Re: Possible Intruder - Help urgently needed

From: Emdee (mikeDONTSPAM@webheat.co.uk)
Date: 02/20/03


From: "Emdee" <mikeDONTSPAM@webheat.co.uk>
Date: Thu, 20 Feb 2003 17:41:31 -0000


Well that's the thing, nothing malicious seems to have been done, hence the
"Possible" in the subject line.

It's possibly happened before, the only destructive thing is the policies
being deleted.

Other than that all seems well.

"Daniel Billingsley" <dbillingsley@NO.durcon.SPAAMM.com> wrote in message
news:ORSa7VQ2CHA.2188@TK2MSFTNGP09.phx.gbl...
> Uh... I think I'd start with unplugging the internet connection. Seriously,
> if you have that kind of a breach you need to take drastic action immediately
> IMO.
>
> Then I'd probably change the administrator password to something strong.
>
> THEN, you can start worrying about the who and where. Maybe get some audit
> policies going to track when and where they're attaching, if you haven't
> stopped them with the above steps. That is, unless you want to leave your
> entire network as a honey pot in attempts at catching them.
>
> "Emdee" <mikeDONTSPAM@webheat.co.uk> wrote in message
> news:3e550c96$0$14787$afc38c87@news.easynet.co.uk...
> > I believe I may have an intruder in my network on 7 Win2K machines (2 of
> > which are DCs).
> >
> > I believe the intruder is doing the following:
> > -Modifying the accounts of Administrator and Guest(disabled)
> > -Possibly making some Security Policy changes
> > -Afterwards clears up by deleting the altered Security Policies from Sysvol
> >
> > What I need from you guys is some help in working out how they're getting
> > in.
> > What should I be looking at to find their entry point??
> >
> > I need this help like yesterday so the quicker the better.
> >
> > Thanks all
> > Mike
> >
> >
>
>
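Daniel's suggestion to "get some audit policies going to track when and where they're attaching" is the part of this thread that can be shown concretely. The following is an added example, not code from anyone in the thread; it assumes a current Windows domain controller with PowerShell and `auditpol` (the Win2K boxes discussed here predate both), and it ties account and audit-policy changes like the ones Mike describes back to the logon session, and therefore the source host and address, that made them.

```powershell
# Added example (not from the thread). Enable the audit subcategories that would
# record account edits and policy changes, then correlate those events with the
# logon that performed them to answer "who, when and from where".
# Run from an elevated prompt on the DC.

# 1. Make sure the relevant subcategories are actually being recorded.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change"    /success:enable /failure:enable
auditpol /set /subcategory:"Logon"                  /success:enable /failure:enable

# 2. Pull the last week of account changes (4738 = user account changed,
#    4724 = password reset attempt), audit policy changes (4719) and logons (4624).
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4738, 4724, 4719, 4624; StartTime = $since }

# Helper: flatten an event's EventData <Data Name="..."> elements into a hashtable.
function ConvertTo-EventDataTable($evt) {
    $xml = [xml]$evt.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Index logon events by TargetLogonId so a change can be mapped to its session.
$logons = @{}
foreach ($e in ($events | Where-Object Id -eq 4624)) {
    $d = ConvertTo-EventDataTable $e
    $logons[$d.TargetLogonId] = $d
}

# 3. Report each account/policy change with the session, host and IP behind it.
$events | Where-Object Id -ne 4624 | ForEach-Object {
    $d   = ConvertTo-EventDataTable $_
    $src = $logons[$d.SubjectLogonId]
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Actor     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Target    = $d.TargetUserName                     # empty for 4719
        FromHost  = if ($src) { $src.WorkstationName } else { '(no matching logon in window)' }
        FromIp    = if ($src) { $src.IpAddress }       else { '' }
        LogonType = if ($src) { $src.LogonType }       else { '' }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

A change whose actor is Administrator but whose FromHost or FromIp is not one of the seven known machines is the kind of row this thread was looking for; an empty Target with EventId 4719 is an audit policy being altered, which matters because that is exactly what would be turned off before the Sysvol cleanup Mike describes.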
