
Help! I have an internal hacker! Looking for tools/utilities


zaresa (IS-IT--Management), Apr 9, 2002
I have a person on staff that is deleting DNS servers, user files and generally tweaking with anything that can make me and the other admin look bad. We've begged our boss to fire this guy but unfortunately all of the evidence is circumstantial. It also doesn't help that my boss is childhood friends with this guy.

I've run Pest Patrol on some of our servers which has shown the existence of password cracking trojan horses in addition to A LOT of other suspicious code. I suspect that he is using other tools that Pest Patrol is not even detecting. Also, this guy has full Administrator rights to the entire domain. Without going into too much detail, I will not be able to change this until our domain breaks away from our parent company at the end of the month.

I am looking for two things:

1. A REALLY powerful tool that monitors the entire network (not just the servers it is installed on) for malicious/hacking/cracking code.

2. A tool that can be installed on NT4 and 2000 servers that will check the registry and clean up any garbage much like Norton Utilities does on the client side.

My goal is to have a really secure and clean network once we get our own domain.

Any help would be greatly appreciated.
 
Well for option one, Snort is a great IDS (Intrusion detection system). Check it out at it’s open source and free!

I would also look to auditing his account; you can turn that on and make sure you get the log files before he accesses them.

For option 2, look to reloading the system and setting up a standard security baseline. A great tool to monitor changes in the OS, files, registry, etc. is Tripwire. Check it out here
hth
pat
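The Tripwire-style approach suggested above (take a baseline, then report what changed) is easy to illustrate. The following is an added example, not Tripwire's code or anything from this thread: it hashes every file under a directory into a baseline and later diffs a fresh scan against it to list added, removed and modified files. The sample tree (a `dns/zone.dns` file and a `users/report.doc` file) is constructed inside a temporary directory for the demo, and the tampering it simulates is assumed, not taken from the poster's environment.

```python
"""Tripwire-style file integrity check (added example, not Tripwire itself).

Build a baseline of SHA-256 digests and permission bits for every file under a
root, save it somewhere the monitored host's admins cannot rewrite it, and
later compare a new scan against it to report added, removed and modified files.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's root-relative POSIX path to its digest, size and mode."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            stat = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": stat.st_size,
                "mode": stat.st_mode,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or changed content/permissions."""
    known, seen = set(baseline), set(current)
    modified = sorted(
        rel for rel in known & seen
        if baseline[rel]["sha256"] != current[rel]["sha256"]
        or baseline[rel]["mode"] != current[rel]["mode"]
    )
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": modified,
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline as JSON; keep this copy off the monitored host."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dns").mkdir()
        (root / "dns" / "zone.dns").write_text("example.com. IN A 192.0.2.10\n")
        (root / "users").mkdir()
        (root / "users" / "report.doc").write_text("quarterly numbers\n")

        baseline = build_baseline(root)
        store = root / "baseline.json"  # demo only; in practice store elsewhere
        save_baseline(baseline, store)

        # Simulated tampering (constructed): a zone file deleted, a document
        # edited, and an unknown executable dropped into a user directory.
        (root / "dns" / "zone.dns").unlink()
        (root / "users" / "report.doc").write_text("quarterly numbers (edited)\n")
        (root / "users" / "new.exe").write_bytes(b"MZ")
        store.unlink()  # exclude the baseline file itself from the rescan

        return compare(load_baseline_from(baseline), build_baseline(root))


def load_baseline_from(baseline: dict) -> dict:
    """Round-trip through JSON so the comparison uses the stored form."""
    return json.loads(json.dumps(baseline))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The thread's point about getting log files before the suspect does applies equally here: a baseline kept on a server the suspect administers can simply be regenerated after the tampering, so write it to read-only media or a host he has no rights on, and treat `mode` changes (permissions loosened on DNS or user files) as seriously as content changes.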
 
First, lock down everything. Don't give them delete privileges for the DNS files, etc. Yes, this is a pain but it's the best way to protect yourself.

Make sure all your servers have all the current security patches. This will seal many of the holes in Win NT 4.0 and not allow your mischievous user to start deleting things without your knowledge.

Last, you have an idea when this stuff is happening and from what machine? A good old fashioned packet sniffer will do the trick.

If your boss doesn't want to do anything about it, alert upper management if you need to and have them bring in the police. Many police departments in larger areas have contacts with their local USSS office and they have some very nice forensic investigation equipment.
 
you might also build a "honeypot", a seemingly defenseless machine designed to show who's doing what... look to CERT and etc. for more advice... must be careful not to trample on or tamper with potential evidence yourself... good luck... Setnaffa is an MCSE-4.0 (working on W2K) with a few other certs, too...
 
HI.

I suggest that you notify all users and then power off all the servers, until this issue is solved.

Then disconnect servers from the wire, and backup everything.

Then rebuild the system from scratch, creating a new domain.

Any other solution seems too partial for your scenario.

Yes, I know that these suggestions are naive.

Your boss has superiors above him right? If so, let them know about this.

Bye

Yizhar Hurwitz
 
Implement User policies, and lock everybody down. If you can run Terminal Services and force everyone to use TS clients, so much the better.

If everyone knows who is responsible for all the sudden loss of privileges then Office Politics will do the rest of the job for you...

/removes BOFH hat CitrixEngineer@yahoo.co.uk
 
Hi friend,

It's not easy dealing with a staff who's been a favorite of the boss. What you need is not a technical solution, but a practical solution. Ask yourself these questions:

* Why would your boss want to harbor someone like this individual?

* Does your boss know that the hacker's actions will cause great harm to his business?

* Have you approached your boss with this issue, and how?

The way I look at it, if a person is performing malicious acts to hurt my business, he's no friend of mine. I'm sure if you properly approach your boss with the worst case scenario, he'll give in... Also, tell your boss that the internal hacker might also be doing other things to other external networks from within that will get your boss on the FBI's grill.... A little lecture on the legality of things always helps!

BTW, who the heck gave the hacker full domain Admin privileges? From what was said in your post, I don't think he's really a hacker capable of cracking passwords, etc... just a novice w/ full Admin privileges playing with files and deleting them accidentally. If he's really good at cracking passwords, he can make it look like YOU are the one deleting files from the network, imo... What you may only need is a good network UNDELETE software ... ;-}

my 2 cents!
AP
 