Hacked network
A network has been compromised, some admin passwords have been breached, connectivity to do admin work is by RDP (Remote Desktop) from one network to the other, key logging has been eliminated, strong passwords are used but are still being breached, and security logs show admins going to computers they normally don't administer, which is the flag for a security breach. Changing/deleting/creating new admin usernames/passwords doesn't stop this hacker.
Question: How can this be possible? What tools are being used to hack the passwords? How can you trace it?
What next?
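The indicator in the original post (admins logging on to hosts they do not normally administer) is something the security logs can be checked for automatically. The following is an added example, not code from the thread: it builds a per-account baseline of RDP target hosts from historical records and flags logons that fall outside that baseline or outside working hours. The log format is a constructed, simplified rendering of Windows Security logon events (logon type 10 = RemoteInteractive/RDP); a real export would be parsed into the same fields first.

```python
from collections import defaultdict
from datetime import datetime

# Constructed historical sample: which hosts each admin normally RDPs into.
# Fields: <timestamp> <account> <target_host> <logon_type>
BASELINE_LOG = """\
2007-05-01T09:12:00 alice DC01 10
2007-05-01T10:40:00 alice FILE02 10
2007-05-02T11:05:00 bob MAIL01 10
2007-05-03T14:20:00 bob MAIL02 10
2007-05-04T08:55:00 alice DC01 10
"""

# Constructed sample from the day under investigation.
CURRENT_LOG = """\
2007-05-09T09:01:00 alice DC01 10
2007-05-09T02:14:00 alice HR-WS17 10
2007-05-09T13:30:00 bob MAIL01 10
2007-05-09T03:02:00 bob FINANCE-SQL 10
"""


def parse(log):
    """Yield (timestamp, account, host, logon_type) from the sample format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, host, ltype = line.split()
        yield datetime.fromisoformat(ts), account, host, int(ltype)


def build_baseline(log):
    """Map each admin account to the set of hosts it normally RDPs into."""
    baseline = defaultdict(set)
    for _, account, host, ltype in parse(log):
        if ltype == 10:  # only RDP (RemoteInteractive) logons are relevant here
            baseline[account].add(host)
    return baseline


def find_deviations(baseline, log, work_hours=(7, 19)):
    """Return (account, host, timestamp) for RDP logons to a host outside the
    account's baseline set, or at an hour outside work_hours (start, end)."""
    start, end = work_hours
    hits = []
    for ts, account, host, ltype in parse(log):
        if ltype != 10:
            continue
        off_hours = not (start <= ts.hour < end)
        if host not in baseline.get(account, set()) or off_hours:
            hits.append((account, host, ts.isoformat()))
    return hits
```

Every flagged pair should be confirmed with the admin in question; a legitimate one-off visit to a new host is added to the baseline, anything else is a lead for the investigation.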
Comments
-
nick619:
From what I can think of, brute force would be near impossible and take forever since you are using strong passwords and changed the passwords. You can also check the packets with a sniffer on the network for any odd or unusual traffic. But the only thing I can think of is a keylogger. How did you eliminate this as a possibility?
-
jmc724:
Only admins have access to AD boxes; we manage the network from an offsite location. From time to time, admins are required to do onsite work. The building is highly secure. No one else has access to servers. The investigation has ruled out keylogging. My username and password were breached Wed.; except for my wife, no one would ever know of the password I would use in the form of aaNaNaaaS.
a = alpha
N = numeric
S = special character
What next?
-
mobri09:
Some sort of keylogger or program recording activities on the network. Sounds like one incredible hacker. Usually it is someone within the company. You need to encrypt and isolate fast.
-
JDMurray (Admin):
What has happened on the system(s) to make you think that you have an intruder?
-
fondue:
It's most likely a keylogger, sniffer, evil admin or user with delegated power.
Here are some suggestions, but you may already be doing them.
I would lock down the firewalls and only allow RDP from known hosts or subnets and start logging everything in and out. You need a baseline of your normal network traffic. VPN your traffic as much as possible to lessen the risk of sniffers.
If you're using POP3/SMTP or the dreaded Telnet, a sniffer works quite well at capturing your password.
-
jmc724:
Unauthorized access to systems that system admins normally don't access. Use of admins' usernames and passwords during the work day to get to systems we are not authorized to access.
What next?
-
jmc724:
Firewall rules have been in effect; you can't do RDP without connecting first through VPN to be authenticated and then getting to the LAN. Regular user accounts are not compromised, only admin accounts. We don't use Telnet but secure SSH. We are currently looking at tokens to do VPN and possibly Citrix to do remote administration, but again the network has been/is already being exploited.
We need to track it and stop the hacker. I think he's probably using some sort of VB script to get these AD passwords; even though the password was changed yesterday, today it has been compromised.
What next?
-
fondue:
jmc724 wrote: Firewall rules have been in effect, you can't do RDP without connecting first through VPN to be authenticated.
If they're running a VBScript, cracking the password and sending it off site, you should be able to detect that with object access logging.
Have you run any penetration tests on your network lately?
Good luck, I wish I was there with you, I love a good challenge.
-
jmc724:
I am only concerned since I am a part of the system admins team (and will also be doing more security for my long-term career path) and not the security team, in which there is a coordinated effort to try to find out who is behind this. This is a very serious event since it has to do with the network of a govt agency. It must be fun to say "I have hacked **** network and they can't track me." But since this is a highly secure network and this event did happen, I am very sorry if the hacker is found. There will be significant charges that will be put against him/her.
What next?
-
JDMurray (Admin):
jmc724 wrote: I am very sorry if the hacker is found. There will be significant charges that will be put against him/her.
Anyway, if you have hard evidence that the intruder is using admin account names and passwords, then it's likely that they were obtained from an insecure source. The most likely suspect is any unencrypted communications channel (email, Telnet, yellow sticky notes, etc.). You must also consider the possibility of social engineering, careless information handling, and deliberate internal espionage.
I know that this isn't much help, but without knowing more details it's difficult to make an accurate guess.
-
RussS:
jdmurray has covered most of the methods of access, but I would like to add a couple that do quite often get overlooked.
Not knowing what your OS are, I would add that there is every possibility that you have been rooted. Many rootkits are virtually impossible to detect and often the only remedy is a clean install ..... oh fun, fun, fun.
As far as access - are there any modems in your infrastructure? I recently came across a multifunction unit that was being used as a fax/scanner. On the machine it was installed on to run the scanner software, the printer/copier people also installed the fax software by mistake (I say total carelessness). Anyways, our client had a few weird things happening on this machine and wanted it sorted ASAP. As I was busy doing a network migration I offered to visit the site later in the evening. While I was there (about 10:30pm) the fax unit started ringing and I figured it was receiving a fax, but after 5 minutes when nothing had come out of the machine I got kind of interested, as it appeared that it was still connected. After a bit of investigation I found that someone was dialling in and taking control of the workstation. Network forensics found a stash of warez hidden on one of the file servers and I am guessing the person was considering using the network as a warez site once it was set up correctly. Further investigation showed the firewall logs had been altered. Needless to say this network was shut down and thoroughly investigated prior to going back online.
www.supercross.com
FIM website of the year 2007
-
keatron:
How many of you have the admin passwords? There's always the possibility of a human leak. You said you ruled out keyloggers? What was your methodology for ruling them out? Most people mistakenly think keylogger = hardware keylogger. This is not the case. There are literally hundreds if not thousands of software keyloggers floating around. And to be honest with you, writing or modifying code to record keystrokes is definitely not an intense undertaking.
You really need to go ahead and do a forensics investigation, because otherwise you might be spinning wheels for a while. If you don't have the skills or resources to effectively carry out a solid forensics investigation, go ahead and hire an expert to do it. It's not cheap, but at this point it's probably worth it.
You'll need to get good memory ****, and good images of the partitions. These things won't be nearly as effective now, as you guys have probably performed many restarts and destroyed most of the real tangible information. But what it will do is help you find out what the hell is going on. Which in turn will allow intelligent decision making as far as actions and response go.
Good luck, and make sure you let us all know what happens in the end.
-
jmc724:
We have a team of 15 admins, all have different usernames and passwords, our infrastructure is relatively large, we have 8 ADs for user accounts, authentication etc. It's a cooperative effort on the security team. I don't think they will get an expert, but you never know.
What next?
-
Chivalry1:
I would begin looking on that network for rogue computers. These computers could be capturing packages and analyzing them for passwords. After that I would begin looking for internal admin or social engineering.
"The recipe for perpetual ignorance is: be satisfied with your opinions and content with your knowledge." Elbert Hubbard (1856 - 1915)
-
beefy:
If I were you, I wouldn't have him charged; I'd give him a job on your security team.
-
2lazybutsmart:
jmc724 wrote: My username and password were breached Wed.; except for my wife, no one would ever know of the password I would use in the form of aaNaNaaaS.
a = alpha
N = numeric
S = special character
At least something like this is a good start for a person who can carry out effective social engineering.
If, as you say, this is a government agency, there most certainly are people out there who might have a very good reason to get on your system. And the most insignificant piece of information that leaves the lips of one of your 15 admins might just happen to be the intruder's most valuable tool.
I'm not a security man, but at least there are a few basics I know to keep my friends and colleagues off my laptop.
2lbs.
Exquisite as a lily, illustrious as a full moon,
Magnanimous as the ocean, persistent as time.
-
Opi:
Could be that the hacker doesn't even know it's an important server. Maybe there is a service on your server that could be exploited and showed up in a mass scan. Maybe the hacker has other plans for your server...
I would look at some vulnerability mailing lists etc., to see if there was a new vuln. in a service that you may be running. These are wild guesses though.
Try to look for traces where the hacker could have made a misstep: antivirus scanning, spyware, firewall logs, computer logs... start digging!
If you don't have the knowledge to do the forensics, hire someone, swallow your pride, move on! From this point you need to make sure your leak is fixed!!
Hope you find your security leak soon.
-
yang11:
Hey, this topic is really interesting.
Do you have any smart card implementation?
What if you disable the hacked account and see what's showing up in the security logs?
Keep us posted..
-
Sie:
Have you checked for connections out of your network?
Most people check connections inwards, but if the hacker has got in and then dialled out from your network to his own computer, then these logs need checking too.
Does your network run any other remote access apps, i.e. DameWare, pcAnywhere etc.?
Foolproof systems don't take into account the ingenuity of fools
-
paige1:
Whoever is doing this knows the system very, very well in order to breach passwords as soon as they are created/changed. The only thing that gives up that kind of info is keyloggers. One would have to have access to real-time information, short of social engineering. Also, they seem to be breaching these passwords and accounts simply because they can. Nothing else on the system seems to interest them. Why would someone let it be known that they have the power to continually breach passwords and accounts?
Self-confidence is the first requisite to great undertakings. Samuel Johnson
-
garv221:
Current IT employee, ex-IT employee or forgotten administrative account. Get a trial of "WildPackets" and look at your network traffic.
-
RussS:
So jmc724 - what is the current status of this issue?
www.supercross.com
FIM website of the year 2007
-
ubergeek:
Seems pretty interesting; were you able to trace the source of the attack? As keatron, jdmurray and RussS have said, all are possible ways of gaining access to your system. For your VPN connection, are you using PFS for phase 2? Take into consideration that the "hacker" might also have penetrated your VPN, or he/she might have compromised your SKEYID.
Rootkits are also one point of concern; I would recommend creating a "honey pot" and doing a regular check of your registry hive. One good tool to check your registry is "Process Explorer"; this will track any registry key, including services added to the rogue machine. Social engineering is also another factor to look into. There is a possibility that the one making the attacks is still employed but frustrated with his job.
Do a packet capture from the firewall or from the box, maintain a regular syslog service for the firewall, and if you have IDS or IPS on your infra, implement a "critical" type of signature for the time being until you find the culprit. For the time being implement strict access-lists on your network; if you are using Cisco routers, implement context-based access control on the router.
Thank you for calling Cisco Technical Assistance Center.. This is Edward, how may I help you?
-
Judd:
After exhausting all possible efforts, because it seems like this person is a pro, locate the point at which the activity first happened. Go back 24 hours from that time and restore from backup.
You said there was no interest in the data, right, just hacking for the sake of it. If he/she installed a software keylogger, that's the only way besides a complete restore from scratch.
Notify key personnel via telephone or some voice communication to save all important data locally; don't email them this because the keylogger would pick it up, and maybe the hacker would do more nasty tricks.
Then suck it up and restore from backup. I agree that the time to have a forensics team would have been at first sight of the activity. Now is the time to save as much of your information systems as possible.