- Windows 2000 server being hacked.
- Posted by junkmail on June 20th, 2006
I need to know if there is an app out there that will allow me to track all
movements of remote users who connect to my server. I got me a hacker who
has now come in to the server 3 times, and started renaming files and links.
I have no idea how he is getting in, and want to close whatever door he is
using to get in.
Any tips and advice will be of great help.
Plus, I need to see what shares are running on my PC. Is there a way I can
check this out too, so I can close those off, including the IPC$ hidden
share?
- Posted by Rick Merrill on June 20th, 2006
junkmail wrote:
He/she is probably getting in through your Administrator account: you're
running a server of some sort (e.g. FTP).
Make sure ALL your passwords contain unique letters AND numerals.
- Posted by Todd H. on June 20th, 2006
"junkmail" <junk.mail@imjunk.com> writes:
Do you wanna play Sherlock Holmes, or do you want to fix the issue?
If the latter: Unplug the machine from the net, format, and reinstall
from original media. Apply all updates from behind a firewall.
Recreate user accounts with all new passwords.
Best Regards,
--
Todd H.
http://www.toddh.net/
- Posted by junkmail on June 20th, 2006
I hate to say this, but I have done this 2 times now.
Not only that, I usually change the password once a week. This has not
stopped him. He was back again last night. Grrrr...
"Todd H." <comphelp@toddh.net> wrote in message
news:841wtjyjx9.fsf@ripco.com...
- Posted by junkmail on June 20th, 2006
Here are the steps I took so far.
1. Click on 'Start' button, then 'Settings', then 'Control
Panel' option.
2. Double click on the 'Administrative Tools' icon - see new window.
3. Click 'Computer Management' icon - see Computer Management program.
4. Click on the + box next to 'Shared Folders' icon on the left.
5. Click on the 'Shares' option - see list of shares - the C$, D$ and Admin$
shares are standard and should be OK.
6. Double click on one of the listed shares - see the '(folder name)
Properties' dialog.
7. Click on the 'Sharing Permissions' tab - see list of permitted users.
8. Removed all shares (was notified they will return on reboot though). I
will see if this stops him.
Had a lot of shares open.
"junkmail" <junk.mail@imjunk.com> wrote in message
news:GARlg.8455$lf4.7165@newsread1.news.pas.earthlink.net...
- Posted by Borked Pseudo Mailed on June 20th, 2006
"junkmail" <junk.mail@imjunk.com> wrote:
If he's getting in, then there's no software in the world that will
help you. If he has access he can stop that software, edit its logs, or
whatever.
You need to do two things:
1. Immediately nuke the server installation and rebuild it from scratch.
God knows what's been changed. You can't trust even the simplest of
commands or most harmless appearing software now.
2. Use your router/gateway or some other "off machine" method to do your
logging and sniffing so the intruder has no opportunity to erase his
tracks.
- Posted by Rick Merrill on June 21st, 2006
get a freaking router!
- Posted by Sebastian Gottschalk on June 21st, 2006
Rick Merrill wrote:
Why? He doesn't need any routing.
- Posted by moncho on June 21st, 2006
Just guessing, but it sounds like a possible inside job.
Could also be a backdoor in 3rd party software.
moncho
"junkmail" <junk.mail@imjunk.com> wrote in message
news:6Ylg.8641$o4.4256@newsread2.news.pas.earthlink.net...
- Posted by Todd H. on June 21st, 2006
"junkmail" <junk.mail@imjunk.com> writes:
Got any budget money? Get an incident management professional in
there to find out what the hell is going on.
What's the network architecture, how many folks have LAN access to get
to the ports on the win box? There's a lot of 0day out there that was
just recently fixed, and perhaps more that hasn't.
You may want to look into implementing a network based intrusion
detection system (nIDS) like snort (snort.org) at your network border
that might give you a clue as to where this may be coming from. If
the threat is from inside the firewall, some host based IDS may be in
order, but if the individual is quickly rooting your server, that host
based IDS will be disabled in short order.
Have you reviewed the logs on the server to try to construct a
timeline? What are the symptoms that have led you to the "hacked"
conclusion?
SEC504: Hacker Techniques, Exploits & Incident Handling (GCIH)
http://sans.org/
might be a timely course as well.
--
Todd H.
http://www.toddh.net/
- Posted by junkmail on June 21st, 2006
OK, here is what I did: I locked down the server, set up a keylogger, and ran a
bootstrap logger.
I left, and when I came back, I found out it was an inside job.
My 9 and 10 year olds. They were on the net, found a Windows recovery CD
that can be burnt to CD and booted via Linux. From there they rebooted my
server using the CD, and then created admin accounts. From there, they
logged in with that, renamed everything and then logged out. From there they
rebooted the system and deleted the admin logs and normal logs.
When I discovered this, I confronted them, and they laughed and said, "Aww
man, we got busted."
Problem solved. They are grounded, and no more computers for a month.
Thanks to the guy who smelled the inside job. That was it.
Just to let you know, I had 2 routers, 3 firewalls, and an anti-ICMP ping
filter. So I was flabbergasted as to how they were getting in.
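Todd H. asked for a timeline from the server logs and Borked Pseudo Mailed for logging that lives off the machine; the example below (added here, not from any poster) shows why both matter for an incident like this one: it merges an off-box copy of the Security log with what is left on the host, flags account creation, group changes and log clearing, and lists the records the host no longer has. The log lines are constructed, the CSV-like layout is an assumption, and the event ID meanings are the classic Windows 2000 ones (624, 636, 517) as this example assumes them.

```python
"""Timeline and tamper check over Windows 2000 Security-log exports (added example)."""
from datetime import datetime

# Windows 2000 Security log event IDs as this example assumes them.
SUSPECT_IDS = {
    624: "user account created",
    636: "member added to local group",
    517: "audit log cleared",
}

# Constructed sample: records as forwarded to an off-box collector before tampering.
OFFBOX_LOG = """\
2006-06-20 22:10:03,528,administrator,Successful logon (type 2)
2006-06-20 22:11:45,624,administrator,New account: newadmin
2006-06-20 22:12:02,636,administrator,newadmin added to Administrators
2006-06-20 22:13:30,528,newadmin,Successful logon (type 2)
"""

# Constructed sample: what is left on the host after the log was cleared and a reboot.
ONBOX_LOG = """\
2006-06-20 23:05:11,517,newadmin,The audit log was cleared
2006-06-20 23:06:00,528,administrator,Successful logon (type 2)
"""


def parse(log):
    """Parse 'date time,event_id,account,detail' lines into sortable tuples."""
    events = []
    for line in log.splitlines():
        when, eid, account, detail = line.split(",", 3)
        events.append((datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), int(eid), account, detail))
    return events


def flag(events):
    """Events a responder should chase first: account/group changes and log clearing."""
    return [(t, SUSPECT_IDS[eid], account, detail)
            for t, eid, account, detail in events if eid in SUSPECT_IDS]


def erased_on_host(offbox, onbox):
    """Records the collector holds but the host no longer does: the erased tracks."""
    return sorted(set(offbox) - set(onbox))


def timeline(offbox, onbox):
    """Merged, ordered view from both sources, each line marked if it is suspect."""
    merged = sorted(set(offbox) | set(onbox))
    return ["%s  %-4d %-28s %s" % (t, eid, SUSPECT_IDS.get(eid, ""), detail)
            for t, eid, _, detail in merged]
```

Run against a real export, the same comparison is only possible because the collector copy sits where the intruder (or the kids) could not reach it.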
- Posted by moncho on June 22nd, 2006
"junkmail" <junk.mail@imjunk.com> wrote in message
news:B7hmg.9284$lp.1435@newsread3.news.pas.earthlink.net...
Dude, I feel for ya.
You were easier on them than I would have been.
I would have broken them in multiple pieces :-}
It all depends on whether there is important data that was getting sent
somewhere.
I will admit though, they gave you a perfect reason for a disaster recovery
plan.
Glad you found the problem.
late
moncho
- Posted by Rick Merrill on June 23rd, 2006
Sebastian Gottschalk wrote:
A router closes the ports that are not being used - which is one way
that hackers get access to your computer.
- Posted by Sebastian Gottschalk on June 23rd, 2006
Rick Merrill wrote:
Utter nonsense.
Even more bullshit.
And why should someone use a router for such a job?
- Posted by junkmail on June 23rd, 2006
"Sebastian Gottschalk" <seppi@seppig.de> wrote in message
news:4g2s4nF1k7bdkU1@news.dfncis.de...
That is true, but!! You can use a router to port forward, like outside port
80 to inside port 67450 etc.
But closing ports via a router can't happen. Firewalls close ports, not
routers.
A router does not stop or even slow down hackers.
A firewall will slow them down, but not stop a determined hacker.
- Posted by Sebastian Gottschalk on June 23rd, 2006
junkmail wrote:
Firewalls don't close ports either. They restrict port access. Ports are
closed by deactivating the service or the client. Better re-read RFC 793.
Hm... a serious firewall will reliably deny outside access to an inside
service. If that's the only way of compromise, you really made it there.
Anyway, denying access to accidentally misconfigured services can also
be done by a simple packet filter on the host itself. No need for putting
any additional device there.
- Posted by Rick Merrill on June 24th, 2006
Sebastian Gottschalk wrote:
You do not know what you are talking about. Ploink!
- Posted by Sebastian Gottschalk on June 24th, 2006
Rick Merrill wrote:
Ha ha ha.
It's no disgrace to be ignored by an idiot. :-)