Velocity Reviews - Computer Hardware Reviews

Weird Logins

 
 
asdf
Guest
Posts: n/a
 
      11-10-2005
One of our users is complaining that someone is logging in to her computer.
When she leaves she locks her computer, but sometimes when she comes back
it is unlocked. No one else knows her password. Even if it was reset
through Active Directory it would show, since then she would know that
someone changed it. To me that leaves only one option, and that is that
someone has installed a keylogger like Spector to get her password. System
is running Symantec Corporate Antivirus 9.1, but those keyloggers have a way
of avoiding detection. What are other things that could be causing this?
What are other ways of troubleshooting this problem?

Thanks a million for all the responses.


 
 
 
 
 
Leythos
Guest
Posts: n/a
 
      11-10-2005
How about someone using the LOCAL logins that you forgot to disable or
that you didn't use a strong password on?

9.1 should detect a keylogger if you have expanded threats turned on.

Check the local user accounts and disable all except administrator, and
change the local administrator password.

 
 
 
 
asdf
Guest
Posts: n/a
 
      11-10-2005
Thank you for replying.
As I mentioned, however, the person claims that someone unlocks her
computer, not just logs into it with their own account. If she is correct
in her claims, someone manages to get her password.

I'll give that 'expanded threats' suggestion a shot though.

Thank you
 
Charlie Tame
Guest
Posts: n/a
 
      11-10-2005
Hmm, you said "One of our" so I guess this is a company network.

Maybe you have thought of this, but it's not a case of someone using Remote
Desktop, is it? I know this is a 2000 group, but as people move to XP I
figured the question worth asking, just in case it is XP on that machine.
(You can easily install the RDP client on 2000 by copying msts something
.exe into system 32 and the dll that goes with it, so you can't rely on the
fact that 2000 doesn't come with it for protection. The client will work on
95 up.)

Just a thought,

Charlie


 
Donnie
Guest
Posts: n/a
 
      11-10-2005

"asdf" <(E-Mail Removed)> wrote in message
news:ktGcf.68307$(E-Mail Removed)...
> thank you for replying.
> as i mentioned however, the person claims that someone unlocks her
> computer not just logs into it with their own account. If she is correct
> in her claims someone manages to get her password.
>
> I'll give that 'expanded threats' suggestion a shot though.
>

Until you can find the trojan, create a BIOS password and let her shut down
when she leaves.
Look in the registry for the trojan. The first place is
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
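One way to review the Run key named above, as an added example that is not part of the original post: it compares `reg query` output from the suspect machine with output from a known-good machine built from the same image. The sample text, the value names and the assumed column layout (name, type, data separated by tabs or runs of spaces) are constructed for illustration.

```python
import re

# Constructed sample output for the HKLM Run key on a known-good machine
# (assumed to be available) and on the suspect machine. Values are made up.
BASELINE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    vptray    REG_SZ    C:\PROGRA~1\SYMANT~1\VPTray.exe
    Synchronization Manager    REG_SZ    mobsync.exe /logon
"""
SUSPECT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    vptray    REG_SZ    C:\PROGRA~1\SYMANT~1\VPTray.exe
    Synchronization Manager    REG_SZ    C:\WINNT\Temp\mobsync.exe /logon
    winhlp    REG_SZ    C:\WINNT\system32\wnhlp32.exe
"""

def parse_run_values(text):
    """Map value name (lower-cased, registry names ignore case) to its data."""
    values = {}
    for line in text.splitlines():
        # Columns are split on tabs or 2+ spaces; single spaces stay in names.
        parts = re.split(r"\t+| {2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values[parts[0].lower()] = parts[2]
    return values

def diff_autoruns(baseline_text, suspect_text):
    """Return (status, name, data) for every entry that differs from baseline."""
    base = parse_run_values(baseline_text)
    seen = parse_run_values(suspect_text)
    findings = []
    for name, data in sorted(seen.items()):
        if name not in base:
            findings.append(("added", name, data))
        elif base[name].lower() != data.lower():
            findings.append(("changed", name, data))
    # A start-up entry that vanished (for example the antivirus tray) matters too.
    findings += [("removed", n, base[n]) for n in sorted(base.keys() - seen.keys())]
    return findings

if __name__ == "__main__":
    for status, name, data in diff_autoruns(BASELINE, SUSPECT):
        print(f"{status:8} {name:28} {data}")
```
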


 
 
nemo_outis
Guest
Posts: n/a
 
      11-10-2005
You don't say which version of Microsoft Windows; on some the keyboard
lock can be bypassed and awakened by inserting, for instance, a CD (if
autorun is enabled).

Regards,


 
 
Steven L Umbach
Guest
Posts: n/a
 
      11-10-2005
Enable auditing of logon events on her computer in Local Security Policy and
then view logon entries in the security log to see what is going on and
proceed from there. The events will have a logon type and a timestamp. Type
7 shows the computer was unlocked. Make sure you reset her password ASAP
and you may need to do a clean install of the operating system. --- Steve

http://www.windowsecurity.com/articles/Logon-Types.html

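A sketch of the log review suggested above, as an added example that is not part of the thread: once logon auditing is on, it lists the logons that gave someone a desktop session (type 7 unlock, plus interactive and Remote Desktop logons) while the user says she was away, together with the account that was used. The exported row layout, account names, host names and times are all constructed for illustration.

```python
from datetime import datetime

# Logon types as recorded in Windows logon events (subset relevant here).
LOGON_TYPES = {2: "interactive", 3: "network", 7: "unlock",
               10: "remote interactive (RDP)", 11: "cached interactive"}
HANDS_ON = {2, 7, 10, 11}  # types that mean someone got a desktop session

# Constructed sample: rows exported from the Security log as
# "timestamp,logon_type,account,source". Every value is made up.
SAMPLE_LOG = """\
2005-11-09 08:58:12,2,CORP\\jdoe,WKS-042
2005-11-09 12:01:40,3,CORP\\backupsvc,SRV-FILE1
2005-11-09 12:17:03,7,CORP\\jdoe,WKS-042
2005-11-09 13:02:55,7,CORP\\jdoe,WKS-042
2005-11-09 18:40:21,10,WKS-042\\helpdesk,10.0.4.17
"""

# Periods the user reports being away with the screen locked (constructed).
AWAY = [("2005-11-09 12:00:00", "2005-11-09 13:00:00"),
        ("2005-11-09 17:30:00", "2005-11-10 08:30:00")]

FMT = "%Y-%m-%d %H:%M:%S"

def parse(log_text):
    """Yield (time, logon_type, account, source) for each exported row."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ltype, account, source = line.split(",", 3)
        yield datetime.strptime(ts, FMT), int(ltype), account, source

def suspicious_logons(log_text, away_windows):
    """Return hands-on logons that fall inside the user's away periods."""
    windows = [(datetime.strptime(a, FMT), datetime.strptime(b, FMT))
               for a, b in away_windows]
    hits = []
    for when, ltype, account, source in parse(log_text):
        if ltype in HANDS_ON and any(a <= when <= b for a, b in windows):
            hits.append((when.strftime(FMT), LOGON_TYPES[ltype], account, source))
    return hits

if __name__ == "__main__":
    for hit in suspicious_logons(SAMPLE_LOG, AWAY):
        print(*hit, sep="  ")
```

The account column separates the two theories in the thread: an unlock under the user's own account points to a known password, while a hit under a local or help-desk account points to those logins instead.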
 
asdf
Guest
Posts: n/a
 
      11-10-2005
She is already changing her pass once a week.
That's why I think that it's a keylogger or similar.


 
winged
Guest
Posts: n/a
 
      11-15-2005
asdf wrote:
> she is already changing her pass once a week.
> thats why i think that it's a keylogger or similar.

You can spend hours running this to ground. You should check to see if
the system has a rootkit via Sysinternals RootkitRevealer
http://www.sysinternals.com/Utilitie...tRevealer.html

You should do as previously suggested and turn on full logging, and
review the logs. You should examine the system for alternate data
streams and examine communications. Stick a sniffer in the closet and
record everything and have the user contact you immediately at the next
instance.

Use process explorer to examine all processes and the children procs who
kicked them off. Look for ADS files.

Network system passwords could be their entry point or local machine
logins that for example belong to your help desk.

Truthfully you can spend hours looking for a replaced DLL and validating
that all is copacetic. There are a number of shortcuts and some good
scripts you can use to collect system information along with looking for
the known culprits. Some toolkits can be found here:
http://www.forensics.nl/toolkits


Another consideration that must be considered is that no one is involved
and the user is creating an excuse that "someone is deleting my files",
usually the day some deadline is due. It often happens to the same user
repeatedly. Either way this has to be documented for management and
reported if this is occurring.

The recommendation to re-image the system is not a bad suggestion,
depends a bit on the criticality/sensitivity of the information the user
is processing.

Inside network abuse is the majority (80%) of all hacks occurring on
corporate networks. You have many facets that have to be examined and I
have no idea what network rules exist in your environment. In our
network all of our clients have the same base image with some users with
unique software requirements having additional software. We don't allow
users to install their favorite screen saver (they must live with
generics) nor are they allowed to download or install software of any
type on their system without going through the security manager and sys
admin. The more you deviate from the above the more difficult it will
be to determine what is going on.

Good Luck, these are the pains that must be looked at but have many
potential answers. Without knowing your working environment, I am not
sure what more advice to provide.

Winged
 