RE: Tracking a (potential) abuser?

From: William Grossman (wgrossmanat_private)
Date: Fri Feb 07 2003 - 04:41:55 PST


The way I would handle the situation is as follows.

I would reset the permissions on the student's folder to the way that you found them. Leaving them changed can give you away easily. Secondly, I would find out as much background info on the user as possible (i.e. which computer labs or workstations they generally use and when they use them). Unless the person is stupid, you are probably dealing with a stolen account. Once you have the background info you can start to cross-reference the security logs. Make sure that you have logon success/failures audited. Each day, export the log file to a text file and do a keyword search on the username in question. Keep track of any suspicious login times or places for that user. If you can narrow it down to a couple of workstations, then you can start with key loggers and other fun stuff.

Next, at the same time I changed the logon setting in auditing, I would also make sure that I turned on auditing for reading/writing file attributes and for deleting any folders. After you finish with keyword searches for usernames, I would do a few more for folder deletions and attribute changes. Weed out legitimate uses and investigate the rest. If you get some more user IDs, then you can use the same technique as above.

Now do another keyword search of the logs for administrator logins. Find out who has access to the administrator passwords and where they log in. Verify every single administrator login. If you get a login from an unexpected workstation, then throw on a key logger.

Finally, I'm not sure if Internet abuse is one of your concerns; if it is, make sure that the school has a proxy server and that that is the only way to access the Internet. You will spend a good amount of time going over the logs of that to look for suspicious behavior.
    
William B. Grossman
Network Administrator
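An added example (not from the post or its author) of the daily log check described above: a short Python script that keyword-filters an exported logon log for the account in question and flags logons from workstations or at hours outside the background info gathered about that user, plus every failed logon. The line layout, account names and workstation names are constructed for the example; a real Event Viewer text export has a different layout, so parse_line() must be adapted to it.

```python
# Added example (not from the post): keyword-search a daily text export of the
# security log for one account and flag logons that do not match the user's
# known workstations and hours.  The line layout is constructed for this
# example; a real Event Viewer text export differs, so adapt parse_line().
from collections import namedtuple
from datetime import datetime
from typing import Optional

LogonEvent = namedtuple("LogonEvent", "when account workstation success")

def parse_line(line: str) -> Optional[LogonEvent]:
    # Constructed layout: "YYYY-MM-DD HH:MM:SS account workstation Success|Failure"
    parts = line.split()
    if len(parts) != 5 or parts[4] not in ("Success", "Failure"):
        return None  # not a logon record
    when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return LogonEvent(when, parts[2].lower(), parts[3].upper(), parts[4] == "Success")

def suspicious_logons(lines, account, usual_workstations, usual_hours):
    """(event, reasons) pairs for the watched account's logons from workstations
    or at hours outside the gathered background info, plus every failed logon."""
    usual = {w.upper() for w in usual_workstations}
    start, end = usual_hours  # usual hours as [start, end) on a 24h clock
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.account != account.lower():
            continue  # keyword filter: only the username in question
        reasons = []
        if ev.workstation not in usual:
            reasons.append("unexpected workstation " + ev.workstation)
        if not start <= ev.when.hour < end:
            reasons.append("outside usual hours (%02d:%02d)" % (ev.when.hour, ev.when.minute))
        if not ev.success:
            reasons.append("failed logon")
        if reasons:
            hits.append((ev, reasons))
    return hits

# Constructed sample export: jsmith normally works from LAB1-PC03/LAB1-PC07, 08:00-18:00.
SAMPLE_LOG = """2003-02-06 09:12:44 jsmith LAB1-PC03 Success
2003-02-06 13:40:02 jsmith LAB1-PC07 Success
2003-02-06 23:51:10 jsmith LIB-PC12 Failure
2003-02-06 23:52:31 jsmith LIB-PC12 Success
2003-02-06 10:05:00 mjones LAB2-PC01 Success""".splitlines()

if __name__ == "__main__":
    for ev, why in suspicious_logons(SAMPLE_LOG, "jsmith", ["LAB1-PC03", "LAB1-PC07"], (8, 18)):
        print(ev.when, ev.workstation, "->", "; ".join(why))
```

Run against the sample export, only the two late-night logons from LIB-PC12 are reported; the same function serves the administrator-login check by passing the administrator account and the workstations administrators are expected to use.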
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com