Finding a Hacker
- From: "scott" <sbailey@xxxxxxxxxxxxxxx>
- Date: Sat, 19 May 2007 12:49:44 -0500
One of my clients has a Win 2003 standard PDC with about 10 winXP clients.
I've had AD set up and running fine for years. Last week, I was sitting
at one of the XP clients on the domain and suddenly I got logged off and a
user "userHacker" logged back in. I had to hit Ctrl-Alt-Delete and log
myself back in.

After about 60 seconds, it happened again. So I cut off access to the net
and looked at the PC's user profiles and noticed there was a local account
for "userHacker". I deleted the profile and left the PC offline.

I should mention that I have Remote Desktop and pcAnywhere ports open in the
firewall for this XP machine.

1. Is there a log within the PDC AD that would show a record of users that
logged into the WinXP machine?
2. How can I determine which port the hacker is coming through?
3. Although I searched AD's Users and Computers applet, I couldn't find a
"userHacker" account. I'm assuming the account was a local account on the XP
machine. Is there any way for him to have created a "hidden" account?
4. Does "Remote Desktop" keep any type of activity log that would help me?

Any ideas on restricting remote desktop connections by user account or IP
address would be appreciated.