dankyle67
always up software installed by outside user
Hi, just yesterday 2 of our users in our west coast office had an icon installed on their desktop for the Always Up software by Core Technologies Consulting, but they didn't install it. They then said a user called welk was logged into their PCs remotely and their webcam was turned on.
I checked Active Directory users and sure enough the user welk was there and had admin privileges, but nobody internally created that user. Is the Always Up software legitimate? Also, these users have started using Dropbox recently and have been sharing files with China, so could that be of any significance? When I researched the software it mentioned people use it with Dropbox. Thanks
ASKER
OK, I disabled the welk account and uninstalled the Always Up software, but if someone was trying to compromise the network then wouldn't they try to do it without alerting the users? The Always Up software asked the user to allow it to run on Windows, so this is why the users were aware something was not right. Going back to Dropbox, would it be possible that the compromise or intrusion access from an external source was obtained via Dropbox indirectly? Any suggestions on software or methods to try to prevent these types of security breaches besides firewalls? Also, are there any system logs I should be checking for the past few days' activity related to this breach?
ASKER
Sounds good especially about application whitelisting.
ASKER
OK, will check that out, but won't be able to respond till later today. Thanks so far.
ASKER
Hi again, they already uninstalled Always Up and will monitor the rest of the week for any other suspicious activity. Thanks for all the help.
Keep us posted with any new developments.
Always Up auto-starts any app that you configure it to run at boot time. It also restarts it if you kill it or if it crashes. Open it and see how it's configured and which file it runs. I am assuming at this point that your network is compromised and Always Up runs something that gives them always-on access.
The fact that you mentioned China should ring alarm bells.
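Two things in this thread call for the same triage pass: the asker's question about which system logs cover the last few days, and the expert's advice to open Always Up and see which file it runs. The following PowerShell script is an added example, not something posted in the thread or shipped by Core Technologies Consulting. It assumes it is run elevated on one of the affected PCs, that the rogue account is named welk, that Always Up registers each managed application as an ordinary Windows service (so the service list reveals what it launches), that the Security log has not rolled over, and that the RSAT ActiveDirectory module is available for the final domain lookup. The event IDs used are the standard Windows Security log IDs: 4720 (user account created), 4728/4732 (member added to a global/local security group), 4624 (successful logon; logon type 10 is RemoteInteractive, i.e. RDP).

```powershell
# Added triage script (example, not from the original thread).
# Assumptions: run as administrator on an affected workstation; suspect
# account is 'welk'; Security log still holds the last few days.
$Suspect = 'welk'
$Since   = (Get-Date).AddDays(-7)

Write-Host "== 1. Services whose binary lives outside Windows / Program Files =="
# Always Up runs its managed app as a Windows service, so the service table
# shows which executable it relaunches at boot and after a crash.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)' } |
    Select-Object Name, StartMode, State, StartName, PathName |
    Format-Table -AutoSize -Wrap

Write-Host "== 2. Other persistence: scheduled tasks and Run keys =="
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
    Select-Object TaskName, TaskPath,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-Table -AutoSize -Wrap
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
    ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue }

Write-Host "== 3. Local Administrators group on this machine =="
Get-LocalGroupMember -Group 'Administrators' | Format-Table -AutoSize

Write-Host "== 4. Security log: creation, group changes and logons mentioning $Suspect =="
$filter = @{ LogName = 'Security'; StartTime = $Since; Id = 4720, 4728, 4732, 4624 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Suspect } |
    ForEach-Object {
        # For 4624 the property layout is fixed: [8] = LogonType, [18] = IpAddress.
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            LogonType = if ($_.Id -eq 4624) { $_.Properties[8].Value }  else { $null }
            SourceIP  = if ($_.Id -eq 4624) { $_.Properties[18].Value } else { $null }
        }
    } | Sort-Object Time | Format-Table -AutoSize

Write-Host "== 5. Domain view of the account (requires RSAT ActiveDirectory module) =="
# Shows when the account appeared, when it last logged on, and which groups
# gave it admin rights; run from a box that can reach a domain controller.
Get-ADUser -Identity $Suspect -Properties whenCreated, LastLogonDate, MemberOf -ErrorAction SilentlyContinue |
    Select-Object SamAccountName, Enabled, whenCreated, LastLogonDate, MemberOf |
    Format-List
```

Run step 4 on the domain controller as well: account creation (4720) and group membership changes (4728/4732) are logged where they happened, so the workstation log alone will usually show only the logons. A 4624 with LogonType 10 from an unexpected source IP is the entry that corresponds to the users' report of welk being logged in remotely; note the IP before the logs roll over.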