Possible hack - Portable profile found in a Windows 2K Pro SP1 station..
From: Jorge Roxo (j.roxo@sotagus.pt) Date: 02/05/02
- Previous message: garberoa@WellsFargo.COM: "RE: TCP/IP Filtering problem on W2KAS"
- Next in thread: Jorge Roxo: "RE: RE: Possible hack - Portable profile found in a Windows 2K Pro SP1 station.."
- Reply: Jorge Roxo: "RE: RE: Possible hack - Portable profile found in a Windows 2K Pro SP1 station.."
- Reply: Pascal Longpre: "RE: RE: Possible hack - Portable profile found in a Windows 2K Pro SP1 station.."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Jorge Roxo" <j.roxo@sotagus.pt> To: "Focus-Ms" <focus-ms@securityfocus.com> Date: Tue, 5 Feb 2002 08:46:57 -0000
We have found that one of our machines, that was used for a PCAnywhere
connection for a determinate person and purpose now contains a portable
user profile. This user profile had also been stored in our domain
servers. After speaking to the person who was allowed to use this
pcanywhere logon ( it was encrypted, had password and user name logon
request and was using all security measures we could think of. This
connection was done through a modem to a non-public phone number) he
said that it wasn't his profile. We checked to see and it was not a user
on our systems.
The profile had managed to get itself inserted as local administrator of
the machine in question, but had managed to go no further. We are
concerned because this looks like a serious breach of our security. The
PCAnywhere version is the 10.0 with all updates made, and the machine OS
is Windows 2000 Professional ( it has not got messenger or netmeeting
installed, nor irc or icq ) with service pack 1 ( we cannot upgrade to
SP2 due to specific software requirements for that particular machine ).
How could this happen? We thought we had taken every measure possible to
ensure that nothing would get through, unless we would allow it. The
setup of PCAnywhere included the option of disconnecting the user after 3
minutes if logon failed which is the best PCAnywhere has to offer in
that sense, and I had set a connection timeout for idle to 30 seconds
delay, so that the connection would timeout if nothing passed through it
for more than 30 seconds, thus closing it and resetting the host to
await next call.
We are extremely concerned for, though the machine was not an important
one, and did not have any sensitive information, we fear the breach of
security may have gone further than we are able to see right now.
What else would we need to check? I've checked all system logs, event
logs, services logs, security logs and nothing is shown. It couldn't
have been an "inside job" since the machine is in a locked room to which
only the 2 of the IT staff have access ( electronic locks etc... ). We
are otherwise firewalled, but not this one connection...
I realize we left a backdoor open.. And feel pretty stupid about this..
But where else can I track info on what really happened? Any ideas?
Thnx in advance.
Jorge Roxo,
TCSA/Sotagus Computer Systems Administrator
-------------------------------------------
This e-mail is confidential and privileged. If you are not the intended
recipient please accept our apologies. Do not disclose, copy or
distribute information in this e-mail or take any action in reliance to
its contents, to do so is strictly prohibited and may be unlawful.
Please inform us that this message has gone astray before deleting it.
Thank you for your co-operation.
-------------------------------------------
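The question above is what else to check after an unknown profile turns up as a local administrator. The following triage script is an added example, not part of the original post and not from Symantec or Microsoft: it lists local Administrators members and the profiles registered in ProfileList, flags anything not on a defender-supplied allowlist (the allowlist and the account names in it are constructed), and pulls recent account-management audit events. It assumes a supported Windows host with PowerShell 5.1 or later; the original machine ran Windows 2000, where the equivalent events were numbered differently.

```powershell
# Added triage script (not from the original post): enumerate local admins and
# registered profiles, flag entries outside an allowlist, show audit events.
# Assumes PowerShell 5.1+ on a supported Windows host; allowlist is constructed.

$Expected = @('Administrator', 'pcaoperator')   # constructed: accounts that should be present

# 1. Local Administrators membership via ADSI (no extra modules required)
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

# 2. Profiles registered on the host. A profile whose SID no longer resolves is an
#    orphan (account created, used, then deleted) and deserves a closer look.
$profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profiles = Get-ChildItem $profileKey |
    Where-Object { $_.PSChildName -notmatch '^S-1-5-(18|19|20)$' } |   # skip SYSTEM / LOCAL SERVICE / NETWORK SERVICE
    ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
        $acct = try {
            (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value
        } catch { '<orphaned>' }
        [pscustomobject]@{ Sid = $sid; Account = $acct; Path = $path }
    }

"== Local Administrators not on the allowlist =="
$admins | Where-Object { $Expected -notcontains ($_ -replace '^.*\\') }

"== Profiles that are orphaned or belong to accounts not on the allowlist =="
$profiles | Where-Object {
    $_.Account -eq '<orphaned>' -or $Expected -notcontains ($_.Account -replace '^.*\\')
} | Format-Table -AutoSize

# 3. Recent account-management events, present only if auditing was enabled:
#    4720 = user account created, 4732 = member added to a security-enabled local group
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

If the Security log is empty for these IDs, account-management auditing was not enabled at the time, which matches the poster's observation that the logs showed nothing; enabling it is the first change to make on any host that accepts remote logons.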