We got hacked thru TS- but we got the [email protected]!

  • We got hacked thru TS- but we got the [email protected]!

    When I first started here, our network had just been hacked into by a Terminal Server hacker. The system was set up for direct TS as the login point for all users. The hacker was an ex-IT-employee who knew the usernames and passwords (we use irregular usernames for our admins which only he and I knew of!).

    I spent a day securing the network after receiving as many as 300 phone calls in half-an-hour to tell me 75% of the files on the file server had been deleted.

    We have never since been hacked into again.

    The police's computer crime squad, with my thorough investigative report on the hack from our side of the firewall, now have the hacker and his computers in their possession. They are asking me how we can track what the hacker did from his computer to prove he hacked into our network. Does the RDP client on Windows leave traces of Terminal Server hosts it has been trying to hack into?

    Where can we look on the hacker's computer to find evidence of the hack?

    Note: The police seized his computers one month after the hack attempt and have imaged his hard disks for backup.
    JDMils, Regional Systems Engineer, DotNet programmer & Jack of all trades

  • #2
    Re: We got hacked thru TS- but we got the [email protected]!

    Congratulations on the catch!
    Any logon/logoff should be found in the Event Viewer\Security (I hope you have Auditing enabled).
    Go to the Event Viewer -> Security -> View -> Filter and fill in the fields as follows:
    - Event Source : Security
    - Category : Logon\Logoff
    - Event ID: 528 (for logon) or 538 (for logoff).
    - you can use a time slice by choosing From: and To: .

    You'll get yourself a list with all the logons, unless he was clever enough to delete the whole log. And that you will know the moment you open it.

    This is what I get on my TS server (notice the relevant fields, emphasized):
    Code:
    Event Type:	Success Audit
    Event Source:	Security
    Event Category:	Logon/Logoff 
    Event ID:	528
    Date:		3/26/2007
    Time:		8:07:45 AM
    User:		[some user]
    Computer:	[your server]
    Description:
    Successful Logon:
     	User Name:	[some user]
     	Domain:		[...]
     	Logon ID:		(0x0,0xF1E02FEC)
     	Logon Type:	10
     	Logon Process:	User32  
     	Authentication Package:	Negotiate
     	Workstation Name:	[...]
     	Logon GUID:	[...]
     	Caller User Name:	[...]
     	Caller Domain:	[...]
     	Caller Logon ID:	(0x0,0x3E7)
     	Caller Process ID: 19088
     	Transited Services: -
     	Source Network Address:	[his IP address]
     	Source Port:	3513
    
    
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Hope this helped, and you'll find the smoking gun.

    Sorin Solomon

    In order to succeed, your desire for success should be greater than your fear of failure.

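Sorin's filter, run as code over a log export in the same layout as the entry he pasted (an added example, not from the thread; the records below are constructed). It keeps the Terminal Services logons (528 with Logon Type 10), pairs each with its 538 logoff by Logon ID so the source address, workstation name and session length come out together, and checks for the one event that explains a suspiciously empty log: on Windows 2003, Event ID 517 records that the audit log was cleared.

```python
import re
from datetime import datetime

# Constructed sample in the layout Event Viewer copies to the clipboard on Windows 2003; values are made up.
SAMPLE_LOG = """\
Event Type:\tSuccess Audit
Event ID:\t528
Date:\t\t3/26/2007
Time:\t\t8:07:45 AM
 \tUser Name:\tsvc_admin
 \tLogon ID:\t\t(0x0,0xF1E02FEC)
 \tLogon Type:\t10
 \tWorkstation Name:\tEXEMPLOYEE-PC
 \tSource Network Address:\t203.0.113.7
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:\tSuccess Audit
Event ID:\t538
Date:\t\t3/26/2007
Time:\t\t8:52:10 AM
 \tLogon ID:\t\t(0x0,0xF1E02FEC)
 \tLogon Type:\t10
"""
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")  # 'Field:<tabs>value'; other lines are skipped

def parse_events(text):  # one dict per record; a record starts at its 'Event Type:' line
    events, current = [], None
    for m in filter(None, map(FIELD_RE.match, text.splitlines())):
        key, value = m.groups()
        if key == "Event Type":
            current = {}
            events.append(current)
        elif current is not None:
            current.setdefault(key, value)   # header 'User:' and body 'User Name:' stay distinct
    return events

def rdp_sessions(text):
    """Pair each Terminal Services logon (528, Logon Type 10) with its 538 logoff by Logon ID."""
    sessions = {}
    for ev in parse_events(text):
        if ev.get("Logon Type") != "10":
            continue
        when = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        if ev["Event ID"] == "528":
            sessions[ev["Logon ID"]] = {"user": ev["User Name"], "workstation": ev.get("Workstation Name"),
                                       "source": ev.get("Source Network Address"), "logon": when, "logoff": None}
        elif ev["Event ID"] == "538" and ev["Logon ID"] in sessions:
            sessions[ev["Logon ID"]]["logoff"] = when
    return list(sessions.values())

def audit_log_cleared(text):
    """Event 517 is 'The audit log was cleared' on Windows 2003: if it is there, older 528s are gone."""
    return any(ev.get("Event ID") == "517" for ev in parse_events(text))
```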
    • #3
      Re: We got hacked thru TS- but we got the [email protected]!

      Thanks for that. Yeah, I already got all that info. The police want to know if there is anything on HIS computer, the one he used to hack into our network, that will show that he RDP'ed into our network.
      JDMils

      • #4
        Re: We got hacked thru TS- but we got the [email protected]!

        Well, pretty odd that the Computer Crime Squad asks you about it, isn't it?
        There are some MRU lists in the Registry you could take a look at:
        HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default - if he used the RDP client
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU - if he used the Start->Run option
        I know these two, there might be more places to look in.
        Good luck!

        Sorin Solomon


        • #5
          Re: We got hacked thru TS- but we got the [email protected]!

          It will be difficult to differentiate legitimate traces of your network vs. illegitimate traces from after he separated from the company.

          Make a note of any time discrepancies on his PC vs. actual time. (skew)

          In any case there is very limited information about the following, but maybe your police contact can get in touch with MS for more info.

          There is the bitmap cache used when connecting to a TS
          my default is
          Code:
          C:\Documents and Settings\xxxx\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache
          and then there is the license that is acquired from the TS that resides in the registry here
          Code:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing
          Also you may be able to match that data to the data that resides in the licensing server. Though I am not sure about that....

          In any case my experience in dealing with such matters is that local enforcement had very limited knowledge in investigating these types of crimes. They are trained to find deleted files and to preserve evidence (EnCase), but that's it.

          (EDIT - in the US anyway)
          Last edited by Lior_S; 26th March 2007, 16:16.
          "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan

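The two MRU keys Sorin named, read the way an examiner would from an exported copy rather than the live machine (an added example, not from the thread; the `reg export` text below is constructed, the key paths are the ones quoted in the posts). It lists the RDP client history and the Start->Run history most-recent-first, then pulls out the entries that name the victim server, which is the question the police were asking.

```python
import re

# Constructed 'reg export' output of the two keys quoted in the posts; hosts and commands are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default]
"MRU1"="192.0.2.10"
"MRU0"="ts.victim.example:3389"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="mstsc /v:ts.victim.example\\1"
"MRUList"="ba"
"""
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # REG_SZ values only; binary values are ignored

def parse_reg(text):
    """{key path: {value name: string}} for the REG_SZ values of each [key] section."""
    keys, current = {}, None
    for line in text.splitlines():
        if sec := SECTION_RE.match(line):
            current = keys.setdefault(sec.group(1), {})
        elif (val := VALUE_RE.match(line)) and current is not None:
            current[val.group(1)] = val.group(2).replace("\\\\", "\\")  # undo .reg escaping
    return keys

def rdp_client_mru(text):
    """Hosts from the mstsc MRU, newest first (MRU0 is the most recent connection)."""
    for path, values in parse_reg(text).items():
        if path.endswith(r"\Terminal Server Client\Default"):
            numbered = [(int(k[3:]), v) for k, v in values.items() if k.startswith("MRU") and k[3:].isdigit()]
            return [v for _, v in sorted(numbered)]
    return []

def run_mru(text):
    """Start->Run history, newest first: MRUList gives the order, each value ends in '\\1'."""
    for path, values in parse_reg(text).items():
        if path.endswith(r"\Explorer\RunMRU"):
            return [values[c].rsplit("\\", 1)[0] for c in values.get("MRUList", "") if c in values]
    return []

def references_to(text, victim_host):
    """Every MRU entry that names the victim host (case-insensitive, optional :port on RDP entries)."""
    victim = victim_host.lower()
    hits = [h for h in rdp_client_mru(text) if h.split(":")[0].lower() == victim]
    return hits + [cmd for cmd in run_mru(text) if victim in cmd.lower()]
```

Neither list carries a timestamp, so a hit shows the host was a target but not when; the keys' last-write times in the hive are the only clock, which is where Lior's point about clock skew applies.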
          • #6
            Re: We got hacked thru TS- but we got the [email protected]!

            Thanks all- this info has been really helpful to the Police. I just hope they can put it all together as evidence against the hacker.

            Oh, get this...The hacker's computer name was his real name!! HA! And this was all logged in the Terminal Server logs
            JDMils

            • #7
              Re: We got hacked thru TS- but we got the [email protected]!


              It reminds me of a story of a guy that was busted by the Police in the US during a drug party. The Police got a PDA with a gold mine inside: all the names and phone numbers of drug dealers and distributors in the region. The guy was arrested for drug trafficking.
              The attorney took the PDA as evidence in the court, but the suspect convinced everyone it was not his. Until the Police found that the phone number of the guy's parents was written under "Mom and Dad" ...

              Sorin Solomon


              • #8
                Re: We got hacked thru TS- but we got the [email protected]!

                Maybe YOU can learn something from this avoidable incident. When IT staff leave for ANY reason, the first thing you do as soon as they are out the door........CHANGE the bloody PASSWORDS!!
                1 1 was a racehorse.
                2 2 was 1 2.
                1 1 1 1 race 1 day,
                2 2 1 1 2

                • #9
                  Re: We got hacked thru TS- but we got the [email protected]!

                  Originally posted by biggles77:
                  Maybe YOU can learn something from this avoidable incident. When IT staff leave for ANY reason, the first thing you do as soon as they are out the door........CHANGE the bloody PASSWORDS!!
                  ...or even better ensure that ALL admin work is undertaken using a PERSONAL admin account and that the root "Domain Admin" and "Enterprise Admin" user names and passwords are locked in a safe somewhere and never used by human beings...

                  This way, all you have to do when he leaves is disable his admin account and his humble account and he can never log in again...


                  Tom
                  For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                  Anything you say will be misquoted and used against you

                  • #10
                    Re: We got hacked thru TS- but we got the [email protected]!

                    Originally posted by JDMils:
                    Thanks all- this info has been really helpful to the Police. I just hope they can put it all together as evidence against the hacker.

                    Oh, get this...The hacker's computer name was his real name!! HA! And this was all logged in the Terminal Server logs
                    Yes yes all very stupid blah blah blah. Who's running the network, who's running the IT Security policy, who's running the servers? How was it possible for the bloke to get in IN THE FIRST PLACE?!

                    There were plenty of disgruntled employees made redundant at my last place; some of whose accounts had access to firewall configs and so on from the internet. However, about four seconds after they left the building for the last time, their accounts were disabled and various other security steps taken and they therefore no longer had access. Is it so difficult?!


                    Tom

                    • #11
                      Re: We got hacked thru TS- but we got the [email protected]!

                      A client of mine (who hadn't followed any advice about anything) sacked a fellow and then left him alone in the office to clear out his desk. He formatted all the backup tapes, which they had left all onsite, and then he formatted the workgroup server. Nobody could prove anything and the company went bust.

                      Multiple "DOH" !
                      Best wishes,
                      PaulH.
                      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

                      • #12
                        Re: We got hacked thru TS- but we got the [email protected]!

                        OK, thanks for the flames. Look, I was only in the position for one week and since for the previous three months before that the company had an IT firm supporting them until I got in, I assumed it had already been locked down. I wanted to investigate how the whole thing was set up before changing all the passwords. The IT firm had set up all the SQL databases, services on all servers, etc. with various domain admin usernames, and thus I would have brought the whole system down if I had hurriedly changed all the passwords.

                        It's just a bad experience which I have learnt from.
                        Last edited by JDMils; 27th March 2007, 21:39.
                        JDMils
