Our lead programmer's PC was hacked into sometime over the weekend and the local user account was deleted along with all his documents and everything for the site that he had been working on.
This is a strange one. We're not yet sure how this person got into the machine.
The PC is not on the domain, but rather on a solo workgroup.
Apparently someone physically accessed his PC, b/c someone unlocked his PC, then deleted his account and then logged off or rebooted, b/c they apparently left it at the log-in screen with Administrator showing as the last person who logged in. (He uses his own account, not admin, and we don't have his admin password b/c he changes it himself monthly.)
I thought there would have been an event of some sort in the event viewer, but no events of any type were logged over the weekend. No strange services or VNC stuff running. No spyware. Clean as a whistle.. as if someone knew exactly how to log into the PC without the password, then delete the account and vanish without a trace.
We have ERD Commander and have the ability to reset ANY password for a local account, but nobody in the building has access to ERD except us.
It all sounds really fishy.. one of the other guys is doing some detective work to find out more info, just thought I'd post to see if anyone out there knows of a way that this person might have gotten into the PC.. It's running Windows 2000 Pro SP3.
TIA
"Nobody's invincible, no plan is foolproof, We all must meet our moment of truth." - Guru
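One thing worth doing before concluding the weekend was silent is to pull the Security log export and look at it mechanically: account-management events, audit-log clearing, and the size of the gap between the last event before the weekend and the first one after it. The script below is an added example written for this thread, not code from any poster; it runs over a constructed Event Viewer CSV export (the sample rows, the machine name DEVBOX and the user jdev are made up) and uses the pre-Vista Security log event IDs (630 user account deleted, 517 audit log cleared, and so on).

```python
"""Triage an exported Windows 2000/XP Security log (Event Viewer 'Save as' CSV):
list account-management / audit-tampering events and any long silent gaps."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Security-log event IDs used by Windows 2000 / XP / 2003 (pre-Vista numbering)
WATCHED = {
    517: "audit log cleared",
    612: "audit policy changed",
    624: "user account created",
    630: "user account deleted",
    642: "user account changed",
}

# Constructed sample of an Event Viewer CSV export; not a real log.
# A Friday logon/logoff, then nothing until Monday, when Administrator logs on,
# deletes an account and clears the audit log.
SAMPLE_EXPORT = """\
Date,Time,Type,Source,Category,Event,User,Computer
05/16/2003,08:02:11,Success Audit,Security,Logon/Logoff,528,DEVBOX\\jdev,DEVBOX
05/16/2003,17:05:40,Success Audit,Security,Logon/Logoff,538,DEVBOX\\jdev,DEVBOX
05/19/2003,08:10:03,Success Audit,Security,Logon/Logoff,528,DEVBOX\\Administrator,DEVBOX
05/19/2003,08:12:30,Success Audit,Security,Account Management,630,DEVBOX\\Administrator,DEVBOX
05/19/2003,08:13:05,Success Audit,Security,System Event,517,DEVBOX\\Administrator,DEVBOX
"""


def parse_export(text):
    """Parse the CSV export into a time-sorted list of event dicts."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %H:%M:%S")
        events.append({
            "ts": ts,
            "id": int(row["Event"]),
            "user": row["User"],
            "category": row["Category"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def watched_events(events):
    """Return (timestamp, id, description, user) for every event ID in WATCHED."""
    return [
        (e["ts"].isoformat(sep=" "), e["id"], WATCHED[e["id"]], e["user"])
        for e in events
        if e["id"] in WATCHED
    ]


def silent_gaps(events, longer_than=timedelta(hours=24)):
    """Return (start, end, delta) for each stretch with no events at all
    longer than `longer_than`; a long gap on a machine that was demonstrably
    touched during it means the log is incomplete, not that nothing happened."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        delta = cur["ts"] - prev["ts"]
        if delta > longer_than:
            gaps.append((prev["ts"], cur["ts"], delta))
    return gaps


def triage(text):
    """Full report: watched events plus silent gaps, as a dict."""
    events = parse_export(text)
    return {"watched": watched_events(events), "gaps": silent_gaps(events)}


if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT)
    for ts, event_id, what, user in report["watched"]:
        print(f"{ts}  {event_id}  {what:<24} {user}")
    for start, end, delta in report["gaps"]:
        print(f"no events between {start} and {end} ({delta})")
```

Caveat a practitioner would check first: on a Windows 2000 Professional box the default audit policy logs nothing, so unless "Audit account management" and logon auditing were enabled in the local security policy beforehand there is no 630 to find, and an empty weekend proves nothing either way. A boot from removable media also runs outside the installed OS, so nothing it does is written to that OS's event log.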
If the intruder had physical access and the ability to access the bios that is all he needs to access any piece of information on the system believe it or not.
http://www.computerglitch.net
"I'm doing a (free) operating system (just a hobby, won't be big and professional...) for AT clones... It's not portable and it probably [won't ever] support anything other than AT hard disks, as thats all I have :-(." --Posted on Usenet August 1991 by Linus Torvalds
curiosity builds security | dd if=/dev/zero of=/dev/hda bs=512 count=100
EOF
Originally posted by greEd
If the intruder had physical access and the ability to access the bios that is all he needs to access any piece of information on the system believe it or not.
yeah I suppose.. they may have had a boot disk of sorts or a special BIOS tool. However, as we find more info on this we have noticed that the power-on password & BIOS password were still intact and unchanged, which means they got around that as well somehow..
You can log on to and access a win2k workstation with a tweaked win2k cdrom, w/ full admin privileges.
No one has any right to force data on you
and command you to believe it or else.
If it is not true for you, it isn't true.
LRH
Originally posted by TonyT
You can log on to and access a win2k workstation with a tweaked win2k cdrom, w/ full admin privileges.
I read about that a while ago. Have you got a link for that method Tony?
I think I was mistaken, it's XP that can be exploited.
Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console. The intruder has Administrator privileges even if he or she does not provide a password, and can also assume the identity of any other user of the machine.
Originally posted by TonyT
I think I was mistaken, it's XP that can be exploited.
Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console. The intruder has Administrator privileges even if he or she does not provide a password, and can also assume the identity of any other user of the machine.
I've heard of this as well.
Anyone fired recently, or otherwise disgruntled employees still around?
MORNING WOOD Lumber Company
Guinness for Strength!!!
Do you use SMS or any other type of remote-installation package? Something similar happened to my laptop. Woke up one morning and only got the old, generic login screen and Administrator as the last login.
Turns out that they (my corp helpdesk) had scheduled me for an 'upgrade' of some package on my box. Once I booted to Admin I was able to restore my previous profile/accounts.
anything is possible - nothing is free
Originally posted by YeOldeStonecat
Anyone fired recently, or otherwise disgruntled employees still around?
<<<<zips lips>>>>
Originally posted by cyberskye
Do you use SMS or any other type of remote-installation package?
nope.. but the recovery console may have been their way of entry. Wouldn't take much for someone to bring in a CD from home. The whole thing stinks of internal betrayal...
but the recovery console may have been their way of entry
Wouldn't that require a reboot? The BIOS lock is still intact?
hmm.....I think YOSC is on to something. Maybe he should have his own 80's style cop TV show.
TJ StoneCat?
YeOld Stoned Hooker?
There is definitely something fishy going down.. They won't even let me recover the deleted data.. My boss says not to worry, he's just going to have everyone in the web development team power down when they are not at their PCs and use power-on passwords.
If that's what they think is the solution then I say good luck to them. Don't come crying to me when it continues, b/c that's what will happen if they don't figure out who the culprit is. I know it's not me, but I'm sure curious to find out who. It's too easy to open up these machines and reset the password, and whoever is doing this is likely to be smart enough to know that. Like many other things that go on around here, they never learn any lessons until the damage is at its greatest..
btw, yes, I'm looking for another job. This place pays really well and I'm probably going to have a very hard time finding this kind of pay with such an awesome schedule elsewhere, but there is absolutely no stability and lots of executive-level backstabbing going on, and I have a feeling it may be better to jump ship rather than sink with it. Unfortunately, my wife and I are at a time where we can't afford to take any financial hits, which makes my entire job situation very delicate... All of us in the tech dept are sorta in the same boat. It's very frustrating b/c if all this wasn't going on this job would rock.
I have seen some pretty crazy things on some sites I have arrived at.
You say the system was broken into, correct?
Check the IDE cables for any sign that they have been tampered with (dust cleared off when you know the case hasn't been opened in a long time, things like this). Once he/she has access to the system, why bother trying to bypass anything? ... simply unplug the drive, case it on your laptop, replace ... and walk away whistling Dixie. I have seen it done (and have done it) in less than a minute.
My boss says not to worry, he's just going to have everyone in the web development team power down when they are not at their PCs and use power-on passwords.
Obscurity as Security is bad.
Originally posted by cyberskye
TJ StoneCat?
YeOld Stoned Hooker?
LOL...William Shatner, Adrian Zmed, and who was the blonde?
You know that system erase utility Compaq has on their SmartStart CDs? Boot from it... totally erase your system, including the RAID tag files on each hard drive (what are they called, "ris" files?).
Couple of years ago, I remember this quick boom .COM place that ran an online ordering site, fired the IT guy, well, that was his revenge.
Oh yeah, the backup hadn't been doing well for a while either.
Originally posted by koldchillah
Like many other things that go on around here, they never learn any lessons until the damage is at its greatest..
my place is like this too. we package refrigerated items for chemo treatment and other things and our main cooler hasn't been working right for 2 months. told management and they didn't see the problem until yesterday when we ran out of ice. 50 degree ice packs don't count as refrigerated.
i understand how you feel towards your boss/bosses.