Windows 2003 Security Audit: Need help blocking and tracking consistent hacker

Tags: Microsoft Windows Server 2003, SBS, Small Business Server, Small Business Server 2003, Windows Security, Windows Server Security
I've recently taken over as Admin working part-time for a non-profit organization in addition to my full-time job. I quickly discovered that their previous IT had been stealing from them for several years, and now it appears that he has been hacking into the system.

It's been rough keeping him out, since I'm still learning the setup (most of which was done very badly) and he already knows where he left all the holes. This is my first experience with fighting a hacker with this level of knowledge about the system and I'm having a hard time confirming whether or not he's locked out.

Going through the security logs today, I noticed a bunch of entries like this (obviously, I've "removed" the server and domain names and put <> place holders):

    Successful Network Logon:
    User Name: <server name>$
    Domain: <domain name>
    Logon ID: (0x2,0x5ECB50C2)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {ec3ad611-e485-67cc-9b5b-9d607cacd59e}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 192.168.2.222
    Source Port: 2905

I was uncertain why it shows the username as "<server name>$". Also, the "3" indicates a remote login, but the source IP listed is the server's internal IP address and the port number never seems to be the same twice. Is this normal? There are *hundreds* of these, occurring many times per minute going back several weeks. I've also noticed these popping up within the last few days (last plugged a hole to lock him out 4 days ago):

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: *
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: <server name>
    Caller User Name: <server name>$
    Caller Domain: <domain name>
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 2292
    Transited Services: -
    Source Network Address: -
    Source Port: -

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: apple
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: <server name>
    Caller User Name: <server name>$
    Caller Domain: <domain name>
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 2292
    Transited Services: -
    Source Network Address: -
    Source Port: -

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: stupid
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: <server name>
    Caller User Name: <server name>$
    Caller Domain: <domain name>
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 2292
    Transited Services: -
    Source Network Address: -
    Source Port: -


There are about 50 of these over the past three days, each one with a different attempted username. These mostly concern me, since it shows the workstation as being the server itself. This machine does run IIS, but does not have any external websites running on it besides the Exchange Web interface.

Anyone who could provide any help on this, it would be greatly appreciated, since I am just doing this part-time as a courtesy to a non-profit who does great work. I don't want to abandon them, but I also need to start getting more than 3 hours sleep a night :)

Thanks.
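As an added example (not code from the question or from any of the replies): a small Python parser for the text layout of the entries quoted above. It separates the server's own machine-account Kerberos logons from its internal IP, which are routine AD traffic, from the Advapi logon failures, which it groups by Caller Process ID and Caller Logon ID so that one local process feeding many different usernames to LogonUser stands out. The server name, domain and IP in the sample are constructed placeholders.

```python
import re
from collections import defaultdict
# Constructed sample in the text layout shown in the question; server name and IP are placeholders.
SAMPLE_LOG = """Successful Network Logon:
User Name: SBSSRV$
Logon Type: 3
Logon Process: Kerberos
Workstation Name:
Source Network Address: 192.168.2.222
Source Port: 2905

Logon Failure:
User Name: apple
Logon Process: Advapi
Workstation Name: SBSSRV
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2292

Logon Failure:
User Name: stupid
Logon Process: Advapi
Workstation Name: SBSSRV
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2292
"""
def parse_entries(text):
    """Split the export into entries: a dict per entry with 'Event' plus each 'Field: value' line."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        entry = {"Event": lines[0].rstrip(":")}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def is_expected_machine_logon(e, server, server_ip):
    """The server's own machine account (NAME$) authenticating via Kerberos from its own IP is routine."""
    return (e["Event"] == "Successful Network Logon" and e.get("User Name") == server + "$"
            and e.get("Logon Process") == "Kerberos" and e.get("Source Network Address") == server_ip)

def guessing_by_caller(entries, min_names=2):
    """Advapi failures grouped by (Caller Process ID, Caller Logon ID): one local process trying many names."""
    names = defaultdict(set)
    for e in entries:
        if e["Event"] == "Logon Failure" and e.get("Logon Process") == "Advapi":
            names[(e.get("Caller Process ID"), e.get("Caller Logon ID"))].add(e.get("User Name"))
    return {k: sorted(v) for k, v in names.items() if len(v) >= min_names}
```

The PID that comes back is the thing to identify next on the server itself (Task Manager with the PID column shown, or tasklist), since a caller logon ID of (0x0,0x3E7) is the local SYSTEM session rather than any user.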

Answer Wiki


You would need to do a few things: first as protection, and then second is the remediation.

Phase 1)
Download the following tools which may help to clean your environment (free and trial versions):
a) Active Ports
b) GFI Languard
c) ADAudit Plus

Install Active Ports on the server in question.
Install GFI Languard and ADAudit Plus on a laptop that you would use.

Phase 2)
1) Schedule a maintenance window (any time after business hours)
2) On the firewall disable (NOT DELETE) all rules

Phase 3)
Run Active Ports to see what ports are listening and it will show the application associated. This will give you an idea if the program is a legit program at all. If not, remove it.

From the laptop, run GFI Languard not just on your server but on the rest of your environment. It may show you some security holes. Run ADAudit Plus against your domain controller, which will help you see an audit trail and gives you “eyes” on who has “DOMAIN ADMIN” rights that shouldn’t. Besides “administrator” and a 2nd account for you (admin.yourfirstname.yourlastname), no one else should. I would disable accounts that have not been used in, let’s say, 30 days. Obtain a list of all active employees/volunteers to match against AD. The ones that don’t match, disable for now. You can delete them later.

Change the password for administrator (as long as you have another domain admin account available as a backup and for your use only). You should rarely use the “administrator” account.

On the firewall, review the logs to see if you see any “active” connections outbound that normally should not be “active”. You may find an old pc in a dark closet with the freeware version of “logmein” which may be used to get inside the network as well.

Once you do the above steps, you should get a better picture of your environment.

Once you are done with the above, you can re-enable the firewall rules.

Good Luck!

————————————————
Thanks, Aguacer0.

The Administrator account is completely disabled. That was one of the first things I did after the first time I found him in the system. I changed the password first, then disabled the account. I have also already gone through and disabled all users who haven’t logged on in a while.

I’m glad you mentioned LogMeIn, since I had not considered this. There are two ladies (the CFO and Office Manager) who use LogMeIn to access their PCs from home. Odds are, the old IT guy helped them set up these accounts and has the passwords, so I’ll definitely check into that. I’ll also follow the rest of your instructions later tonight and let you know what I find.

I appreciate the detailed answer. I’m actually meeting with a police officer and the DA tomorrow to answer some questions, as the CEO of the company has filed charges against him. I forgot to mention in my original post, but we now know that he has managed to gain physical access to the office by slipping in behind the cleaning crew at night, so part of my concern is that he has installed something on one of the machines to try and get in from inside the network.

I’ll let you know how it turns out. Thanks.

Discuss This Question: 3 Replies

  • Labnuke99
    Check also for any scheduled tasks on this system. There could be some scheduled jobs that run under some authority that you have not found yet. Scan the system too for rootkits that the previous admin may have installed to hide his tools from sight. You can use the Sysinternals RootkitRevealer tool for this. It is also possible that the previous admin just renamed the actual Administrator account to something that appears innocuous and is using that account for his nefarious purposes. You may also see remote logon attempts when a user accesses a server elsewhere but the AD authentication has to go to a remote DC when the local one is not available. Note that source ports are typically non-static. Most applications will use a source port between 1024-65535. So, it is not unusual to see different source ports during a network session.
  • Labnuke99
    Another rootkit detection tool I came across is McAfee's Rootkit Detective. I have not tested it so have no advice but to proceed with caution.
  • Donnacrook68
    Hi, I have all of this too. I'm not on a domain server. I've had my antivirus messed with. I try constantly to stop incoming connections but everything changes back again. I've reinstalled Vista. I have passwords on boot-up, but somehow on reboot it keeps only one password on boot instead of 3, and when I checked, the system date was on 2007. Also my network driver was disabled, and McAfee reports I'm connected to IPv6 where it can't be monitored, and Event Viewer reports secondary logon type 2 and more, and also I'm sharing a printer when I don't have one?? I'm sick and tired of the bas**** now. McAfee reports a trojan but hasn't healed it or anything. Every time I try to get on the net for tools I'm redirected to a shitty old-fashioned looking web page or "server not found". I had history in Internet Explorer when I used to have Firefox, and any antivirus I download has been changed and blocked, as it came from another PC when I downloaded via CNET or Symantec. It's a joke, a bad one at that. I've been into this dude's router with the open network I had connected to previously; I googled the default password and it's admin and admin. He had mine and several others on a DHCP client list. He's got port mapping and a dynamic IP; he can change it to what he wants. The most I could do was put a password on his router to see his reaction, and he locked it for a week and unlocked it again. Even though I haven't connected to his default network since I reinstalled Vista, he's still got control. And what's the network projector all about, and sending packets 300 per second? I'm tearing my hair out. If I could get my hands on the cu*** I'd throttle him. Can you please help me out, pretty please? I'm just a home user with no IT skills and I'm lost how to stop all this ((crying here))