Hacked network

jmc724

A network has been compromised, some admin passwords have been breached, connectivity to do admin work is by RDP(remoted desktop) from one network to the other, key logging has been eliminated, strong passwords are used but still being breached, security logs shows admins going to computers they normally dont administer thus the flag for having security breaches. Changing/Deleting/creating new admin username/passwords dont stop this hacker.

Question: How can this be possible? What tools are being used to hack the passwords? How can you trace it?

nick619

From what I can think of, Brute Force would be near impossible and take forever since you are using strong passwords and changed the passwords. You can also check the packets with a sniffer on the network for any odd or unusual traffic. But, the only thing I can think of is a keylogger. How did you eliminate this as a possibility?

jmc724

Only admin have access to AD boxes, we manage the network from an offsite location. From time to time, admins are reqd to do onsite work. The building is highly secure. No one else has access to servers. The investigation has ruled out keylogging. My username and password has been breached Wed, except for my wife, no one would ever know of the password I would use in the form of aaNaNaaaS.

a= alpha
N=numeric
S=special character

mobri09

Some sort of keylogger or program recording activities on the network. Sounds like one incredible hacker. Usually it is someone within the company. You need to encrypt and isolate fast.

JDMurray

What has happened on the system(s) to make you think that you have an intruder?

fondue

It's most likely a keylogger, sniffer, evil admin or user with delegated power.

Here's some suggestion, but you may already be doing them.
I would lock down the firewalls and only allow RDP from known hosts or subnets and start logging everything in and out. You need a baseline of you normal network traffic. VPN your traffic as much as possible to lesson the risk of sniffers.

If you're using pop3/smtp or the dreaded telnet a sniffer works quite well at capturing your password.

jmc724

Unauthorized access to systems thats normally system admins dont access. Use of admins username and pwds during the work day to get to systems we are not authorized to.

jmc724

Firewall rules have been in effect, you cant do RDP without connecting first thru vpn to be authenticated and then get to the lan. Regular user accouts are not conpromised only admin accounts. We dont use telnet but secure SSH. We are currently looking at tokens to do vpn and possibly citrix to do remote administration but again the network has/is already being exploited.

We need to track it and stop the hacker. I think hes probably using some sort of vb script to get these AD passwords eventhough the password was changed yesterday, today it has been compromised.

fondue

jmc724 wrote:

Firewall rules have been in effect, you cant do RDP without connecting first thru vpn to be authenticated.

I may have underestimated the size and complexity of your network. With that said, if the attacks are coming from the outside you have log data in the form of firewall and vpn access logs, unless your firewall and vpn access isn't logged. For that matter, if the attack is coming from offsite and the only way in is through the VPN change the keys, log all failed connection attempts, track them down and go angry IT on them.

If they're running a vbscript, cracking the password and sending it off site you should be able to detect that with object access logging.

Have you run any penetration tests on your network lately?

Good luck, I wish I was there with you, I love a good challenge.

jmc724

I am only concern since I am a part of the system admins team(also will be doing more security for my long term career path) and not the security team in which there is a coordinated effort to try to find out who is behind this. This is a vey serious event since it has to do with the network of a govt agency. It must be fun to say.."I have hacked **** network and they cant track me." But since this is a highly secure network and this event did happend, I am very sorry if the hacker is found. There will be significant charges that will be put against him/her.

JDMurray

jmc724 wrote:

I am very sorry if the hacker is found. There will be significant charges that will be put against him/her.

You would be surprised how often charges are lessened or even dropped because the agency that owned the computers didn't want to reveal specific aspects of their organization in a public court case. It's really a curious thing, this democratic justice system of ours.

Anyway, if you have hard evidence that the intruder is using admin account names and passwords then it's likely that they were obtained from an insecure source. The most likely suspect is any unencrypted communications channel (email, Telnet, yellow sticky notes, etc.). You must also considered the possibility of social engineering, careless information handling, and deliberate internal espionage.

I know that this isn't much help, but without knowing more details it's difficult to make an accurate guess.

RussS

jdmurray has covered most of the methods of access, but i would like to however add a couple that do quite often get overlooked.

Not knowing what your OS are I would add that there is every possibility that you have been rooted. Many rootkits are virtually impossible to detect and often the only remedy is a clean install ..... oh fun, fun, fun
As far as access - are there any modems in your infrastructure? I recently came across a multifunction unit that was being used as a fax/scanner. On the machine it was installed on to run the scanner software the printer/copier people also installed the fax software by mistake (I say total carelessness). Anyways our client had a few weird things happening on this machine and wanted it sorted ASAP. As I was busy doing a network migration I offered to visit the site later in the evening. While I was there (about 10:30pm) the fax unit started ringing and I figured it was recieving a fax, but after 5 minutes when nothing had come out of the machine I got kind of interested as it appeared that it was still connected. After a bit of investigation I found that someone was dialling in and taking control of the workstation. Network forensics found a stash of warez hidden on one of the file servers and I am guessing the person was considering using the network as a warez site once it was set up correctly. Further investigation showed the firewall logs had been altered. Needless to say this network was shut down and thoroughly investigated prior to go back online.

keatron

How many of you have the admin passwords? There's always the possibility of a human leak. You said you ruled out keyloggers? What was your methodology for ruling them out? Most people mistakenly think keylogger=hardware keylogger. This is not the case. There are literally hundreds if not thousands of software keyloggers floating around. And to be honest with you, writing or modifying code to record keystrokes is definantly not an intense undertaking.

