Re: Finding a Hacker
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Sat, 19 May 2007 13:40:06 -0500
"scott" <sbailey@xxxxxxxxxxxxxxx> wrote in message
news:Oir593jmHHA.1624@xxxxxxxxxxxxxxxxxxxxxxx
> One of my clients has a Win 2003 standard PDC with about 10 winXP clients.
> I've had AD setup and been running fine for years. Last week, I was
> sitting at one of the XP clients on the domain and suddenly I got logged
> off and a user "userHacker" logged back in. I had to hit ctrl-alt-delete
> and logged myself back in.
> After about 60 seconds, it happened again. So I cut off access to the net
> and looked at the pc's user profiles and noticed there was a local account
> for "userHacker". I deleted the profile and left the pc offline.
Something CREATED this account so likely the hacker has some
administrator password also -- either on the domain or the local machine.
> I should mention that I have Remote Desktop and pcAnywhere ports open in
> the firewall for this XP machine.
Likely he is using Remote Desktop since that is the one that forces you
off when he logs on remotely.
Why is pcAnywhere on this machine if you have Remote Desktop enabled?
> 1. Is there a log within the PDC AD that would show a record of users that
> logged into the WinXP machine?
You can use Logon Auditing locally or "Account Logon" auditing for domain
authentications.
> 2. How can I determine which port the hacker is coming through?
Likely RDP 3389 and may be others for the initial attack.
You could monitor the machine with NetMon (or the Free WireShark) but
unless you are comfortable with sniffers you might not be able to separate
legitimate access from unauthorized access.
> 3. Although I searched AD's Users and Computers applet, I couldn't find a
> "userHacker" account. I'm assuming the account was a local account on the
> XP machine. Is there any way for him to have created a "hidden" account?
That is where you deleted the account right? Hidden accounts are slightly
possible; they won't be invisible but they may be in odd places on the domain.
And he is being NICE calling it "userHacker" instead of FJones or FredJ or
something innocuous.
> 4. Does "Remote Desktop" keep any type of activity log that would help me?
I believe there is a log but you have to enable it -- not sure but most
things in Windows have a log.
> Any ideas on restricting remote desktop connections by user account or ip
> address would be appreciated.
They already are so restricted -- must be a member of the Remote Users
group which can be set on the Remote Tab of System Control Panel or
in the Computer Manager.
Only Admins are in there by default.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
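An added example, not from Herb's or scott's posts, showing how a defender would act on the answers above in one script: turn on the Logon / Account Logon / account-management auditing, list who is permitted to use Remote Desktop, inventory the local accounts, pull RDP logons and account creations out of the Security log, and scope the RDP firewall opening to known source addresses. It assumes a current Windows version with PowerShell 5.1 run from an elevated prompt; the function names and the address 203.0.113.10 are placeholders chosen for the example. The XP/2003 hosts in the thread record the same facts under the pre-Vista event IDs (528/540 for logons, 624 for account creation); the IDs used here are the Vista-and-later equivalents.

```powershell
# Example script (not from the thread): triage a Windows host that is exposed over RDP.
# Assumes Windows 10 / Server 2016 or later, PowerShell 5.1, run as a local administrator.
# Pre-Vista hosts (the XP/2003 machines in the thread) use event IDs 528/540 and 624
# instead of the 4624/4625 and 4720 queried below.

# 1. Enable the auditing the reply recommends: local "Logon" events, domain
#    "Account Logon" (credential validation) events, and account management events.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Out-Null

# 2. Who may connect over Remote Desktop? Members of "Remote Desktop Users" plus,
#    implicitly, every member of "Administrators".
function Get-RdpAllowedPrincipals {
    $rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    $admins   = Get-LocalGroupMember -Group 'Administrators'
    [PSCustomObject]@{
        RemoteDesktopUsers = @($rdpUsers | Select-Object -ExpandProperty Name)
        Administrators     = @($admins   | Select-Object -ExpandProperty Name)
    }
}

# 3. Every local account, so an unexpected one (the "userHacker" of the thread)
#    stands out together with when it was created and last used.
function Get-LocalAccountInventory {
    Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description
}

# 4. Security-log view of the incident: successful RDP logons (4624 with
#    LogonType 10 = RemoteInteractive), failed logons (4625) and account
#    creations (4720), with the source address and the acting account.
function Get-RdpIncidentEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))   # look-back window, an example default
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4720; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
      ForEach-Object {
          # Flatten the EventData name/value pairs into a hashtable.
          $xml  = [xml]$_.ToXml()
          $data = @{}
          foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
          [PSCustomObject]@{
              Time      = $_.TimeCreated
              Id        = $_.Id
              Account   = $data['TargetUserName']   # who logged on, or the account that was created
              ActorUser = $data['SubjectUserName']  # for 4720: who created it
              LogonType = $data['LogonType']
              SourceIP  = $data['IpAddress']
          }
      } |
      # Keep failures and creations as-is; for successes keep only RDP (type 10).
      Where-Object { $_.Id -ne 4624 -or $_.LogonType -eq '10' }
}

# 5. Restrict the RDP opening by source address (the IP restriction scott asked for):
#    disable the built-in any-source "Remote Desktop" rules and add one that accepts
#    TCP/3389 only from the listed addresses. Remove the pcAnywhere openings separately.
function Set-RdpFirewallScope {
    param([Parameter(Mandatory)][string[]]$AllowedRemoteAddresses)
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'RDP (restricted source)' -Direction Inbound `
                        -Protocol TCP -LocalPort 3389 -RemoteAddress $AllowedRemoteAddresses `
                        -Action Allow | Out-Null
}

# Usage: review first, change the firewall once the legitimate admin source is known.
Get-RdpAllowedPrincipals
Get-LocalAccountInventory | Format-Table -AutoSize
Get-RdpIncidentEvents     | Sort-Object Time -Descending | Format-Table -AutoSize
# Set-RdpFirewallScope -AllowedRemoteAddresses '203.0.113.10'   # placeholder address
```

The event query is the answer to questions 1, 2 and 4 in one place: the 4624/LogonType 10 rows show every RDP session with its source IP, the 4625 rows show the guessing that preceded it, and a 4720 row names both the created account and the account that created it, which is the "which administrator password was used" question the reply raises. On a domain controller the same `Get-WinEvent` call with the "Credential Validation" events enabled answers the domain-side "Account Logon" part.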