Re: URGENT - Invoke destructive batch files on login
Ghost from DOS is completely (TTBOMK) non-intrusive (it is destructive in
that some stuff doesn't get copied) and does not require login.

I agree that calling one of the forensic crowds would be a good idea; also
local law enforcement (if in AU, don't bother with local police: all computer
crime is handled by the AFP (federal police), last I knew).

Suggest to whatever agency you contact that you would like them to set up a
conference call to the perpetrator, allow him to fix the behaviour he has
implemented.

Oh, and don't 'close remote access'; disconnect the server from any and all
external access. Isolate it. This is a case of 'wirecutters is the best
firewall'.

"ALeghart" <aleghart@xxxxxxxxx> wrote in message
news:1158604004.854542.114040@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Using Ghost to copy drive data is not non-destructive. And, it
requires logging on to the console. Both options are probably not safe
on a compromised computer.

If this incident is as serious as the OP purports, the course of action
should be:
1. data recovery lab
2. lawyer (if experienced)
3. law enforcement

A data recovery lab will have the best methods for taking the server
offline and preserving the data bit by bit, and in a method suitable
for forensic investigation. You shouldn't be futzing with the
equipment. You wouldn't walk up to a bomb and tug on wires or pry open
the detonator. Don't do it with a known compromised machine.

I would suggest calling on Kroll/OnTrack or another company with a
strong background in forensics, recovery, law enforcement chain of
custody protocols. You can talk to a rep and get the ball rolling
quickly.

After you have made proper actions to preserve data and evidence, you
can call the lawyers.

Look at it like this:

1. pull the drowning victim out of the pool first
2. call 911 or 999 for help
3. call your lawyer and/or insurer (underwriter)
Gregg Hill wrote:
Simon,

The first thing to do is to block all remote access to your server. Just
because you cannot log in does not mean that he cannot get into it and
destroy things remotely. Reset your firewall and block all remote access.
Tell your employees not to talk to this guy.

The second thing I would do is contact the local law enforcement
authorities, as his booby trap could be considered a criminal act in some
areas.

The third thing I would do is Ghost the entire server so you have a backup
of data files.

Then, depending upon the type of server and drives you have, I would remove
the drives, place them into an XP Pro system and search the drives for his
booby trap, if in fact it actually exists.

Once you have your full backup via Ghost or other image application, I
recommend a complete re-install of the SBS, since you have no idea if he
left other back doors into your network.

Then prosecute the SOB and his company for cyber crime. Use his email for
proof of his intentions. Sue him into hell.

Gregg Hill
"Simon Gare" <sg@xxxxxxxxxxxxx> wrote in message
news:eCj1Kh02GHA.1256@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,

an ex-contractor has changed the login password for our SBS2003 server;
not only that, but he has added a batch file to invoke if we try to reset
the passwords and log in as administrator, see note below.

Is this possible and is there anyway around this?

Your urgent assistance is greatly appreciated.


Regards
Simon Gare


Nicholas Jaffe wrote

" you want your application back. Don't ask Pipex to recover the
passwords, logging in as Administrator will invoke the startup batch files,
which will put you in an even worse position than you are already in.

Nick"
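Gregg Hill's step of pulling the drives and searching them from another machine for the logon booby trap is the one piece of this thread a practitioner can actually script. The PowerShell below is an added example, not code from anyone in the thread. It assumes (hypothetically) that a working copy of the server's system drive, not the original media, is attached to a current Windows workstation (PowerShell 5) as D:, that the SBS domain is example.local, and that findings go to E:\evidence. It mounts the offline SOFTWARE hive and each profile's NTUSER.DAT under temporary names and lists every logon autostart point, then hashes the files in the startup folders, local and domain GPO script directories, the NETLOGON scripts share and the Tasks folder. Nothing on D: is executed, so a batch file wired to the Administrator logon never gets a chance to run; the offline hive load does write to the hive file, which is why this belongs on a copy and not on evidence the lab has not yet imaged.

```powershell
# Added triage example (not from the thread).  Hypothetical assumptions: a
# working COPY of the SBS2003 system drive is mounted as D:, the domain is
# example.local, output goes to E:\evidence.  Run elevated on PowerShell 5.
# reg.exe load writes to the hive file, so never point this at original media.
$Suspect  = 'D:'
$Evidence = 'E:\evidence'
$Domain   = 'example.local'
$Log      = Join-Path $Evidence 'autostart-triage.txt'
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

function Write-Finding([string]$Where, [string]$What) {
    # One tab-separated line per finding, echoed to the console and the log.
    "$(Get-Date -Format o)`t$Where`t$What" | Tee-Object -FilePath $Log -Append
}

# 1. Mount the offline SOFTWARE hive plus every profile's NTUSER.DAT under
#    temporary names so their Run/Winlogon keys can be read without booting
#    the server (the trap fires at logon, so the server is never logged on to).
$Hives = @{ 'OFF_SOFTWARE' = "$Suspect\WINDOWS\system32\config\software" }
Get-ChildItem "$Suspect\Documents and Settings" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $nt = Join-Path $_.FullName 'NTUSER.DAT'
        if (Test-Path $nt) {
            $Hives['OFF_USER_' + ($_.Name -replace '[^A-Za-z0-9]', '_')] = $nt
        }
    }
foreach ($name in $Hives.Keys) {
    & reg.exe load "HKLM\$name" $Hives[$name] | Out-Null
}

# 2. Registry autostart points that run at logon.  In NTUSER.DAT the same
#    relative keys sit under Software\.
$AutostartKeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce',
    'Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Microsoft\Windows NT\CurrentVersion\Winlogon',   # Userinit, Shell
    'Microsoft\Windows NT\CurrentVersion\Windows'     # Load, Run
)
foreach ($name in $Hives.Keys) {
    $prefix = if ($name -eq 'OFF_SOFTWARE') { '' } else { 'Software\' }
    foreach ($sub in $AutostartKeys) {
        $key = "HKLM:\$name\$prefix$sub"
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not data
            Write-Finding "$name\$prefix$sub" "$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Files that run at logon: startup folders, local GPO scripts, the domain
#    NETLOGON share and GPO script directories (scripts.ini included), and
#    scheduled task .job files.  Hash each so the evidence record is reproducible.
$SysVol = "$Suspect\WINDOWS\SYSVOL\sysvol\$Domain"
$ScriptDirs = @(
    "$Suspect\Documents and Settings\*\Start Menu\Programs\Startup",
    "$Suspect\WINDOWS\System32\GroupPolicy",
    "$SysVol\scripts",
    "$SysVol\Policies",
    "$Suspect\WINDOWS\Tasks"
)
foreach ($dir in $ScriptDirs) {
    Get-ChildItem -Path $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -match '^\.(bat|cmd|vbs|js|exe|ini|job)$' } |
        ForEach-Object {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            Write-Finding 'file' ("{0}`tmtime={1:o}`tsha256={2}" -f $_.FullName, $_.LastWriteTimeUtc, $hash)
        }
}

# 4. Release the hives.  The registry provider can keep a handle open, so
#    collect first or reg.exe unload reports the key as in use.
[gc]::Collect()
foreach ($name in $Hives.Keys) { & reg.exe unload "HKLM\$name" | Out-Null }
Write-Host "Findings written to $Log"
```

Read the log rather than the files: open a suspicious .bat in a text editor, never by double-clicking it. Two logon paths this check cannot see offline are a per-user logon script set on the AD account (the scriptPath attribute lives in ntds.dit) and a service or driver configured in the SYSTEM hive; both are reasons to follow the thread's advice and have the lab image the drives before anything else, and to rebuild the SBS box from scratch afterwards rather than trust a cleaned copy.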