Is there a way to see if someone added a user account to our Active
Directory that does not show in ADUC?

Re: Possible breach by Paul

Paul
Mon Dec 03 11:05:52 PST 2007

What do you mean doesn't show up in ADUC? If it is a user object within the
name space of AD domain it should show up (Unless of course someone modified
permissions on the object).

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.




Re: Possible breach by John

John
Mon Dec 03 11:18:02 PST 2007

That's what I am trying to find out. How can I check the permissions if the
object doesn't show? Saw a strange user named "sistem" and I immediately
deactivated that account, and changed the server password. I am looking to
see if there is any other unusual activity. Anything I should look for?




Re: Possible breach by Paul

Paul
Mon Dec 03 11:36:52 PST 2007

I would find it very unlikely that there is something that hidden if you are
logged on as the domain admin.

Just use the "Saved Queries" and create a query to return all users.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

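Paul's suggestion in script form, added here and not part of this thread: a subtree LDAP search from the domain root returns every user object regardless of which OU or container it sits in (ADUC hides containers such as System and LostAndFound until View > Advanced Features is turned on), and reading the owner of each object's security descriptor gives a first pass at the "someone modified permissions" case Paul raised. The $RecentDays parameter and its 30-day default are assumptions.

```powershell
# Added example, not from the thread. Enumerates every user object in the
# domain with a subtree LDAP query (the same filter ADUC's "Saved Queries"
# uses for users) and flags accounts created recently. Only needs
# System.DirectoryServices, so it runs on any domain-joined Windows host.
param(
    [int]$RecentDays = 30   # assumption: what counts as "recently created"
)

$defaultNC = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$searcher  = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$defaultNC"
$searcher.SearchScope = 'Subtree'
$searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize    = 1000   # paged search: all results, not just the first 1000
# Ask the DC to return the owner part of each object's security descriptor
$searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Owner
foreach ($a in 'sAMAccountName','distinguishedName','whenCreated',
              'userAccountControl','nTSecurityDescriptor') {
    [void]$searcher.PropertiesToLoad.Add($a)
}

$cutoff  = (Get-Date).AddDays(-$RecentDays)
$results = $searcher.FindAll()
$report  = foreach ($r in $results) {
    $p  = $r.Properties
    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor `
                     -ArgumentList ($p['ntsecuritydescriptor'][0], 0)
    $created = [datetime]$p['whencreated'][0]
    [pscustomobject]@{
        Account  = [string]$p['samaccountname'][0]
        Created  = $created
        Recent   = $created -gt $cutoff
        # bit 0x2 of userAccountControl is ADS_UF_ACCOUNTDISABLED
        Disabled = [bool]([int]$p['useraccountcontrol'][0] -band 0x2)
        # Owner SID; anything other than Domain Admins / Enterprise Admins
        # (RID 512 / 519) owning a user object deserves a second look
        Owner    = $sd.Owner.Value
        DN       = [string]$p['distinguishedname'][0]
    }
}
$results.Dispose()

"User objects found: $($report.Count)"
$report | Where-Object Recent | Sort-Object Created -Descending |
    Format-Table Account, Created, Disabled, Owner, DN -AutoSize
```

Compare the total against what ADUC shows; a gap means objects sit in a container the console is not displaying or that your account cannot read.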



Re: Possible breach by John

John
Mon Dec 03 14:59:25 PST 2007

Thanks.




Re: Possible breach by Ace

Ace
Tue Dec 04 20:47:08 PST 2007

In news:%23YYvsAgNIHA.748@TK2MSFTNGP04.phx.gbl,
John <j.col@verizon.net> typed:
> Thanks.

Do you have an FTP site that may have been compromised? If you found a user
account such as 'sistem,' I would be leery as to think what else may have
been added or compromised, such as an auto-instance of ServU or WarFTP
server installed along with it?


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Try using Outlook Express or any other newsreader, configure a news
account, and point it to news.microsoft.com. Anonymous access. It's
easy and it's free:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164




Re: Possible breach by John

John
Wed Dec 05 06:52:04 PST 2007

That is exactly what happened. Don't see anything yet, but keeping a close
eye on it. Any suggestions?



Re: Possible breach by Ace

Ace
Wed Dec 05 21:11:00 PST 2007

In news:ujMrp50NIHA.1208@TK2MSFTNGP05.phx.gbl,
John <john@marshallandziolkowski.com> typed:
> That is exactly what happened. Don't see anything yet, but keeping a
> close eye on it. Any suggestions?

Scan it using a scan tool checking each and every port to see which is
listening. You can also run TCPView to find what ports are open and what
executable is listening. This should tell you what port the FTP server, that
is if it is FTP, is running on. Once you find out, FTP into it on that port
and see what data shows up and search your drive for it. If it's a folder
that you can't delete or find, there are methods to delete them.

Let me know what you find out.

Ace
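The TCPView step as a repeatable script, added here and not part of Ace's post: it maps each listening TCP port and bound UDP endpoint to its owning process and image path, writes a baseline on the first run, and on later runs reports only listeners that were not there before. Assumes Windows 8 / Server 2012 or later for the NetTCPIP cmdlets; the $BaselinePath default is an assumption.

```powershell
# Added example, not from the thread. Lists every listening TCP port and bound
# UDP endpoint with its owning process and image path (what TCPView shows),
# saves a baseline on the first run, and on later runs prints only listeners
# that were not in the baseline. Needs Windows 8 / Server 2012+ (NetTCPIP).
param(
    [string]$BaselinePath = "$env:ProgramData\listen-baseline.csv"  # assumption
)

function Get-ListeningEndpoint {
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
    foreach ($ep in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto   = $ep.Proto
            Address = $ep.LocalAddress
            Port    = [int]$ep.LocalPort
            ProcId  = $ep.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
            # Path is empty for protected/system processes unless elevated
            Path    = if ($proc) { $proc.Path } else { '' }
        }
    }
}

$current = Get-ListeningEndpoint | Sort-Object Proto, Port, Process -Unique

if (Test-Path $BaselinePath) {
    # CSV round-trips everything as strings; restore Port to int for comparison
    $baseline = Import-Csv $BaselinePath | ForEach-Object { $_.Port = [int]$_.Port; $_ }
    # '=>' marks entries present now but absent from the baseline: a new
    # service, or the FTP daemon that arrived with the rogue account
    $new = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property Proto, Port, Process -PassThru | Where-Object SideIndicator -eq '=>'
    if ($new) {
        "New listeners since baseline:"
        $new | Format-Table Proto, Address, Port, ProcId, Process, Path -AutoSize
    } else { "No new listeners since baseline." }
} else {
    $current | Export-Csv $BaselinePath -NoTypeInformation
    "Baseline written to $BaselinePath"
}
$current | Format-Table Proto, Address, Port, ProcId, Process, Path -AutoSize
```

Run it elevated so the Path column is filled for services; a listener whose Path points outside the usual Windows and Program Files locations is the one to investigate first.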





Re: Possible breach by John

John
Thu Dec 06 14:59:29 PST 2007

Looks like everything is ok for now. I have been running Process Explorer
and TCPView and do not see anything out of the ordinary. In addition, I have
a logon script that tracks logons on our network and places them in an Access
database on a remote machine. Again, nothing is showing up that is
suspicious.

Thanks for your help.



Re: Possible breach by Ace

Ace
Thu Dec 06 20:37:02 PST 2007

In news:u2uqquFOIHA.1204@TK2MSFTNGP03.phx.gbl,
John <j.col@verizon.net> typed:
> Looks like everything is ok for now. I have been running Process
> Explorer and TCPView and do not see anything out of the ordinary. In
> addition, I have a logon script that tracks logons on our network and
> places them in an Access database on a remote machine. Again, nothing
> is showing up that is suspicious.

Good to hear. At least you now know what to look for. Keep in mind that if it
is FTP access over an anonymous connection, it may not show up when looking at
logons.

Ace