IT employee leaving - made statement that he has back doors

Someone on our IT team is leaving of his own accord. About a month ago, before he gave notice, he made a comment to me in passing that no one would find the various back doors he had hidden on the network. Short of hiring a network security consultant to completely test our network, are there any programs or tips from you guys on how to see if it's real or not?
We have ASA firewalls in our datacenters, which he never had access to. He does have access to 2003, 2008 and 2012 servers.

Kyle Abrahams (Senior .Net Developer) commented:
How advanced was the user?

The first things I would check are individual programs that allow remote access to computers (e.g. LogMeIn, TeamViewer, etc.).

I would check that on any server or laptop that he has access to.  Secondly I would roll any password (service accounts, user accounts, etc) that he has access to.

What was his specific role exactly?  Was he a programmer?  Sys admin? dba?  

I would also document that conversation (or preserve emails) etc, as it could be used in court should anything happen.
Probably wouldn't hurt to get some backups made of, well, everything.

Keep the tapes offline, just in case you need to restore.
Rob Hutchinson (Desktop Support) commented:
I'm not a security expert, but I'd start with making sure that you changed passwords on all important accounts, as the access he's likely talking about is account based.

Maybe check which users have VPN access, and check which accounts are also used for services on the servers, as he could possibly have modified a service account so that he knows the password and given this account VPN privileges.

If I were to try and create a back door, I'd use a service-related account or an obscure user account and make sure that this account had the correct privileges to access the network remotely, so you might want to check every account that has elevated privileges and also has remote access.

Like Kyle said too, maybe scan the network for remote access programs as he might have this type of program on several computers.

Lee W, MVP (Technology and Business Process Advisor) commented:
Service accounts are the first place I'd look. My employer from '94 to '04, as of July, hadn't removed one of the domain admin level service accounts I had created back then... I'm not trying to do anything with it, and I still know people there, so I reminded them about it and they went ahead and started investigating. (Funny thing, I still remember the password.)

Audit the members of privileged groups, such as Domain Admins and Enterprise Admins. Make sure EVERYONE who is a member of those groups changes their passwords. (This can be tricky for service accounts, but it's still necessary.)

Finally, HIRE A TEAM TO AUDIT YOUR SECURITY.  SO WHAT, that guy claims he has back doors... fine... but what other flaws do you have... if you're a florist maybe you don't care about security... if you're a bank, a construction company, or anyone else with important files that are business critical, you should be protecting them.  AT A MINIMUM, you should be telling your boss this needs to be done to cover your own behind!
Group privileges and passwords are important. As you will probably hear a bunch of times, I too suggest reviewing and changing them, respectively.

I always think an isolated centralized logging server (not a member of the domain) is a good idea, collecting logins and actions taken by users. This way if things start breaking you can at least figure out the initial point of entry, though, based on what you said there may be more than one.

It might not hurt to just talk to the person to diffuse any tension. I'm not a lawyer, so I don't know if there is a downside to having a nice going away party where you say something like 'I know we might not have said it enough, but we really thought a lot of you.' or some such. You would know if that would make things better/worse.
Double check your users in AD to make sure he didn't add any additional users that you may not be aware of. What remote access policies, if any, do you have? Hopefully they are not global but specific. Any outside RDP should be using a VPN client first.
atrevido (Author) commented:
Any tools for scanning for remote access programs on servers?
There are lots of ways to allow for remote access. You can have a web server that executes remote commands, you can have a script that phones home from cron.d, you can have GoToMyPC installed, you can allow remote desktop, you can have a service listening on some random high port with command access, etc., ad infinitum.

Also, not mentioned yet, but also check for local users.
Natty Greg (In Theory (IT)) commented:
OK, if he didn't have access to the firewall, which is the gatekeeper, I wouldn't be too worried. Amidst that, still do the precautions mentioned above. On the other hand, I would force a password change for everyone through AD and log the last 30 known PWs so that users are forced to make new passwords without recycling the old ones.
Permanently remove his account and look for any rogue or suspicious username and PW.

Let your team know it can be documented and have everyone keep an eye out for suspicious activity. Now, unless he has lodged a Trojan on the network to call home, you'll notice unusual excessive resources being used.
Kyle Abrahams (Senior .Net Developer) commented:
@natty - as others have explained if he left a program on the server which makes outbound calls your firewall isn't going to protect you from anything.

I would be extremely worried if he mentions that he left backdoors.

@atrevido - Can you please inform us what role this user had. If he's a programmer there are special considerations to be taken into account. Letting us know what his responsibilities and skillsets were will help us inform you better.
atrevido (Author) commented:
He was a junior administrator who had access to some service accounts, GPO, AD and unfortunately one of those service accounts had domain admin rights; it's a monitoring software account that someone higher up than me foolishly handed out. So, I'll change that password for sure, but that basically means that he could have possibly logged on to any server on the domain. I have 500 users and about 200 servers or so. I have the password list given to him 6 months ago, which I will go ahead and change every one of them. I'm also trying to figure out PowerShell so I can get a list of every single account within our domain with its group membership so I can find anomalies. He was not a programmer, although he is a single guy with too much time on his hands.... No offense to single guys in general.
Kyle Abrahams (Senior .Net Developer) commented:
That's good . . . at least you'll avoid going through major code reviews :-).

At this point I would look for your permission anomalies
Roll all accounts he had access to
Look for any new accounts created since you gave him the domain account
Look for any 3rd party software that enables remote access
Services will take longer to go through but it's not a bad idea to be completely sure.

And also you need to worry about port forwarding.
E.g.: if the rule on the firewall says allow 21 (FTP) and then he forwards 21 to 3389 on the server, he could get at remote desktop.

Conversely if he changes the listening port for RDP to a different port that could also be an issue.
How long did he work there? You can also check for accounts created in that time frame, as a starting point.
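The AD review the author is trying to script above (every account with its group membership, accounts created since the hand-over, and the privileged-group audit suggested earlier), as an added example that is not code from the thread. It assumes the RSAT ActiveDirectory module on a 2008 R2 or later management host, read access to the domain, and that $SinceDate is set to the real hand-over date (the value below is a placeholder).

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module is installed
# and the account running it can read the domain. Output goes to CSV for line-by-line review.
Import-Module ActiveDirectory

$SinceDate  = Get-Date '2013-06-01'   # placeholder: date the departing admin got the domain-admin account
$PrivGroups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators','Account Operators'

# 1. Every user with its direct group membership (group CN only, semicolon separated).
Get-ADUser -Filter * -Properties MemberOf, whenCreated, LastLogonDate, PasswordNeverExpires, Enabled |
    Select-Object SamAccountName, Enabled, whenCreated, LastLogonDate, PasswordNeverExpires,
        @{n='Groups'; e={ ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' }} |
    Export-Csv -NoTypeInformation -Path .\ad-users.csv

# 2. User and computer objects created since the hand-over date (computers derive from objectClass user).
Get-ADObject -Filter { (objectClass -eq 'user') -and (whenCreated -ge $SinceDate) } -Properties whenCreated |
    Select-Object Name, ObjectClass, whenCreated | Sort-Object whenCreated

# 3. Effective (nested) membership of privileged groups; every account listed here needs a password change.
foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{n='Group'; e={$g}}, SamAccountName, objectClass
}

# 4. Service-style accounts: enabled and either never-expiring password or a Kerberos SPN registered.
Get-ADUser -Filter { Enabled -eq $true -and (PasswordNeverExpires -eq $true -or ServicePrincipalName -like '*') } `
    -Properties PasswordNeverExpires, ServicePrincipalName, PasswordLastSet |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet,
        @{n='SPNs'; e={ $_.ServicePrincipalName -join ';' }}
```

Compare the CSV against the password list the author mentions and against group membership from a known-good backup or earlier export; accounts in the privileged list that nobody can explain are the ones to disable first.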
btan (Exec Consultant) commented:
A backdoor is only good if that insider can access it, either remotely or when there is physical access; probably on those machines he had access to there are some strange processes and listening network ports in the background. Normally Remote Access Tools or remote services are required for "easier" reach in the event of no physical "touch" to the system and asset. It is good to disable them or segment them out to only the authorised personnel.

Likewise all accounts, esp. shared and testing accounts, should be removed, esp. those the insider would have leveraged to escalate rights to perform system or power user tasks, even including scheduled tasks that are not known. It may be good to know the trails or audit logs created, assuming they are diligently archived and captured on critical servers. There may also be some dump server and file archive that is holding unknown huge files (encrypted with password); that can be an anomaly if the storage size surges in the following days or months, before and after the insider's existence etc...

I am wondering if there can be cases where he implanted some dongle or USB hardware in the mouse/keyboard in the data center as well, especially those with a wireless interface or power-line based ones that have IP addresses assigned. There is h/w such as Pwnplug that has remote sensor capability...

Just some thoughts.
Rich Rumble (Security Samurai) commented:
If it were me, even when I was pretty green, I'd do the following on a windows machine:
Scheduled task that uses a reverse tunnel. VNC was good at this a long time ago: you could set your VNC to contact an IP on the internet, outside your firewall, and then the IP on the internet took over your computer. There are many of these. You can even do this in Google Chrome; it's called Chromoting. You open Chrome up, install the remote Chrome app, a token is generated, you share that token with someone, and they put it in their browser running the same app, and they take over. You do have to report the token in that case, but that's easy.
LogMeIn is another service you can have running, and there are 400 other such services. Those are desktop apps, like RDP is, which again can call remote assistance (via a task that runs as SYSTEM), or use CLI tunneling, where you get access via a remote shell. You can use meterpreter for that, or thousands of other remote applications.
The possibilities are endless. You need to monitor egress, that's the traffic leaving your network. Everyone locks down ingress, no one locks down egress. Only allow your DNS servers to access the internet on port 53, only allow your mail servers the ability to send to destination ports 110, 25 etc... Deny all ports for IP ranges that belong to your PCs to the internet except 80 and 443. If you know a user needs to get to port 21 or some such, see if you can just allow him/her to do that.
Then you need to audit your processes being executed. You have to log process creation to the event logs and then review them for suspicious exe's.
You should also involve your HR and/or Legal department; the veiled threat is a serious matter, and they can strike more fear into that person than you can. It should be them that makes initial contact.
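The per-host checks raised in this thread (RDP listening port, third-party remote-access software, services, listening ports, scheduled tasks, and whether process-creation auditing is even on), as an added example that is not code from the thread. It assumes an elevated PowerShell session on Windows Server 2012 or later (Get-NetTCPConnection and Get-ScheduledTask do not exist on 2003/2008, where netstat -ano and schtasks /query /v cover the same ground), and $RemoteTools is an assumed, deliberately incomplete keyword list.

```powershell
# Added example, not from the thread. Run elevated on each server; 2012+ cmdlets are used.
$RemoteTools = 'logmein','teamviewer','gotomypc','vnc','ammyy','chrome remote','radmin','dameware'  # assumed list

# 1. RDP listening port: anything other than 3389 was changed on purpose by someone.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber
"RDP listens on port $($rdp.PortNumber)"

# 2. Listening TCP ports with the owning process and its image path (odd high ports stand out here).
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess).ProcessName }},
        @{n='Path';    e={ (Get-Process -Id $_.OwningProcess).Path }} |
    Sort-Object LocalPort -Unique

# 3. Installed software whose display name matches a known remote-access product (32- and 64-bit hives).
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninst -ErrorAction SilentlyContinue |
    Where-Object { $n = $_.DisplayName; $n -and ($RemoteTools | Where-Object { $n -match $_ }) } |
    Select-Object DisplayName, InstallDate, Publisher

# 4. Services whose binary lives outside the Windows or Program Files trees, and the account they run as.
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)' } |
    Select-Object Name, StartName, StartMode, PathName

# 5. Non-Microsoft scheduled tasks and what each one launches (a "phone home" task shows up here).
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object { $t = $_; $t.Actions | Select-Object @{n='Task'; e={$t.TaskName}}, Execute, Arguments }

# 6. Is process-creation auditing enabled? Without it the "suspicious exe" review has nothing to read.
auditpol /get /subcategory:"Process Creation"
```

Run it against a freshly built server of the same role first so you have a clean baseline to diff the 200 production results against.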

btan (Exec Consultant) commented:
This article may interest you on finding backdoors and detecting indicators of compromise and anomaly.
Another good practice is to look routinely at any modification of programs to discover new, odd services or processes. Administration scripts are very useful tools in this regard, particularly when dealing with multiple systems. One might also wish to consider host scanning on your network from time to time. If you suspect that there is an open port on your computer, take a snapshot to check whether it is authorized or not. You may use network, application diagnosis and troubleshooting programs such as TCPview (Fig. 5) [12], FPort [13], Inzider [14], Active Ports (Fig. 6) [15], or Vision [16].
atrevido (Author) commented:
Thanks for all of your feedback and support. I've had all the departments that he interacted with change their login passwords. We've done an AD walk to see if any odd accounts stood out. Found some old crap that we cleaned up and found two accounts called Zero and ZeroPhader which are our suspects. They were disabled. Obviously the VPN is being monitored and we're looking at an IPS. However, at some point the horse is just out of the barn..... right?