Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Jorge Roxo (j.roxosotagus.pt)
Date: Tue Feb 05 2002 - 11:00:39 CST
From what you have described I think it is unlikely that this is an
external (non-employee) attack. One, the person would have to
guess your tel number unless it is published. Failing that they
would have to try war dialling, very old school and with fewer results
than your usual net-based exploit. If someone had achieved
this, do you think they are going to create a user with a roaming
profile? So they can keep their settings!???
>> Hmm, most likely not. Too much trouble really and nothing showing.
Do you audit your machines / logons etc.? How many times has
the account been used? When was it created? Have any of the
security logs been cleared?
>>The machine activity in the network is fully logged, i.e., nothing
happens on our network without us knowing about it at IT. The user
account was used only twice, with 5 minutes' difference. The firewall
installed on the local machine is Zone Alarm (testing it as of a week
ago, since we plan to purchase some licences) and was set up to maximum
security; also it is the latest version available for download.
>>No security logs have been cleared and the weird thing (I suspect a
log is edited...) is that they show nothing. It was created last night
(04/02/2002) during night hours (more or less 2 to 4 am local time).
Is it possible that an ex-employee created the account before
leaving and has since used it via PCanywhere (as he knows
the settings, phone# / password etc.)?
>>Absolutely impossible, since the only three people that know that
number are the current IT staff members and a Software provider of ours.
Since we both know that we didn't do it, and we don't believe that our
software provider would do anything of the kind, we must stick to the
idea of an external job.
Is it the PCanywhere box that is the problem? Is it networked?
You mention it is a member of a domain.
>>It is networked, and it's not the machine itself but rather the other
machines of that particular domain that contain sensitive information.
Could a laptop which connects to the net externally (from home etc) get
infected / compromised and then it is brought into the office
and onto the network?
>>I don't think a laptop could get hit by this. We did find an attempt
to load a trojan into the system; more to the point, we did find a
partially wiped file that seems to be a BO2K type of trojan. However our
AV got to it before it could be run, and deleted it (not completely,
since data restore software found traces of it).
>>One thing I have done is to check that line's logging, since we have
digital phones which are connected to a central, and the central showed a
connection attempt or data call received (2 of them as a matter of fact,
from a particular phone number) to that number as well as all the
others that belong to the company, including fax numbers. The number
seems to belong to a free internet access ISP; we have tried to contact
them to see who was using a certain group of IPs we believe may belong
to the attacker.
>> My main concern now is to plug this hole (closed the modem down but
I'll need to leave it open again soon, since VPN is not a possibility
for us due to line and ISP problems) and determine how far we
actually got compromised. It would seem it did not go very far but I'm
very worried nonetheless.
>>Any ideas on how to go about it will be extremely welcome.
>> BTW many thanks to you all for the help you have provided so far.
TCSA/Sotagus Computer Systems Administrator
This e-mail is confidential and privileged. If you are not the intended
recipient please accept our apologies. Do not disclose, copy or
distribute information in this e-mail or take any action in reliance to
its contents, to do so is strictly prohibited and may be unlawful.
Please inform us that this message has gone astray before deleting it.
Thank you for your co-operation.
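The questions raised in the exchange above (when was the account created, how many times was it used and how far apart, was the audit log cleared) are the first things to pull out of the security log of the PCanywhere host and the domain controllers. The script below is an added example, not code from the thread or from either poster: it runs that triage over a constructed, tab-separated export of an NT/2000 security log (date, time, event ID, account, detail), using the standard Windows NT 4 / 2000 security event IDs 624 (user account created), 528 and 540 (successful and network logons) and 517 (audit log cleared). The export format and the log lines are assumptions made for the example; point it at a real export by changing `parse_log` to match the column layout you actually have.

```python
"""Triage an exported NT/2000 security log for an account created off-hours.

Added example, not part of the original thread. Assumes a constructed
tab-separated export (date, time, event id, account, detail) and the
Windows NT 4 / 2000 security event IDs listed below.
"""
from datetime import datetime, time

# Windows NT 4 / 2000 security log event IDs.
ACCOUNT_CREATED = 624       # "User Account Created"
LOGON_IDS = {528, 540}      # 528 successful logon, 540 network logon (Windows 2000)
AUDIT_LOG_CLEARED = 517     # "The audit log was cleared"

# Constructed sample export (not a real log): date, time, event id, account, detail.
SAMPLE_LOG = """\
2002-02-03\t17:55:01\t528\tjsmith\tLogon Type: 2
2002-02-04\t02:37:10\t624\tsupport1\tCaller User Name: Administrator
2002-02-04\t02:41:05\t528\tsupport1\tLogon Type: 2
2002-02-04\t02:46:19\t540\tsupport1\tLogon Type: 3
2002-02-04\t09:00:02\t528\tjsmith\tLogon Type: 2
"""


def parse_log(text):
    """Parse the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, event_id, account, detail = line.split("\t", 4)
        events.append({
            "when": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id),
            "account": account,
            "detail": detail,
        })
    return events


def in_window(when, start, end):
    """True if the clock time of `when` falls inside [start, end]."""
    return start <= when.time() <= end


def triage(events, start=time(2, 0), end=time(4, 0)):
    """For every account created inside the off-hours window, report when
    it was created and by whom, how many times it logged on, how many
    minutes separate its first and last logon, and whether anyone cleared
    the audit log (a 517 event is itself the first record of the new log)."""
    logons = {}
    for e in events:
        if e["id"] in LOGON_IDS:
            logons.setdefault(e["account"], []).append(e["when"])

    report = {}
    for e in events:
        if e["id"] != ACCOUNT_CREATED or not in_window(e["when"], start, end):
            continue
        times = sorted(logons.get(e["account"], []))
        span = (times[-1] - times[0]).total_seconds() / 60 if times else 0.0
        report[e["account"]] = {
            "created": e["when"],
            "created_by": e["detail"],
            "logon_count": len(times),
            "first_logon": times[0] if times else None,
            "logon_span_minutes": span,
        }

    cleared = [e["when"] for e in events if e["id"] == AUDIT_LOG_CLEARED]
    return report, cleared


if __name__ == "__main__":
    report, cleared = triage(parse_log(SAMPLE_LOG))
    for account, facts in report.items():
        print(account, facts)
    print("audit log cleared at:", cleared or "never")
```

The "created by" detail matters as much as the timestamp: a 624 event records the caller account that created the user, so an account created at 02:37 by Administrator narrows the question to who held that password and which host the call came from. If the log shows no 624 for the account at all, the record was removed rather than never written, which is worth more than the absence of a 517 event.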