Guys,
All routers are secured and there is no IDS logging turned
on. As with NT security Logging, the major issue is I believe the individual
that instigated the attack was within the company and that he knew the access
passwords to come into the system as an authorised personnel. I believe the
individual is currently still working for this company and is launching his
attacks randomly. I wanted to know if there is a good way of catching the
person/workstation/IP/anything that would point to the direction of who possibly
might be the culprit behind these attacks.
The problem is because there are a number of Interstate
sites and all sites are private and do not have a public address on any server,
thus I believe it is done internally. Also when I was onsite looking at the
server, it started to do a typical NT "restart" on me right before my eyes. I
can see that the server was shutting down all its services and I even saw the
Restart button for a split second before it completely rebooted. This occurred in
succession on 3 NT Servers with around 2-3 minutes time difference. The
incident went on 3 times on each server consecutively.
Can you guys suggest the best and optimal way to catch the
culprit? (Hopefully with minimal costs incurred from IDS or any other tools to
do so.). I believe the individual will strike again and I believe even if the
passwords were changed, the individual is a person with authority to obtain the
passwords anyway (they would be given that Admin password as I believe this was
done by one of the IT staff internally - just do not know who it might be and
from which state).
Please advise as this is something foreign to me, comes
across as some James Bond stuff in IT. Thanks for any suggestions, as I have
been given the ok and mandate to do something or recommend something to get to
the bottom of this from the Managers. Please advise and thanks in advance.
-----Original Message-----
From: Joe Vasquez [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 10:25 AM
To: David Ng; [EMAIL PROTECTED]
Subject: RE: Please assist, tracking or IDS options.

Do you have a firewall, router or IDS with logging turned on?
Do you have security logging turned on in your NT server and any workstations on your network?
You may want to mention what security solutions you have in place.

Joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of David Ng
Sent: Tuesday, October 23, 2001 5:14 PM
To: [EMAIL PROTECTED]
Subject: Please assist, tracking or IDS options.
Importance: High

Dear all,

We have an NT network that was hit the other day, in the sense that it was remotely shut down by an individual somehow. The person might have the passwords and also sound technical expertise in remote utilities. Is there a way for me to trace where the traffic was coming from that day and what IP address? Also, is there a way to automatically capture the screen if it was remotely controlled?

Please advise, thanks in advance.

Sincerely,
David Ng
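As an added illustration of the log-correlation approach Joe's questions point at (example code, not from anyone in the thread): assuming logon auditing was enabled on the NT servers and each server's Security and System logs were exported into a constructed tab-separated form, the script pairs every shutdown marker with the network logons recorded on that server just before it and reports which account and workstation recur across all three servers. Event 528 (successful logon, with Logon Type 3 meaning a network logon) and 6006 (event log service stopped at shutdown) are standard NT event IDs; the host names, accounts and timestamps below are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta
import re

# Constructed sample export (not real data): host, log, time, event id, details.
# 528 = NT successful logon (Logon Type 3 = network); 6006 = event log service
# stopped, which NT writes as the machine shuts down.
SAMPLE_EXPORT = """\
SRV1\tSecurity\t2001-10-22 14:01:05\t528\tUser Name: alice Domain: CORP Logon Type: 3 Workstation Name: WS-FINANCE
SRV1\tSecurity\t2001-10-22 14:02:40\t528\tUser Name: svc_backup Domain: CORP Logon Type: 5 Workstation Name: SRV1
SRV1\tSystem\t2001-10-22 14:03:10\t6006\tThe Event log service was stopped.
SRV2\tSecurity\t2001-10-22 14:04:30\t528\tUser Name: alice Domain: CORP Logon Type: 3 Workstation Name: WS-FINANCE
SRV2\tSystem\t2001-10-22 14:05:55\t6006\tThe Event log service was stopped.
SRV3\tSecurity\t2001-10-22 13:10:00\t528\tUser Name: bob Domain: CORP Logon Type: 3 Workstation Name: WS-HELPDESK
SRV3\tSecurity\t2001-10-22 14:07:12\t528\tUser Name: alice Domain: CORP Logon Type: 3 Workstation Name: WS-FINANCE
SRV3\tSystem\t2001-10-22 14:08:40\t6006\tThe Event log service was stopped.
"""

LOGON_RE = re.compile(r"User Name: (\S+) Domain: (\S+) Logon Type: (\d+) Workstation Name: (\S+)")

def parse_export(text):
    """Return (host, log, datetime, event_id, details) tuples from the export."""
    rows = []
    for line in text.splitlines():
        host, log, ts, eid, details = line.split("\t", 4)
        rows.append((host, log, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), details))
    return rows

def shutdown_suspects(rows, window_minutes=5):
    """For each shutdown marker, list network logons to that host in the preceding window.
    Returns (host, shutdown_time, DOMAIN\\user, workstation); non-network logon types are skipped."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for host, log, when, eid, _ in rows:
        if log != "System" or eid != 6006:
            continue
        for h2, l2, t2, e2, d2 in rows:
            if h2 != host or l2 != "Security" or e2 != 528 or not (when - window <= t2 <= when):
                continue
            m = LOGON_RE.search(d2)
            if m and m.group(3) == "3":  # only logons that came in over the network can name a remote origin
                hits.append((host, when, f"{m.group(2)}\\{m.group(1)}", m.group(4)))
    return hits

def rank_sources(hits):
    """Rank (account, workstation) pairs by how many distinct servers they preceded."""
    seen = {(acct, ws, host) for host, _, acct, ws in hits}
    return Counter((acct, ws) for acct, ws, _ in seen).most_common()
```

Running `rank_sources(shutdown_suspects(parse_export(SAMPLE_EXPORT)))` on the constructed lines ranks one account/workstation pair as preceding all three reboots, while the service logon and the hour-old logon are left out.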
