before he gave notice, he made a comment to me in passing that no one would find the various back doors he had hidden on the network. Short of hiring a network security consultant to completely test our network, are there any programs or tips from you guys on how to see if it's real or not?
We have ASA firewalls in our datacenters, which he never had access to. He does have access to 2003, 2008 and 2012 servers.
Question by:atrevido
17 Comments
 
LVL 40

Expert Comment

by:Kyle Abrahams
ID: 40326043
How advanced was the user?

First thing I would check are individual programs that allow remote access to computers (e.g. LogMeIn, TeamViewer, etc.).

I would check that on any server or laptop that he has access to.  Secondly I would roll any password (service accounts, user accounts, etc) that he has access to.

What was his specific role exactly?  Was he a programmer?  Sys admin? dba?  

I would also document that conversation (or preserve emails) etc, as it could be used in court should anything happen.
 
LVL 4

Expert Comment

by:exploitedj
ID: 40326052
Probably wouldn't hurt to get some backups made of, well, everything.

Keep the tapes offline, just in case you need to restore.
 
LVL 19

Expert Comment

by:Rob Hutchinson
ID: 40326059
I'm not a security expert, but I'd start with making sure that you changed passwords on all important accounts, as the access he's likely talking about is account based.

Maybe check which users have VPN access, and check which accounts are also used for services on the servers, as he could possibly have modified a service account so that he knows the password and given this account VPN privileges.

If I were to try and create a back door, I'd use a service related account or an obscure user account and make sure that this account had the correct privileges to access the network remotely so you might want to check every account that has elevated privileges which also has remote access.

Like Kyle said too, maybe scan the network for remote access programs as he might have this type of program on several computers.
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 40326070
Service accounts are the first place I'd look - My employer from 94 to 04 as of July hadn't removed one of the domain admin level service accounts I had created back then... I'm not trying to do anything with it and I still know people there so I reminded them about it and they went ahead and started investigating.  (Funny thing, I still remember the password).

Audit the members of privileged groups, such as Domain Admins and Enterprise Admins.  Make sure EVERYONE who is a member of those groups changes their passwords.  (This can be tricky for service accounts, but it's still necessary).

Finally, HIRE A TEAM TO AUDIT YOUR SECURITY.  SO WHAT, that guy claims he has back doors... fine... but what other flaws do you have... if you're a florist maybe you don't care about security... if you're a bank, a construction company, or anyone else with important files that are business critical, you should be protecting them.  AT A MINIMUM, you should be telling your boss this needs to be done to cover your own behind!
 
LVL 4

Expert Comment

by:exploitedj
ID: 40326119
Group privileges and passwords are important. As you will probably hear a bunch of times I too suggest  reviewing and changing them, respectively.

I always think an isolated centralized logging server (not a member of the domain) is a good idea, collecting logins and actions taken by users. This way if things start breaking you can at least figure out the initial point of entry, though, based on what you said there may be more than one.

It might not hurt to just talk to the person to defuse any tension. I'm not a lawyer, so I don't know if there is a downside to having a nice going away party where you say something like 'I know we might not have said it enough, but we really thought a lot of you.' or some such. You would know if that would make things better/worse.
 
LVL 10

Expert Comment

by:tmoore1962
ID: 40326163
Double-check your users in AD to make sure he didn't add any additional users that you may not be aware of.  What remote access policies, if any, do you have? Hopefully they are not global but specific. Any outside RDP should be using a VPN client first.
 
LVL 12

Author Comment

by:atrevido
ID: 40326222
Any tools for scanning for remote access programs on servers?
 
LVL 4

Expert Comment

by:exploitedj
ID: 40326393
There are lots of ways to allow for remote access. You can have a web server that executes remote commands, you can have a script that phones home from cron.d, you can have GoToMyPC installed, you can allow remote desktop, you can have a service listening on some random high port with command access, etc., ad infinitum.

Also, not mentioned yet, but also check for local users.
 
LVL 9

Assisted Solution

by:nattygreg
nattygreg earned 200 total points
ID: 40326615
OK, if he didn't have access to the firewall, which is the gatekeeper, I wouldn't be too worried. Amidst that, still do the precautions mentioned above. On the other hand, I would force a password change for everyone through AD and log the last 30 known PWs so that users are forced to make new passwords without recycling the old ones.
Permanently remove his account and look for any rogue or suspicious username and PW.

Let your team know it can be documented and have everyone keep an eye out for suspicious activity. Now, unless he has lodged a Trojan on the network to call home, you'll notice unusual excessive resources being used.
 
LVL 40

Expert Comment

by:Kyle Abrahams
ID: 40326763
@natty - as others have explained if he left a program on the server which makes outbound calls your firewall isn't going to protect you from anything.

I would be extremely worried if he mentions that he left backdoors.


@atrevido - Can you please inform us what role this user had? If he's a programmer there are special considerations to be taken into account. Letting us know what his responsibilities and skillsets were will help us inform you better.
 
LVL 12

Author Comment

by:atrevido
ID: 40326840
He was a junior administrator who had access to some service accounts, GPO, AD and, unfortunately, one of those service accounts had domain admin rights; it's a monitoring software account that someone higher up than me foolishly handed out.  So, I'll change that password for sure, but that basically means that he could have possibly logged on to any server on the domain.  I have 500 users and about 200 servers or so.  I have the password list given to him 6 months ago, which I will go ahead and change every one of them.  I'm also trying to figure out PowerShell so I can get a list of every single account within our domain with its group membership so I can find anomalies.  He was not a programmer, although he is a single guy with too much time on his hands....  No offense to single guys in general.
 
LVL 40

Assisted Solution

by:Kyle Abrahams
Kyle Abrahams earned 100 total points
ID: 40326871
That's good . . . at least you'll avoid going through major code reviews :-).

At this point I would look for your permission anomalies
Roll all accounts he had access to
Look for any new accounts created since you gave him the domain account
Look for any 3rd party software that enables remote access
Services will take longer to go through but it's not a bad idea to be completely sure.

And also you need to worry about port forwarding.
E.g.: if the firewall rule on the firewall says allow 21 (FTP) and then he forwards 21 to 3389 on the server, he could get at Remote Desktop.

Conversely if he changes the listening port for RDP to a different port that could also be an issue.
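An added example (not code posted by atrevido or Kyle) covering both atrevido's request for a PowerShell list of every account with its group memberships and Kyle's checklist above: it inventories every domain user, flags accounts created since the domain-admin service account was handed out, members of privileged groups, and accounts that have never logged on. It assumes the ActiveDirectory module (RSAT or a DC), PowerShell 3 or later, and a six-month cutoff date taken from the thread.

```powershell
# Added example, not code posted in this thread. Inventory every domain account with
# its group memberships and flag: accounts created since the cutoff, members of
# privileged groups, and accounts that have never logged on.
# Assumes the ActiveDirectory module and PowerShell 3+ ([PSCustomObject]).
Import-Module ActiveDirectory

$Cutoff = (Get-Date).AddMonths(-6)     # assumption: when the domain-admin service account was shared
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Remote Desktop Users'
)

# Resolve each privileged group (nested groups included) to its user members once.
$PrivilegedVia = @{}
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $PrivilegedVia[$_.distinguishedName] += "$g;" }
}

$Props  = 'whenCreated', 'LastLogonDate', 'PasswordLastSet', 'MemberOf'
$Report = Get-ADUser -Filter * -Properties $Props | ForEach-Object {
    $user   = $_
    # Reduce each group DN ("CN=Domain Admins,CN=Users,DC=...") to its CN.
    $groups = @($user.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
    [PSCustomObject]@{
        SamAccountName  = $user.SamAccountName
        Enabled         = $user.Enabled
        WhenCreated     = $user.whenCreated
        LastLogonDate   = $user.LastLogonDate
        PasswordLastSet = $user.PasswordLastSet
        PrivilegedVia   = $PrivilegedVia[$user.DistinguishedName]
        Groups          = ($groups -join ';')
        NewSinceCutoff  = ($user.whenCreated -gt $Cutoff)
        NeverLoggedOn   = (-not $user.LastLogonDate)
    }
}

# Full inventory for the records, then the short list that needs a human decision.
$Report | Export-Csv -Path .\ad-account-audit.csv -NoTypeInformation
$Report | Where-Object { $_.NewSinceCutoff -or $_.PrivilegedVia -or $_.NeverLoggedOn } |
    Sort-Object WhenCreated -Descending |
    Format-Table SamAccountName, Enabled, WhenCreated, PrivilegedVia, NeverLoggedOn -AutoSize
```

Run the CSV export again after the password roll and compare PasswordLastSet to confirm every account on the old password list was actually changed.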
 
LVL 4

Expert Comment

by:exploitedj
ID: 40326910
How long did he work there? You can also check for accounts created in that time frame, as a starting point.
 
LVL 61

Expert Comment

by:btan
ID: 40327258
A backdoor is only useful if that insider can access it, either remotely or when there is physical access; probably there are machines he has access to with some strange process and listening network ports in the background. Normally Remote Access Tools or remote services are required for "easier" reach in the event of no physical "touch" to the system and asset. Good to disable or segment them out to only the authorised personnel.

Likewise all accounts, esp. shared and testing accounts, should be removed, esp. those the insider would have leveraged to escalate rights to perform system or power user tasks, even including scheduled tasks that are not known. May be good to know the trails or audit logs created - assuming they are diligently archived and captured on critical servers. There may also be some dump server or file archive that is holding unknown huge files (encrypted with a password) - that can be an anomaly if the storage size surges in the following days or months before and after the insider's existence etc...

I am wondering if there can be cases where he implanted some dongle or USB hardware in the mouse/keyboard in the data center as well, especially those with a wireless interface or power-line based ones that have IP addresses assigned. There is h/w such as Pwnplug https://www.pwnieexpress.com/product-overview/ that has remote sensor capability...

just some thoughts
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 40329173
If it were me, even when I was pretty green, I'd do the following on a Windows machine:
Scheduled task that uses a reverse tunnel. VNC was good at this a long time ago; you could set your VNC to contact an IP on the internet, outside your firewall, and then the IP on the internet took over your computer. There are many of these. You can even do this in Google Chrome, it's called Chromoting http://www.androidpolice.com/2014/04/16/google-releases-chromoting-app-for-accessing-computers-remotely-from-android-devices/ You open Chrome up, install the remote Chrome app, a token is generated, you share that token with someone, and they put it in their browser running the same app, and they take over. You do have to report the token in that case, but that's easy.
LogMeIn is another service you can have running, and there are 400 other such services. Those are desktop apps, like RDP is, which again can call remote assistance (via a task that runs as SYSTEM), or use CLI tunneling, where you get access via a remote shell. You can use meterpreter for that, or thousands of other remote applications.
The possibilities are endless. You need to monitor egress, that's the traffic leaving your network. Everyone locks down ingress, no one locks down egress. Only allow your DNS servers to access the internet on port 53, only allow your mail servers the ability to send to destination ports 110, 25 etc... Deny all ports for IP ranges that belong to your PCs to the internet except 80 and 443. If you know a user needs to get to port 21 or some such, see if you can just allow him/her to do that.
Then you need to audit the processes being executed. You have to log process creation to the event logs and then review them for suspicious exes.
You should also involve your HR and/or Legal department; the veiled threat is a serious matter, and they can strike more fear into that person than you can. It should be them that makes initial contact.
-rich
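An added example, not code from Rich or anyone in the thread, for two of the checks he lists: scheduled tasks running as SYSTEM from a non-standard path (the reverse-tunnel-in-a-task pattern), and auditing process creation via Security event 4688. It uses schtasks.exe so the task listing also works on 2003/2008, and assumes an English Windows (column names) with C: as the system drive.

```powershell
# Added example, not code posted in this thread. Triage one Windows host for
# scheduled tasks running as SYSTEM from a non-standard path, and for executables
# launched from outside Windows/Program Files per process-creation events (4688).
# Assumes English column names from schtasks and C: as the system drive.

# A binary path is "expected" if it lives under the Windows or Program Files trees.
$TrustedPath = '^"?(C:\\Windows\\|C:\\Program Files|%SystemRoot%|%windir%)'

# --- 1. Scheduled tasks: who they run as and what they execute ---------------------
$Tasks = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }     # schtasks repeats the header per folder

$SuspectTasks = $Tasks | Where-Object {
    $_.'Run As User' -match 'SYSTEM' -and $_.'Task To Run' -notmatch $TrustedPath
} | Select-Object TaskName, Author, 'Run As User', 'Task To Run', 'Scheduled Task State'

"Scheduled tasks running as SYSTEM from a non-standard path (review each by hand):"
$SuspectTasks | Format-Table -AutoSize

# --- 2. Process creation auditing -----------------------------------------------------
# Switch on success auditing for process creation (elevated prompt required); from
# now on every new process is recorded as event 4688 in the Security log.
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null

# Summarise every distinct executable launched in the last 7 days, rarest first.
$Since    = (Get-Date).AddDays(-7)
$Filter   = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
$Launched = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The message carries "New Process Name:<tab>C:\path\to\binary.exe".
        if ($_.Message -match 'New Process Name:\s+(?<exe>[^\r\n]+)') { $Matches['exe'] }
    } | Group-Object | Sort-Object Count

"`nExecutables launched from outside Windows/Program Files (rarest first):"
$Launched | Where-Object { $_.Name -notmatch $TrustedPath } | Format-Table Count, Name -AutoSize
```

Forward the Security log to the isolated logging server suggested earlier in the thread, so that a 4688 record survives even if the host it came from is later cleaned.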
 
LVL 61

Expert Comment

by:btan
ID: 40329391
This article may interest you on finding backdoors and detecting indicators of compromise and anomalies.
http://www.windowsecurity.com/articles-tutorials/windows_os_security/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
Another good practice is to look routinely at any modification of programs to discover new, odd services or processes. Administration scripts are very useful tools in this regard, particularly when dealing with multiple systems. One might also wish to consider host scanning on your network from time to time. If you suspect that there is an open port at your computer, give a snapshot to check whether it is authorized or no. You may use network, application diagnosis and troubleshooting programs such as TCPview (Fig. 5) [12], FPort [13], Inzider [14], Active Ports (Fig. 6) [15], or Vision [16].
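An added example (not code from btan, Kyle or the linked article) for the host-side checks raised in both btan's comments and in Kyle's port-forwarding comment: it lists every listening TCP port with its owning process and service, checks whether the RDP listener has been moved off 3389, and looks for netsh port-proxy forwards of the 21 -> 3389 kind. netstat/netsh keep it usable on 2003/2008; C: as the system drive is assumed, and a forward configured on the ASA itself is not visible from the server.

```powershell
# Added example, not code posted in this thread. Snapshot one Windows server's
# listening TCP ports (IPv4 and IPv6) with the owning process and service, check the
# RDP listener port, and check for netsh port-proxy forwards. Assumes C: system drive.

# Map service-hosting PIDs to service names so svchost-style listeners are labelled.
$SvcByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 } |
    ForEach-Object { $SvcByPid[[int]$_.ProcessId] += "$($_.Name) " }

# Parse lines like "  TCP  0.0.0.0:3389  0.0.0.0:0  LISTENING  1234" ("[::]:3389" for v6).
$Listeners = netstat.exe -ano | Where-Object { $_ -match '^\s*TCP.*LISTENING' } | ForEach-Object {
    $f        = ($_ -replace '^\s+', '') -split '\s+'
    $ownerPid = [int]$f[4]
    $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $path     = if ($proc.Path) { $proc.Path } elseif ($proc) { $proc.ProcessName } else { '(exited)' }
    [PSCustomObject]@{
        Port    = [int](($f[1] -split ':')[-1])
        Address = $f[1]
        PID     = $ownerPid
        Process = $path
        Service = $SvcByPid[$ownerPid]
    }
}
$Listeners | Sort-Object Port | Format-Table -AutoSize

# Listeners whose binary is not under Windows or Program Files need a human look.
"Listeners from a non-standard path:"
$Listeners | Where-Object { $_.Process -notmatch '^C:\\(Windows|Program Files)' } |
    Format-Table Port, PID, Process, Service -AutoSize

# RDP listener port (default 3389); a moved listener is Kyle's second scenario.
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RdpPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
if ($RdpPort -ne 3389) { Write-Warning "RDP listener has been moved to port $RdpPort" }

# netsh port-proxy rules forward one local port to another address:port (e.g. 21 -> 3389).
$Proxy = netsh.exe interface portproxy show all |
    Where-Object { $_ -match '^\s*\S+\s+\d+\s+\S+\s+\d+\s*$' }
if ($Proxy) { Write-Warning "Port-proxy rules present:`n$($Proxy -join "`n")" }
```

Save the first table per server as a baseline; the useful signal on later runs is any port or owning binary that was not there before.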
 
LVL 12

Author Closing Comment

by:atrevido
ID: 40355130
Thanks for all of your feedback and support.  I've had all the departments that he interacted with change their login passwords.  We've done an AD walk to see if any odd accounts stood out.  Found some old crap that we cleaned up and found two accounts called Zero and ZeroPhader which are our suspects.  They were disabled.  Obviously the VPN is being monitored and we're looking at an IPS.  However, at some point the horse is just out of the barn.....right
