Re: Finding a Hacker
- From: "scott" <sbailey@xxxxxxxxxxxxxxx>
- Date: Sat, 19 May 2007 16:30:24 -0500
Something CREATED this account so likely the hacker has some
administrator password also -- either on the domain or the local machine.
I deleted the account "userHacker" from the XP pc and the account was listed
as "myPC\userHacker" instead of "myDomain\userHacker", so I assumed that it
was just a breach of the XP machine, not the server. However, I only
questioned that because from within Symantec Corporate Anti-Virus, the entry
for that XP machine was listed as "myDomain\userHacker", but that might be
just the way Symantec AV lists the computers and the users.
Why is pcAnywhere on this machine if you have Remote Desktop enabled?
I have pcAnywhere enabled because I used to use it sometimes and RD other
times. I'm going to shut down that port and pcAnywhere just to tighten
things.
You can use Logon Auditing locally or "Account Logon" auditing for domain
authentications.
Do you have any good links to info on how to access and use these auditing
features for AD and the local pc?
Any good links to find out how to use NetMon?
Thanks for your input. I have never used some of the features like Admin
Templates, IPSec, etc. but now realize I'm going to have to learn.
Would IPSec be helpful?
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:%23YGFgUkmHHA.3760@xxxxxxxxxxxxxxxxxxxxxxx
"scott" <sbailey@xxxxxxxxxxxxxxx> wrote in message
news:Oir593jmHHA.1624@xxxxxxxxxxxxxxxxxxxxxxx
One of my clients has a Win 2003 standard PDC with about 10 winXP
clients. I've had AD setup and been running fine for years. Last week, I
was sitting at one of the XP clients on the domain and suddenly I got
logged off and a user "userHacker" logged back in. I had to hit
ctrl-alt-delete and logged myself back in.
After about 60 seconds, it happened again. So I cut off access to the net
and looked at the pc's user profiles and noticed there was a local
account for "userHacker". I deleted the profile and left the pc off line.
Something CREATED this account so likely the hacker has some
administrator password also -- either on the domain or the local machine.
I should mention that I have Remote Desktop and pcAnywhere ports open in
the firewall for this XP machine.
Likely he is using Remote Desktop since that is the one that forces you
off when he logs on remotely.
Why is pcAnywhere on this machine if you have Remote Desktop enabled?
1. Is there a log within the PDC AD that would show a record of users
that logged into the WinXP machine?
You can use Logon Auditing locally or "Account Logon" auditing for domain
authentications.
2. How can I determine which port the hacker is coming through?
Likely RDP 3389 and maybe others for the initial attack.
You could monitor the machine with NetMon (or the free WireShark) but
unless you are comfortable with sniffers you might not be able to separate
legitimate access from unauthorized access.
3. Although I searched AD's Users and Computers applet, I couldn't find a
"userHacker" account. I'm assuming the account was a local account on the
XP machine. Is there any way for him to have created a "hidden" account?
That is where you deleted the account right? Hidden accounts are slightly
possible; they won't be invisible but they may be in odd places on the domain.
And he is being NICE calling it "userHacker" instead of FJones or FredJ or
something innocuous.
4. Does "Remote Desktop" keep any type of activity log that would help me?
I believe there is a log but you have to enable it -- not sure but most
things in Windows have a log.
Any ideas on restricting remote desktop connections by user account or ip
address would be appreciated.
They already are so restricted -- must be a member of the Remote Users
group which can be set on the Remote Tab of System Control Panel or
in the Computer Manager.
Only Admins are in there by default.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
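Scott asks above how to actually use the logon auditing Herb recommends. The script below is an added example, not code from either poster: it correlates the Security-log events that "Audit logon events" and "Audit account management" produce (Local Security Policy, Local Policies > Audit Policy, on the XP box and the domain controller) into the story scott is trying to reconstruct: a burst of failed Remote Desktop logons from one address, a successful logon, a new local account, its addition to the Remote Desktop Users group, and the new account's own logons. The event records are constructed for the example; the field names follow the event descriptions but the dict layout is our own, so a practitioner exporting from Event Viewer (or pulling with dumpel / PowerShell) would adapt `ev()` to that format. The LAN allowlist `OFFICE_LAN` is likewise an assumption.

```python
"""Correlate Windows Security-log entries around a suspicious Remote Desktop logon.

Event IDs (Windows XP / Server 2003 numbering, with the Vista / Server 2008+ equivalents):
  528, 540 / 4624  successful logon  (Logon Type 10 = RemoteInteractive, i.e. Remote Desktop)
  529      / 4625  failed logon
  624      / 4720  user account created
  636      / 4732  member added to a security-enabled local group
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Map the 2003-era IDs onto the newer numbering so one set of rules serves both logs.
LEGACY_TO_MODERN = {528: 4624, 540: 4624, 529: 4625, 624: 4720, 636: 4732}
LOGON_OK, LOGON_FAIL, ACCOUNT_CREATED, GROUP_MEMBER_ADDED = 4624, 4625, 4720, 4732
RDP_LOGON_TYPE = 10  # RemoteInteractive: Remote Desktop / Terminal Services


def ev(time, event_id, user, domain="myPC", logon_type=None, src=None, target=None, group=None):
    """One constructed record; 'user' is the account performing the action, 'target' the account acted on."""
    return {"time": datetime.strptime(time, "%Y-%m-%d %H:%M:%S"),
            "id": LEGACY_TO_MODERN.get(event_id, event_id), "user": user, "domain": domain,
            "logon_type": logon_type, "src": src, "target": target, "group": group}


SAMPLE_EVENTS = [  # constructed sample, not a real export
    ev("2007-05-12 14:02:11", 529, "Administrator", logon_type=10, src="203.0.113.7"),
    ev("2007-05-12 14:02:40", 529, "Administrator", logon_type=10, src="203.0.113.7"),
    ev("2007-05-12 14:03:05", 529, "Administrator", logon_type=10, src="203.0.113.7"),
    ev("2007-05-12 14:03:41", 528, "Administrator", logon_type=10, src="203.0.113.7"),
    ev("2007-05-12 14:05:02", 624, "Administrator", target="userHacker"),
    ev("2007-05-12 14:05:09", 636, "Administrator", target="userHacker", group="Remote Desktop Users"),
    ev("2007-05-12 14:06:30", 528, "userHacker", logon_type=10, src="203.0.113.7"),
    ev("2007-05-13 08:30:00", 528, "scott", domain="myDomain", logon_type=2),            # console logon
    ev("2007-05-13 12:15:00", 528, "scott", domain="myDomain", logon_type=10, src="192.168.1.50"),
]

OFFICE_LAN = ("192.168.1.",)  # assumed allowlist of source-address prefixes for RDP


def rdp_logons(events):
    """Successful Remote Desktop logons as (time, DOMAIN\\user, source address)."""
    return [(e["time"], f'{e["domain"]}\\{e["user"]}', e["src"])
            for e in events if e["id"] == LOGON_OK and e["logon_type"] == RDP_LOGON_TYPE]


def rdp_logons_from_outside(events, allowed_prefixes):
    """RDP logons whose source address is not on the allowlist (or is missing)."""
    return [r for r in rdp_logons(events) if not str(r[2]).startswith(tuple(allowed_prefixes))]


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Source addresses with >= threshold failed logons inside any `window`: password guessing."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == LOGON_FAIL and e["src"]:
            by_src[e["src"]].append(e["time"])
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[src] = len(times)
                break
    return bursts


def account_lifecycle(events):
    """For every account created in the log: who created it, groups it was added to,
    and every successful logon it made afterwards (ties 624, 636 and 528 together)."""
    story = {}
    for e in events:
        if e["id"] == ACCOUNT_CREATED:
            story[e["target"]] = {"created_by": f'{e["domain"]}\\{e["user"]}',
                                  "created_at": e["time"], "groups": [], "logons": []}
    for e in events:
        if e["id"] == GROUP_MEMBER_ADDED and e["target"] in story:
            story[e["target"]]["groups"].append(e["group"])
        elif e["id"] == LOGON_OK and e["user"] in story and e["time"] > story[e["user"]]["created_at"]:
            story[e["user"]]["logons"].append((e["time"], e["logon_type"], e["src"]))
    return story


def investigate(events, allowed_prefixes):
    """Full report: off-LAN RDP logons, guessing sources, and the lifecycle of new accounts."""
    return {"outside_rdp": rdp_logons_from_outside(events, allowed_prefixes),
            "guessing_sources": failed_logon_bursts(events),
            "new_accounts": account_lifecycle(events)}


if __name__ == "__main__":
    report = investigate(SAMPLE_EVENTS, OFFICE_LAN)
    for when, who, src in report["outside_rdp"]:
        print(f"{when}  RDP logon by {who} from {src} (not on the LAN allowlist)")
    for src, n in report["guessing_sources"].items():
        print(f"{src}: {n} failed logons in a short burst before the first success")
    for acct, s in report["new_accounts"].items():
        print(f"{acct}: created by {s['created_by']} at {s['created_at']}, "
              f"added to {s['groups']}, later logons {s['logons']}")
```

Two things the sample shows that the thread only hints at: the Source Network Address on the type-10 logon is what lets you answer "which port / from where" without a sniffer, and the 624/636 events name the account that did the creating, which is the quickest way to learn whether the compromised credential is a local Administrator or a domain one. If the 529 burst shows up against the domain controller's log under "Audit account logon events" rather than only on the XP box, the guessed password was a domain account.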