
Thread: Ideas on how the hacker is doing it?

  1. #1
    Member
    Join Date
    Jan 2004
    Posts
    33


    Sensitive information has been compromised by way of email, and the jackal is using a Hotmail account to share these sensitive emails with others in the company who should not be reading them. I believe they are accessing calendars and monitoring emails as we speak.
    The network is primarily Microsoft based with several SQL servers, Exchange, and 2003 servers. These servers are patched regularly and the patch management team does maintain a vigil with regards to patching. There are multiple sites that are using Terminal Services, and Active Directory group policies are used company wide.

    The real stinger is this. I think the jackal is the guy who used to be in charge of Information Security at this company.
    Now I have looked at the email header and tracked it back to the original IP, which happens to be the company he went to work for.... I have recommended the review of the Exchange server accounts and have asked that this Hotmail account be blocked.

    I suspect that IT is using Telnet on the routers and switches and that this guy has left himself a backdoor. I will monitor the port tomorrow.

    I have been asked to find this hole or holes and plug it. I am formulating a plan, but I have seen some amazing things come from the brain trust on this site and would appreciate any additional input. Simple or complex, I have been charged with covering it all and I do not want to miss anything.

    So, anyone up for a game against a grey hat? I will continue to post progress and findings and hopefully this can turn into a worthwhile scenario when all is said and done.
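
    The header trace described in the post above, as an added example that is not part of the original thread. Each relay prepends its own Received: line, so the bottom-most line is the earliest hop; the code walks the chain from the bottom up and reports the earliest routable address, and separately the address that handed the message to our own gateway. The sample message, the gateway name mx.company.example and every address in it are constructed; the Hotmail-style X-Originating-IP header is included because Hotmail added one at the time, but it is sender-side data like everything below the gateway's own line.

```python
"""Trace an e-mail back through its Received: chain.

Added example, not from the thread. Only the Received: line written by
our own mail gateway (the "handoff" hop) is known to be genuine; every
line below it was written by systems the sender may control, so the
"originating" address is a lead, not proof. Message, hostnames and
addresses are all constructed.
"""
import email
import ipaddress
import re
from typing import List, Optional

# Constructed sample: sender on 203.0.113.45 used webmail, the mail
# passed through two hotmail.example hosts and was handed to our MX.
SAMPLE_RAW = """\
Received: from mail.hotmail.example (mail.hotmail.example [198.51.100.7])
\tby mx.company.example with ESMTP id k2A1xyz; Mon, 2 Feb 2004 09:12:03 -0500
Received: from relay-internal.hotmail.example ([10.3.4.5])
\tby mail.hotmail.example; Mon, 2 Feb 2004 09:11:58 -0500
Received: from 203.0.113.45 by webmail.hotmail.example with HTTP;
\tMon, 2 Feb 2004 09:11:50 -0500
X-Originating-IP: [203.0.113.45]
From: someone@hotmail.example
To: colleague@company.example
Subject: FW: board minutes

(body omitted)
"""

IPV4_RE = re.compile(r'(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])')
# Blocks that never identify an external sender (RFC 1918, loopback, etc.).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    '0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.168.0.0/16')]


def is_routable(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def received_hops(raw: str) -> List[str]:
    """Received: lines in header order (top = most recent), folding removed."""
    msg = email.message_from_string(raw)
    return [' '.join(h.split()) for h in msg.get_all('Received', [])]


def originating_ip(raw: str) -> Optional[str]:
    """Earliest routable address in the chain; sender-controlled, so a lead only."""
    for hop in reversed(received_hops(raw)):
        for cand in IPV4_RE.findall(hop):
            if is_routable(cand):
                return cand
    return None


def handoff_ip(raw: str, our_mx: str) -> Optional[str]:
    """Address that delivered the message to our own gateway: the trustworthy hop."""
    for hop in received_hops(raw):
        if f' by {our_mx} ' in f' {hop} ':
            ips = [c for c in IPV4_RE.findall(hop) if is_routable(c)]
            if ips:
                return ips[0]
    return None


def trace(raw: str, our_mx: str) -> dict:
    msg = email.message_from_string(raw)
    return {
        'handoff_ip': handoff_ip(raw, our_mx),
        'originating_ip': originating_ip(raw),
        'x_originating_ip': (msg.get('X-Originating-IP') or '').strip('[] '),
        'hops': len(received_hops(raw)),
    }


if __name__ == '__main__':
    print(trace(SAMPLE_RAW, 'mx.company.example'))
```

    If the originating address resolves to the ex-admin's new employer, as the post says it did, that is corroboration to hand to law enforcement together with the gateway's own logs, not something to act on alone: anything below the handoff line can be written by whoever sent the message.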

  2. #2
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Bollocks, back up all your needed data. Take the network apart, re-format every PC and put it back together stronger, tougher and harder than it was before. Then go find the ex-admin and roger him to death.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  3. #3
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings:

    I would actually suggest to your company management that the holes NOT be patched just yet, believe it or not.

    I would contact your local FBI field office. They are VERY interested in cases like this (despite public perception otherwise), and would more than likely have an agent or two help you monitor his activity in such a way as to make it useful in a court of law.

    Then you can plug the holes, and have this BLACK HAT arrested.

  4. #4
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Ok so i'm a bit tipsy,

    Firstly, change your security settings on the router. Then do as JP suggests. If the router is your gateway, change the password now, now. I say again, now. Getting the feds involved is all well and good, but your info is leaking away; once it's public it will always be public.

  5. #5
    Originally posted here by uno_digerati
    The real stinger is this. I think the jackal is the guy who used to be in charge of Information Security at this company.
    Now I have looked at the email header and tracked it back to the original IP, which happens to be the company he went to work for.... I have recommended the review of the Exchange server accounts and have asked that this Hotmail account be blocked.
    Since you automatically assume him, I take it there was a bit of a tiff in the office, he had the privileges to install what he wanted, then when he left you noticed these strange activities. Something of the sort, correct? If so, then I say I don't care who you are, how much money you make, and how deep in management you are. No matter how high your rights to the box are, it should still be audited and you should have two or three people monitoring these changes and comparing notes.

    So if it is this, then this means either this guy slipped something right under some other management's nose; he had access, then did a few local exploits to up his rights (you'd be surprised how many people only pay attention to critical updates for something done remotely); or (as I assume) there was a completely flawed policy over the network to begin with, i.e. they left one guy to be godly over everything.

    I wouldn't recommend a re-format; just by turning the computer off you can lose evidence. As you said, you could just use a sniffer and collect evidence, which should already have been done routinely as just another precaution if you ask me.

    |The|Jackel
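
    The sniffer-based monitoring the post above recommends, combined with the Telnet check from the first post, as an added example that is not part of the original thread. It reads connection records of the kind a sniffer or firewall would log (the five-field line format, the management addresses 192.168.1.1 and 192.168.1.2, the admin subnet 192.168.10.0/24 and the log lines themselves are all constructed for the example) and flags tcp/23 sessions to routers and switches that did not come from the admin subnet, or that came from an address already tied to the leaked e-mail.

```python
"""Flag Telnet (tcp/23) sessions to network devices from unexpected sources.

Added example, not from the thread. Record format, device addresses,
admin subnet and every log line below are constructed; in practice the
records would come from a span-port sniffer or the firewall log, and
the "known_bad" set from the e-mail header trace.
"""
import ipaddress
from collections import namedtuple
from typing import FrozenSet, List, Tuple

Conn = namedtuple('Conn', 'ts src dst dport proto')

# Constructed log lines: "<timestamp> <src> <dst> <dport> <proto>"
SAMPLE_LOG = """\
2004-02-02T22:14:03 192.168.10.21 192.168.1.1 23 tcp
2004-02-02T22:15:41 203.0.113.45 192.168.1.1 23 tcp
2004-02-02T22:16:02 203.0.113.45 192.168.1.2 23 tcp
2004-02-02T22:17:19 192.168.10.22 192.168.1.2 22 tcp
2004-02-02T22:18:55 198.51.100.9 192.168.1.1 80 tcp
"""

MGMT_DEVICES = {'192.168.1.1', '192.168.1.2'}          # routers/switches (assumed)
ADMIN_NET = ipaddress.ip_network('192.168.10.0/24')   # where IT staff sit (assumed)


def parse_log(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                       # skip malformed/blank lines
        ts, src, dst, dport, proto = parts
        conns.append(Conn(ts, src, dst, int(dport), proto))
    return conns


def suspicious_telnet(conns: List[Conn],
                      known_bad: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, str, str]]:
    """(timestamp, src, dst, reason) for every Telnet session worth a look."""
    alerts = []
    for c in conns:
        if c.proto != 'tcp' or c.dport != 23 or c.dst not in MGMT_DEVICES:
            continue
        src = ipaddress.ip_address(c.src)
        if c.src in known_bad:
            alerts.append((c.ts, c.src, c.dst, 'source matches e-mail origin'))
        elif src not in ADMIN_NET:
            alerts.append((c.ts, c.src, c.dst, 'source outside admin subnet'))
        # Telnet from the admin subnet is still cleartext, but it is expected here.
    return alerts


if __name__ == '__main__':
    for alert in suspicious_telnet(parse_log(SAMPLE_LOG), frozenset({'203.0.113.45'})):
        print(*alert)
```

    Telnet carries the enable password in the clear, so the same capture that produces these records also shows exactly which credentials the intruder holds, which is what the later decision about when to change them has to be based on.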

  6. #6
    Macht Nicht Aus
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Originally posted here by jinxy

    Firstly, change your security settings on the router. Then do as JP suggests. If the router is your gateway, change the password now, now. I say again, now. Getting the feds involved is all well and good, but your info is leaking away; once it's public it will always be public.
    Whose side are you on? Any sensitive information in the system is already compromised, and by changing any setting or password you are tampering with the available evidence.
    Do as JP has suggested and don't change anything until the F.B.I. has authorized the change.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  7. #7
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    No you're not, you're just denying further access. If a bad guy has a gun, the first thing you do is take it away from him.

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    If a bad guy has a gun the first thing you do is take it away from him
    That may be, but you don't trample all over the crime scene, otherwise you destroy and alter evidence... as much as I hate to agree with Mox (j/k)... and JP.

    Electronic evidence is hard enough to get into court... if there is a chance any of it has been tampered with/altered, it will be completely inadmissible. ( <-- spelling doesn't look right?? )

    EDIT: However, unplugging it from the network wouldn't be an issue from the forensics side...might be tough on business though.

  9. #9
    Member
    Join Date
    Jan 2004
    Posts
    33
    Ok, so as The Jackel has deduced, we are talking about a company whose idea of security is one Information Security guy, and cutbacks took away a second. The only other auditing body was the network admin team, and I believe the communication between them was tolerated when necessary. Not my idea of an ideal situation, but regardless...... He left with a grudge and now wants to show us all how smart he is........
    Jackel, you make some great observations and, as stated, this was far from the ideal, but now what..... This is a 24/7 shop, and dissecting the network, while desirable on some levels, will destroy event logs and lose the company money.

    I am looking for maximum impact on his access with minimum effect on the business...... Jinxy....... a throttling may just not be too far from a reality and well deserved in my book :-)

  10. #10
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    uno,


    It sounds like this individual is fairly well versed, so don't be surprised if he visits here as well. Who knows, he may have already read your thread. Obviously, he was sharp enough to create trouble for you. Anyway, don't even mess with this character; as stated before, get the FBI/Law Enforcement involved so he can get hammered by Bubba. I'm sure they are looking for some of those Patriot Act violators, so give them one!

    cheers
