Re: Possible Intruder - Help urgently needed

From: Daniel Billingsley (dbillingsley@NO.durcon.SPAAMM.com)
Date: 02/20/03


From: "Daniel Billingsley" <dbillingsley@NO.durcon.SPAAMM.com>
Date: Thu, 20 Feb 2003 12:28:26 -0500


Uh... I think I'd start with unplugging the internet connection. Seriously,
if you have that kind of a breach you need to take drastic action immediately
IMO.

Then I'd probably change the administrator password to something strong.

THEN, you can start worrying about the who and where. Maybe get some audit
policies going to track when and where they're attaching, if you haven't
stopped them with the above steps. That is, unless you want to leave your
entire network as a honey pot in attempts at catching them.

"Emdee" <mikeDONTSPAM@webheat.co.uk> wrote in message
news:3e550c96$0$14787$afc38c87@news.easynet.co.uk...
> I believe I may have an intruder in my network on 7 Win2K machines (2 of
> which are DCs).
>
> I believe the intruder is doing the following:
> -Modifying the accounts of Administrator and Guest(disabled)
> -Possibly making some Security Policy changes
> -Afterwards clears up by deleting the altered Security Policies from Sysvol
>
> What I need from you guys is some help in working out how they're getting
> in.
> What should I be looking at to find their entry point??
>
> I need this help like yesterday so the quicker the better.
>
> Thanks all
> Mike
>
>
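The audit-policy approach suggested in the reply, as an added example that is not part of the original thread: once logon and account-management auditing is on, the exported security log can be summarised by account and source so that logons line up with the account and policy changes Mike describes. The tab-separated export layout and the sample entries are constructed assumptions, not real data from the thread.

```python
# Added example (not from the original post): summarise Windows 2000-style
# security audit events exported from Event Viewer as tab-separated text,
# so logons can be correlated with account and policy changes by source.
# Windows 2000 event IDs: 528/540 logon OK, 529 failed, 612 audit policy changed, 642 account changed.
from collections import defaultdict
# Constructed sample; field order (date, time, id, account, source) is assumed.
SAMPLE_LOG = """\
2003-02-19\t23:41:07\t540\tAdministrator\tWS-UNKNOWN
2003-02-19\t23:41:20\t642\tAdministrator\tDC1
2003-02-19\t23:42:02\t612\tAdministrator\tDC1
2003-02-20\t02:13:55\t529\tAdministrator\tWS-UNKNOWN
2003-02-20\t08:15:11\t528\tjsmith\tWS-ACCOUNTS
"""
LOGON_OK = {"528", "540"}
LOGON_FAIL = {"529"}
SENSITIVE = {"612": "audit policy changed", "642": "user account changed"}

def parse(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        date, time, event_id, account, source = parts
        events.append({"when": f"{date} {time}", "id": event_id,
                       "account": account, "source": source})
    return events

def summarise(events):
    """Count logons per (account, source); list sensitive changes."""
    logons = defaultdict(lambda: {"ok": 0, "failed": 0})
    changes = []
    for ev in events:
        key = (ev["account"], ev["source"])
        if ev["id"] in LOGON_OK:
            logons[key]["ok"] += 1
        elif ev["id"] in LOGON_FAIL:
            logons[key]["failed"] += 1
        elif ev["id"] in SENSITIVE:
            changes.append((ev["when"], SENSITIVE[ev["id"]],
                            ev["account"], ev["source"]))
    return dict(logons), changes

if __name__ == "__main__":
    logons, changes = summarise(parse(SAMPLE_LOG))
    for (account, source), c in sorted(logons.items()):
        print(f"{account:<14} from {source:<12} ok={c['ok']} failed={c['failed']}")
    for when, what, account, source in changes:
        print(f"{when}  {what} by {account} on {source}")
```

In the sample, the Administrator logon from an unrecognised workstation immediately precedes the account and audit-policy changes on DC1, which is the kind of correlation that points at an entry point.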