You really need to go ahead and do a forensics investigation, because otherwise you might be spinning wheels for a while. If you don't have to skills or resources to effectively carry out a solid forensics investigation, go ahead and hire an expert to do it. It's not cheap, but at this point it's probably worth it.

You'll need to get good memory ****, and good images of the partitions. These things wont be nearly as effective now, as you guys have probably performed many restarts and destroyed most of the real tangible information. But what it will do is help you find out what the hell is going on. Which in turn will allow intelligent decision making as far as actions and response goes.

Good luck, and make sure you let us all know what happens in the end.

jmc724

We have a team of 15 admins, all have diff usernames and pwds, our infrastrcuture is relative large, we have 8 ADs for user accounts, authentication etc. Its a cooperative effort on the security team. I dont think they will get an expert but you never know.

Chivalry1

I would begin looking on that network for rogue computers. These computers could be capturing packages and analyzing them for passwords. After that I would begin looking for internal admin or social engineering.

beefy

If I was you, I wouldnt have him charged Id give him a job on your security team

2lazybutsmart

My username and password has been breached Wed, except for my wife, no one would ever know of the password I would use in the form of aaNaNaaaS.

a= alpha
N=numeric
S=special character

at least something like this is a good start for a person who can carry out effective social engineering.

If as you say this a govmt agency, there most certainly are people out there who might have a very good reason to get on your system. And the most insignificant piece of information that leaves the lips of one of your 15 admins might just happen to be the intruders most valuable tool.

I'm not a security man, but at least there are a few basics I know to keep my friends and colleagues off my laptop

2lbs.

Opi

Could be that the hacker doesn't even know its an important server. Maybe there is a service on your server that could be exploited and showed up in a mass scan. Maybe the hacker has other plans for your server...
I would look at some vulnerability mailing lists etc, too see if there was a new vuln. in of a service that you may be running..These are wild guesses though

Try to look for traces, where the hacker could have made a misstep,.. antivirus scanning, spyware ...firewall logs, computer logs..start diggin!

If you don't have the knowledge to do the forensics hire someone, swallow your pride, move on! From this point you need to make server, your leak is fixed!!

Hope you find your security leak soon.

yang11

hey

this topic is really interesting.

do you have any smart card implementation?

what if disable the hacked account and to see whats showing up in the security logs.

keep us posted..

Sie

Have you checked for connections out of your network?

Most people check connections inwards but if the hacker has got in and then dialled out from your network to his own computer then these logs need checking too.

Does your network run any other remote access apps IE: Dameware , pcanywhere etc?

paige1

Whoever is doing this, knows the system very very well in order to breach passwords as soon as they are created/changed. The only thing that gives up that kind of info is keyloggers. One would have to have access to real time infomation short of social engineering. Also, they seem to be breaching these passwords and accounts simply because they can. Nothing else on the system seems to interest them. Why would someone let it be known that they have the power to continually breach passwords and accounts?

garv221

current IT employee, ex-IT employee or forgotten administrative account. Get a trial of "Wild Packets" and look at your network traffic

Jiggsaww

beefy wrote:

If I was you, I wouldnt have him charged Id give him a job on your security team

lol i firmly agree on this one.......:D

RussS

So jmc724 - what is the current status of this issue?

ubergeek

Seems pretty interesting, where you able to trace the source of the attack? As what keatron, jdmurray and RuSS have said all are possible for gaining access to your system, for your VPN connection are you using PFS for phase 2? Put into consideration that the "hacker" might also have penetrated your VPN either he/she might have compromised your SKEYID.

Rootkits are also one point of concern, would recommend creating a "honey pot" and do a regular check of your registry hive. One good tool to check your registry is "process explorer". this will track any registry key including services added to the rogue machine. Social engineering is also another factor to look into.. There is a possibility that the one making the attacks is still employed but frustrated on his job.

Do a packet capture from the firewall or from the box, maintain a regular syslog service for the firewall, if you have IDS or IPS on your infra, implement a "critical" type of signature for the time being until you found the culprit. For the time being implement strict access-lists on your network, if you are using Cisco routers implement context based access control on the router.

Judd

After exhausting all possible efforts, because it seems like this person is a pro, locate the point at when the activity first happened. Go back 24 hours from that time and restore from backup.

You said there was no interest in the data right, just hacking for the sake of it. If he/she installed a software keylogger, that's the only way besides a complete restore from scratch.

Notify key personnel via telephone or some voice communication to save all important data locally, don't email them this because the keylogger would pick it up, and maybe the hacker would do more nasty tricks.

Then suck it up and restore from backup, I agree that the time to have a forensics team would have been at first sight of the activity. Now is the time to save as much of your information systems as possible.