Re: Finding a Hacker



Scott,
If that PC has been hacked, you will need to rebuild the whole domain. It's
really a question of whether someone is pulling your leg or you have been
truly hacked.
1) If you have set logging for logon success and failure then the logon
will be in the security log.
2) You can't
3) No. I guess if someone had domain admin rights they may be able to create
an account you couldn't see, but if you thought they may have domain admin
rights you would have to rebuild anyway. Is there a local account on the PC?
4) No.
Your problem is not restricting remote desktop connections. It is what
people are able to do on your domain. Your best case is that users are local
admins of their machines and someone has done this for fun. Your worst case
is that a hacker has found the remote desktop opening and cracked a
password.
Anthony
http://www.airdesk.co.uk




"scott" <sbailey@xxxxxxxxxxxxxxx> wrote in message
news:Oir593jmHHA.1624@xxxxxxxxxxxxxxxxxxxxxxx
One of my clients has a Win 2003 standard PDC with about 10 winXP clients.
I've had AD setup and been running fine for years. Last week, I was
sitting at one of the XP clients on the domain and suddenly I got logged
off and a user "userHacker" logged back in. I had to hit ctrl-alt-delete
and logged myself back in.

After about 60 seconds, it happened again. So I cut off access to the net
and looked at the PC's user profiles and noticed there was a local account
for "userHacker". I deleted the profile and left the PC offline.

I should mention that I have Remote Desktop and pcAnywhere ports open in
the firewall for this XP machine.

1. Is there a log within the PDC AD that would show a record of users that
logged into the WinXP machine?
2. How can I determine which port the hacker is coming through?
3. Although I searched AD's Users and Computers applet, I couldn't find a
"userHacker" account. I'm assuming the account was a local account on the
XP machine. Is there any way for him to have created a "hidden" account?
4. Does "Remote Desktop" keep any type of activity log that would help me?

Any ideas on restricting remote desktop connections by user account or IP
address would be appreciated.
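As an added example (not code from this thread), the Python below shows the check behind Anthony's point 1 and Scott's questions 1 and 2: with logon auditing on, each logon leaves a security-log record whose pre-Vista event ID says success (528/540) or failure (529 and friends), whose logon type 10 marks a Remote Desktop session, and whose source address says where it came from. The log lines, account names, times and addresses are constructed, and the one-record-per-line format is an assumption standing in for an Event Viewer export.

```python
import re
from collections import defaultdict

# XP / Server 2003 security-log event IDs. These records only exist if
# auditing of logon success and failure is enabled, as the reply notes.
SUCCESS_LOGON = {528, 540}          # 528 = successful logon, 540 = network logon
FAILED_LOGON = {529, 530, 531, 532, 533, 534, 535, 537, 539}
RDP_LOGON_TYPE = 10                 # RemoteInteractive = Remote Desktop / Terminal Services

# Constructed sample: security-log records flattened to one line each.
# Hostnames, accounts, times and addresses are made up for this example.
SAMPLE_LOG = """\
2007-04-02 09:14:03 EventID=528 User=XP01\\scott LogonType=2 Source=-
2007-04-02 09:15:10 EventID=529 User=XP01\\userHacker LogonType=10 Source=203.0.113.7
2007-04-02 09:15:41 EventID=529 User=XP01\\userHacker LogonType=10 Source=203.0.113.7
2007-04-02 09:16:02 EventID=528 User=XP01\\userHacker LogonType=10 Source=203.0.113.7
2007-04-02 09:17:30 EventID=528 User=XP01\\userHacker LogonType=10 Source=203.0.113.7
2007-04-02 09:20:15 EventID=540 User=CORP\\backup LogonType=3 Source=192.168.1.5
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) EventID=(?P<id>\d+) User=(?P<user>\S+) "
    r"LogonType=(?P<type>\d+) Source=(?P<src>\S+)$"
)

def parse_events(text):
    """Parse flattened security-log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"time": m["time"], "id": int(m["id"]), "user": m["user"],
                           "type": int(m["type"]), "src": m["src"]})
    return events

def logons_for(text, account):
    """All successful or failed logon records for one account name (domain prefix ignored)."""
    wanted = SUCCESS_LOGON | FAILED_LOGON
    return [e for e in parse_events(text)
            if e["id"] in wanted and e["user"].split("\\")[-1].lower() == account.lower()]

def rdp_sources(text):
    """Map source address -> (failed, succeeded) counts for Remote Desktop (type 10) logons.
    Failures followed by a success from one address is the guessed-password pattern."""
    stats = defaultdict(lambda: [0, 0])
    for e in parse_events(text):
        if e["type"] != RDP_LOGON_TYPE:
            continue
        if e["id"] in FAILED_LOGON:
            stats[e["src"]][0] += 1
        elif e["id"] in SUCCESS_LOGON:
            stats[e["src"]][1] += 1
    return {src: tuple(v) for src, v in stats.items()}
```

On the domain controller the same filter applies to its own security log, which records the domain-account logons Scott asked about in question 1, whereas a local XP account appears only in that workstation's log.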
