Re: Possible hack?
From: John (email_at_email.com)
Date: 01/29/05
- Next message: HomeNetwork: "Missing "Remember my password" checkbox"
- Previous message: lee hawkins: "Re: Accessing the Internet under with admin. rights..."
- In reply to: Bigbruva: "Re: Possible hack?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 29 Jan 2005 03:59:44 GMT
"Bigbruva" <Richardh@dontusethis.ws> wrote in
news:OIX#QaZBFHA.2788@TK2MSFTNGP15.phx.gbl:
> Okay, so this log was not deleted; it looks more like the Event log
> service has been stopped (which an Admin can do).
> If this service is not running, no event logs will be generated, so
> nothing needs to be deleted. The problem you have is that you have
> given this user full admin rights, so you will find it very difficult
> to track him.
> I am not sure what you think he has "hacked", but turning off the event
> log service does not constitute "hacking".
> If this person has stolen data, find it and use that as proof; if they
> have installed some kind of rootkit or illegal software on the machine
> you may have a case, but without these things you will have trouble
> proving anything.
> You could try simply making this person aware that you have detected
> unusual behavior on their computer and have to reformat and rebuild
> the system (to remove any possible rootkit programs), this time not
> giving them admin rights (for their own security).
> I don't know if this helps (let us know if it does), but other than
> this it sounds like you might have an HR situation to deal with, which
> no one on this newsgroup is going to be able to help you with.
> Good luck
> BB
I agree with what you say, and if we had given him Domain Admin rights,
I can see how he would be able to stop the logging. He doesn't have
admin rights, only domain user rights. If he did get them, domain/group
policy makes sure logging is on and removes local admins from the admin
group on startup. Since there is no local admin, the only way to do
this is hacking the logs. I looked at the log a week or so ago and it
was intact, NO missing dates. I didn't export it then, since we were
still not sure of what was going on. Something came to light Wed and we
wanted to look at the log a little closer and found this. It is not a
matter of stealing data, but more of illegal use of government funds
and unauthorized personal use of software/hardware. This individual has
already hacked the admin password on another machine and messed it up.
When we found out there was something going on, the drive developed a
problem all of a sudden and had to be reformatted (destroying all
evidence). Anyway, management wants to get rid of him, but in a
government job it is kinda hard, unless there is proof of policy
violation; then it is REAL easy!!!!
Thanks again!!!!
John
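The thread turns on one question: was the Event Log service stopped (which Windows records), or were entries removed from an otherwise running log (which shows up only as a gap with no matching service-stop record)? The script below is an added example, not code from either poster, that checks for both on a modern Windows host. It assumes Windows Vista or later with `Get-WinEvent` (the 2005-era machines in the thread would need `Get-EventLog` instead), an administrative session to read the Security log, and an arbitrary gap threshold of 6 hours chosen for the example.

```powershell
# Added example (not from the newsgroup thread): look for evidence that the
# Event Log service was stopped, that the Security log was cleared, and for
# unexplained gaps between consecutive Security-log entries.
# Assumptions: run as an administrator; -ComputerName may point at a remote
# host; the 6-hour gap threshold is an arbitrary value for this example and
# should be tuned to the host's normal activity level.

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$DaysBack = 30,
    [int]$GapThresholdHours = 6
)

$since = (Get-Date).AddDays(-$DaysBack)

# 1. Event Log service start/stop records written to the System log
#    (6005 = "The Event log service was started", 6006 = "... was stopped").
$svcEvents = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'System'
    Id        = 6005, 6006
    StartTime = $since
} -ErrorAction SilentlyContinue

# 2. Security-log records of the log being cleared (1102) or the event
#    logging service shutting down (1100).
$secEvents = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 1100, 1102
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Gaps between consecutive Security-log entries longer than the threshold.
#    Get-WinEvent returns newest first, so sort oldest-first before comparing.
$all = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$gaps = @()
for ($i = 1; $i -lt $all.Count; $i++) {
    $delta = $all[$i].TimeCreated - $all[$i - 1].TimeCreated
    if ($delta.TotalHours -gt $GapThresholdHours) {
        $gaps += [pscustomobject]@{
            GapStart = $all[$i - 1].TimeCreated
            GapEnd   = $all[$i].TimeCreated
            Hours    = [math]::Round($delta.TotalHours, 1)
        }
    }
}

"== Event Log service start/stop (System 6005/6006) =="
$svcEvents | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
"== Security log cleared / logging shut down (Security 1100/1102) =="
$secEvents | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
"== Gaps in the Security log longer than $GapThresholdHours hours =="
$gaps | Format-Table -AutoSize
```

Read the three sections together: a gap that lines up with a 6006/6005 pair is the service being stopped and restarted, as Bigbruva suggests; a 1102 record is an explicit clear; a gap with neither is the situation John describes and warrants an image of the disk rather than further reading of the live log. Because the on-host log is exactly what the poster could no longer trust, the durable fix is to forward events to a collector the user cannot reach, so that a later gap on the workstation can be compared against an untouched copy.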