Re: Possible Intruder - Help urgently needed

From: x y, mvp (levinson_k@despammed.com)
Date: 02/21/03 

From: "x y, mvp" <levinson_k@despammed.com>
Date: Fri, 21 Feb 2003 08:40:59 -0500

I'm not sure MBSA is enough to help here. I would try this:

http://securityadmin.info/faq.htm#hacked

... followed by these:

http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden

Hacking does not always necessarily result in something malicious or
immediately noticable being done to your computer. Most successful hackers
and viruses naturally want to evade detection, at least until they are done
doing whatever it is they wanted to do, because being detected is bad and
tends to cut off future access to that device.

"Emdee" <mikeDONTSPAM@webheat.co.uk> wrote in message
news:3e550c96$0$14787$afc38c87@news.easynet.co.uk...
> I believe I may have an intruder in my network on 7 Win2K machines (2 of
> which are DCs).
>
> I believe the intruder is doing the following:
> -Modifying the accounts of Administrator and Guest(disabled)
> -Possibly making some Security Policy changes
> -Afterwards clears up by deleting the alters Security Policies from Sysvol
>
> What I need from your guys in some help in working out how they're getting
> in.
> What should I be looking at to find there entry point??
>
> I need this help like yesterday so the quicker the better.
>
> Thanks all
> Mike
>
>