Re: Internal Hacker

From: Karl Levinson [x y] (MVP) <levinson_k@excite.com>
Date: Wed, 16 Oct 2002 16:28:03 -0400


With the logs deleted, I can't think of too many good ways to track down
this user. You could check the local hard drives, local temporary folders
and local event logs on some of the workstations to see if this person left
any clues behind.

If this person was foolish, he or she may have downloaded some of the
hacking tools from the internet at work, or the tools may still be on his or
her hard drive. There are a number of tools that can delete Windows event
log files and crack SAM / LAN Manager style password hashes. You might
search the hard drives across the network, or if you have a proxy server,
see if anyone visited any hacker sites or file names. Using a trojan
scanner such as www.pestpatrol.com installed on one or two computers might
help detect a variety of cracking tools on hard drives by scanning across
the network. Installing a network-based NIDS such as Snort might detect
some suspicious activity.

Since you believe the permissions are set correctly and securely on the
folder, my guess is that this person may have cracked the password on an
administrator-equivalent account that has permission to that folder, in
which case the logs still wouldn't tell you who was using that account. One
way to crack LM hashes is to collect them using a sniffer, and there are a
variety of scanning tools out there that can help detect a computer where
the network card is currently in promiscuous mode.

You might also inspect some of the file and network permissions to see if
this person added any permissions for his or her account, and look for new
accounts to see if the user returns to re-use that account.

It's hard to protect yourself against someone who has administrator
privileges, so you also probably want to change the passwords on all such
accounts, change the LM compatibility setting to avoid sending LM hashes
across the network, install all patches, secure your systems per the
checklists at www.microsoft.com/security, use antivirus and trojan scanners,
etc.

Consider sending your Windows event logs to a secure computer running a
syslog client. I think one program that will let you do this is called
NTSYSLOG. This might help prevent your logs from being deleted again, as
long as you can keep that computer secure, don't connect it to the domain,
keep it locked up and keep its existence a secret.

The date and name information you have may or may not be reliable, depending
on how the file was put there. I think the date and the name themselves may
be useful in determining whether the information is reliable, e.g. by
asking, "could this person possibly have done the intrusion and on this
date?"

I'm afraid many of these things will only help if the person does something
like this again, but hopefully knowing one possible scenario of how it may have
happened [sniff LM hashes, log in as an administrator equivalent, use a tool
to delete the log files, etc.] will be of some help in finding the person
and/or increasing your security.

"Dan" <hecar50@hotmail.com> wrote in message
news:467901c2754b$c3320f30$36ef2ecf@tkmsftngxa12...
> I had a situation & am looking for help.
>
> An employee at my site got into a secure user directory
> and posted sensitive information on a public drive on our
> network. They also printed a copy & placed it on a
> manager's desk.
>
> We are currently on NT 4.0 Server. The application log &
> system log have a week of entries deleted (the week of the
> incident) and the security log was deleted entirely.
>
> These were Excel spreadsheets that were compromised. I
> found one still on the network & know the date, time &
> name of user to last save it.
>
> Several questions? Does the name in the properties of the
> excel file just tell the login that was used?
>
> We do not have a print server setup, so I can't check that
> either.
>
> Looking for suggestions to try to trace what user did this.
> Any ideas and/or suggestions would be greatly appreciated.
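Added example, not code from either poster or from NTSYSLOG: once NT security-log entries are forwarded to a remote syslog collector as the reply suggests, a small parser can flag the events that would have exposed the scenario described (a new account, its addition to Administrators, the audit log being cleared) even after the local log is wiped. The line format below is a constructed simplification, not NTSYSLOG's actual output; event IDs 517, 624 and 636 are the NT 4.0 security IDs for those three events.

```python
import re
from collections import Counter

# Constructed sample of NT 4.0 security-log entries as they might arrive at
# a remote syslog collector. The layout is an assumption for this example:
#   <pri>timestamp host security[<type>] <event id> <account> <message>
SAMPLE_SYSLOG = """\
<13>Oct 14 08:02:11 FILESRV1 security[success] 528 jdoe Successful Logon
<13>Oct 14 22:41:03 FILESRV1 security[success] 624 Administrator User Account Created: svc_backup2
<13>Oct 14 22:41:09 FILESRV1 security[success] 636 Administrator Security Enabled Local Group Member Added: svc_backup2 -> Administrators
<13>Oct 14 22:55:40 FILESRV1 security[success] 517 svc_backup2 The audit log was cleared
<13>Oct 15 07:59:58 FILESRV1 security[success] 528 jdoe Successful Logon
"""

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"security\[(?P<type>\w+)\] (?P<eid>\d+) (?P<user>\S+) (?P<msg>.*)$"
)

# NT 4.0 security event IDs that matter in this scenario
WATCHED = {
    517: "audit log cleared",
    624: "user account created",
    636: "member added to local group",
}

def parse(line):
    """Split one forwarded line into its fields, or None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["eid"] = int(rec["eid"])
    return rec

def alerts(text):
    """Return (timestamp, host, account, reason, message) per watched event."""
    out = []
    for line in text.splitlines():
        rec = parse(line)
        if rec and rec["eid"] in WATCHED:
            reason = WATCHED[rec["eid"]]
            # Escalate the generic group-change reason when the target is Administrators
            if rec["eid"] == 636 and "Administrators" in rec["msg"]:
                reason = "member added to Administrators"
            out.append((rec["ts"], rec["host"], rec["user"], reason, rec["msg"]))
    return out

def actors(text):
    """Accounts that performed watched actions, most active first."""
    return Counter(a[2] for a in alerts(text)).most_common()
```

Because the collector keeps its own copy, clearing the workstation's log (event 517) becomes evidence rather than a dead end, and the account that created and elevated the new user is the one to start with.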