gaining access to a server

blue4ever · 12-12-2006 4:29pm #1

Can anyone make any suggestions
Am dealing with a little sensitive issue. I work in a relatively small company and I think that someone may be gaining access to a server that they shouldn’t be. There are obviously two problems – they can get access and what to do next in terms of ‘policy’ (what we do etc from here)

Anyone suggest a company that could give me a dig out?

arseagon · 12-12-2006 4:51pm

First things first, change the passwords on the server in question. There's no point in having sensitive data on open or poorly passworded shares and then wondering why people are able to access it.

Second, do you want to confront the people accessing the data? If so be very sure of your facts before you do. confrontations with staff can turn nasty if not done properly. Basically you're going to need proof and that can't always be the easiest to get if the person knows how to cover their tracks.

Capt'n Midnight · 12-12-2006 9:52pm

check with HR to see what people have signed

what OS ?

if windows turn on auditing on the folders in question
also tighten up logon hours

use cacls to get a list of who is allowed see what, and to lock down permissions - talk to the data owner - let them decide who should see data or not.

if you suspect they are using another users password or pc it gets difficult

Static M.e. · 13-12-2006 10:19am

If your looking for a company to create a server policy, access policy and lock down your server. Try RITS Ireland, very nice helpfull people they can walk you though the whole process.

It will cost you though.

You could of course just enable Auditing on your important folders and see who is logging on / off and accessing different files and folders.

Sorry just reread Capt'n Midnights post, what he said

scojones · 13-12-2006 3:54pm

Firstly, check to see what services are running on the machine. Take note of the versions and check for existing vulnerabilities and exploits. Then check who is logged in now, is everyone that is logged in supposed to be? Check who has a remote session to the machine. Check the logs (/var/log/ on Linux/Unix) for anything suspicious. Confirm that the likes of ps, w, ls, et al are all reporting proper results. Check all the accounts on the system, make sure nobody has given themselves super user privs. Change all the passwords, make sure no unauthorised services are running. Ensure nothing has been backdoored (ssh for example). Do a search on the local HDD for files with the +s bit assigned and verify that none of these are hidden little root shells. There's hundreds of things you can do. If you're running a web server, check the web server logs and ensure that all cgi scripts are safe, i.e do not allow command execution.

blue4ever · 15-12-2006 12:05pm

thanks very much all

No - Whilst there is indeed a need to review policy, completely, I think that we are 'closing the stable door....'

We are nearly 100% that an individual has been messing around and possible copied a file or two. What I need now is someone to go in and trace this – giving us proof sufficient to reprimand or stronger that person. Where do I start – I obviously want this hus hush and (unfortunately!) cheap

Static M.e. · 15-12-2006 12:49pm

We are nearly 100% that an individual has been messing around and possible copied a file or two. What I need now is someone to go in and trace this – giving us proof sufficient to reprimand or stronger that person. Where do I start – I obviously want this hus hush and (unfortunately!) cheap

Unfortunatly they dont go hand in hand. You are now looking for Forensics to be carried out on your server. This can be a costly and time consuming process espically if you plan to use this as evidence.

I would contact Espion (www.espion.ie) they seem to do quite alot of forensic work, you can get a quote either way and then decide.

Capt'n Midnight · 15-12-2006 7:44pm

use forensics on the destination, "whats this file doing in your recycle bin, eh ?"

ideally you could boot up with a live CD and backup the entire hard drive, clone it , but not using ghost or partimage as they only backup sectors with files in them, and then search it

you could also check/setup printer logs

Cake Fiend · 15-12-2006 8:16pm

Capt'n Midnight wrote:

use forensics on the destination, "whats this file doing in your recycle bin, eh ?"

Probably the best plan here, seeing as there was probably not much logging going on before/during the act.

hmmm · 15-12-2006 9:40pm

Forget about technology for a minute - firstly decide whether on the basis of this you will want to take disciplinary action. If you do, then I would advise you get some expert advice or you may find yourself up in front of a tribunal or a court if the employee decides to challenge you. Some companies have been mentioned in this thread and won't cost you an arm and a leg for advice - for them to do forensics may be a different matter

gaining access to a server

Comments