On Sat, 7 Jun 2003, James Blackburn wrote:
> Brian,
>
> Many thanks for your response.
>
> > You could possibly poll the system for this information or you could
> > enable logging for these events and generate an alert when they occur.
>
> What we've actually got is a campus network with 700 users. The admins
> work 9-5 Mon-Fri, out of these times the network becomes "0wn3d" by
> "3133t hax0rs"... The Windows event logs keep getting wiped, and
> anything server side has been compromised. Passwords I think are
> grabbed by arp spoofing high level computers with Cain & Abel? (or
> similar) -- or indeed one of the servers has been trojaned.

If anything like this is recurring, your systems are hosed and should
be considered a real hazard.
You should kick out everything you have and retake control. At present you
seem to be relying on these machines without a full security sweep.

Hugo.
--
All email sent to me is bound to the rules described on my homepage.
[EMAIL PROTECTED] http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.