Weird Logins

Discussion in 'Computer Security' started by asdf, Nov 10, 2005.

  1. asdf

    asdf Guest

    One of our users is complaining that someone is logging in to her computer.
    When she leaves she locks her computer, but sometimes when she comes back
    it is unlocked. No one else knows her password. Even if it was reset
    through Active Directory it would show, since then she would know that
    someone changed it. To me that leaves only one option, and that is that
    someone has installed a keylogger like Spector to get her password. The
    system is running Symantec Corporate Antivirus 9.1, but those keyloggers
    have a way of avoiding detection. What other things could be causing this?
    What are other ways of troubleshooting this problem?

    Thanks a million for all the responses.
    asdf, Nov 10, 2005
    #1

  2. Leythos

    Leythos Guest

    In article <1NDcf.68289$>, says...
    > One of our users is complaining that someone is logging in to her computer.
    > When she leaves she locks her computer, but sometimes when she comes back
    > it is unlocked. No one else knows her password. Even if it was reset
    > through Active Directory it would show, since then she would know that
    > someone changed it. To me that leaves only one option, and that is that
    > someone has installed a keylogger like Spector to get her password. The
    > system is running Symantec Corporate Antivirus 9.1, but those keyloggers
    > have a way of avoiding detection. What other things could be causing this?
    > What are other ways of troubleshooting this problem?
    >
    > Thanks a million for all the responses.


    How about someone using the LOCAL logins that you forgot to disable or
    that you didn't use a strong password on?

    9.1 should detect a keylogger if you have expanded threats turned on.

    Check the local user accounts and disable all except administrator, and
    change the local administrator password.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Nov 10, 2005
    #2

  3. asdf

    asdf Guest

    Thank you for replying.
    As I mentioned, however, the person claims that someone unlocks her
    computer, not just logs into it with their own account. If she is correct
    in her claims, someone manages to get her password.

    I'll give that 'expanded threats' suggestion a shot though.

    Thank you.
    "Leythos" <> wrote in message
    news:...
    > In article <1NDcf.68289$>, says...
    > > One of our users is complaining that someone is logging in to her computer.
    > > When she leaves she locks her computer, but sometimes when she comes back
    > > it is unlocked. No one else knows her password. Even if it was reset
    > > through Active Directory it would show, since then she would know that
    > > someone changed it. To me that leaves only one option, and that is that
    > > someone has installed a keylogger like Spector to get her password. The
    > > system is running Symantec Corporate Antivirus 9.1, but those keyloggers
    > > have a way of avoiding detection. What other things could be causing this?
    > > What are other ways of troubleshooting this problem?
    > >
    > > Thanks a million for all the responses.
    >
    > How about someone using the LOCAL logins that you forgot to disable or
    > that you didn't use a strong password on?
    >
    > 9.1 should detect a keylogger if you have expanded threats turned on.
    >
    > Check the local user accounts and disable all except administrator, and
    > change the local administrator password.
    >
    > --
    >
    > (Remove 999 to reply to me)
    asdf, Nov 10, 2005
    #3
  4. Charlie Tame

    Charlie Tame Guest

    Hmm, you said "one of our" so I guess this is a company network.

    Maybe you have thought of this, but it's not a case of someone using Remote
    Desktop, is it? I know this is a 2000 group, but as people move to XP I
    figured the question worth asking, just in case it is XP on that machine.
    (You can easily install the RDP client on 2000 by copying msts-something
    .exe into system32 and the dll that goes with it, so you can't rely on the
    fact that 2000 doesn't come with it for protection. The client will work on
    95 up. :)

    Just a thought,

    Charlie


    "asdf" <> wrote in message
    news:ktGcf.68307$...
    > Thank you for replying.
    > As I mentioned, however, the person claims that someone unlocks her
    > computer, not just logs into it with their own account. If she is correct
    > in her claims, someone manages to get her password.
    >
    > I'll give that 'expanded threats' suggestion a shot though.
    >
    > Thank you.
    > "Leythos" <> wrote in message
    > news:...
    >> In article <1NDcf.68289$>, says...
    >> > One of our users is complaining that someone is logging in to her computer.
    >> > When she leaves she locks her computer, but sometimes when she comes back
    >> > it is unlocked. No one else knows her password. Even if it was reset
    >> > through Active Directory it would show, since then she would know that
    >> > someone changed it. To me that leaves only one option, and that is that
    >> > someone has installed a keylogger like Spector to get her password. The
    >> > system is running Symantec Corporate Antivirus 9.1, but those keyloggers
    >> > have a way of avoiding detection. What other things could be causing this?
    >> > What are other ways of troubleshooting this problem?
    >> >
    >> > Thanks a million for all the responses.
    >>
    >> How about someone using the LOCAL logins that you forgot to disable or
    >> that you didn't use a strong password on?
    >>
    >> 9.1 should detect a keylogger if you have expanded threats turned on.
    >>
    >> Check the local user accounts and disable all except administrator, and
    >> change the local administrator password.
    >>
    >> --
    >>
    >> (Remove 999 to reply to me)
    >
    Charlie Tame, Nov 10, 2005
    #4
  5. Donnie

    Donnie Guest

    "asdf" <> wrote in message
    news:ktGcf.68307$...
    > Thank you for replying.
    > As I mentioned, however, the person claims that someone unlocks her
    > computer, not just logs into it with their own account. If she is correct
    > in her claims, someone manages to get her password.
    >
    > I'll give that 'expanded threats' suggestion a shot though.
    >

    #################################
    Until you can find the trojan, create a BIOS passwd and let her shut down
    when she leaves.
    Look in the registry for the trojan. The first place is
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Donnie, Nov 10, 2005
    #5
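    One way to triage the Run key Donnie points at without reading it entry by entry in regedit: export the key to a .reg file and scan the export. This is an added example for the thread, not code from any poster. The .reg text, the entry names (ccApp, vptray, updater, Synchronization Manager) and the list of directories treated as "expected" are constructed assumptions; adjust the directory list to the build in use.

```python
"""Review HKLM\\...\\CurrentVersion\\Run from a .reg export.

Added example for this thread, not code from any poster. The .reg contents,
entry names and EXPECTED_DIRS below are constructed assumptions.
"""
import re
from typing import Dict

# Constructed export of HKLM\Software\Microsoft\Windows\CurrentVersion\Run in
# the layout regedit's File > Export writes (backslashes and quotes escaped).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"updater"="C:\\WINNT\\Temp\\updater.exe /silent"
"Synchronization Manager"="mobsync.exe /logon"
'''

# Directories an autostart binary is expected to live in on this (assumed) build.
EXPECTED_DIRS = (
    "c:\\winnt\\system32\\",
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)


def parse_run_key(text: str) -> Dict[str, str]:
    """Map value name -> command line, undoing the .reg escaping of \\ and \"."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            name, raw = m.groups()
            entries[name] = raw.replace("\\\\", "\\").replace('\\"', '"')
    return entries


def executable_path(command: str) -> str:
    """Pull the program path out of a Run command line (quoted or not)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def review_entries(entries: Dict[str, str]) -> Dict[str, str]:
    """Return name -> reason for every entry that deserves a closer look."""
    findings = {}
    for name, command in entries.items():
        path = executable_path(command)
        if "\\" not in path:
            # No directory at all: Windows locates it by PATH search, so check
            # which copy actually runs.
            findings[name] = f"bare file name {path!r}, located by PATH search"
        elif not path.lower().startswith(EXPECTED_DIRS):
            findings[name] = f"{path} is outside the expected directories"
    return findings


if __name__ == "__main__":
    for name, reason in review_entries(parse_run_key(SAMPLE_REG)).items():
        print(f"{name}: {reason}")
```

    Run is only the first of several autostart locations (RunOnce, the same keys under HKCU, services), so a clean Run key does not close the question; it just clears the most common hiding place.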
  6. nemo_outis

    nemo_outis Guest

    "asdf" <> wrote in news:1NDcf.68289$:

    > One of our users is complaining that someone is logging in to her computer.
    > When she leaves she locks her computer, but sometimes when she comes back
    > it is unlocked. No one else knows her password. Even if it was reset
    > through Active Directory it would show, since then she would know that
    > someone changed it. To me that leaves only one option, and that is that
    > someone has installed a keylogger like Spector to get her password. The
    > system is running Symantec Corporate Antivirus 9.1, but those keyloggers
    > have a way of avoiding detection. What other things could be causing this?
    > What are other ways of troubleshooting this problem?
    >
    > Thanks a million for all the responses.
    >

    You don't say which version of Microsoft Windows; on some the keyboard
    lock can be bypassed and awakened by inserting, for instance, a CD (if
    autorun is enabled).

    Regards,
    nemo_outis, Nov 10, 2005
    #6
  7. Steven L Umbach

    Steven L Umbach Guest

    Enable auditing of logon events on her computer in Local Security Policy and
    then view logon entries in the security log to see what is going on and
    proceed from there. The events will have a logon type and a timestamp. Type
    7 shows the computer was unlocked. Make sure you reset her password ASAP
    and you may need to do a clean install of the operating system. --- Steve

    http://www.windowsecurity.com/articles/Logon-Types.html

    "asdf" <> wrote in message
    news:1NDcf.68289$...
    > One of our users is complaining that someone is logging in to her computer.
    > When she leaves she locks her computer, but sometimes when she comes back
    > it is unlocked. No one else knows her password. Even if it was reset
    > through Active Directory it would show, since then she would know that
    > someone changed it. To me that leaves only one option, and that is that
    > someone has installed a keylogger like Spector to get her password. The
    > system is running Symantec Corporate Antivirus 9.1, but those keyloggers
    > have a way of avoiding detection. What other things could be causing this?
    > What are other ways of troubleshooting this problem?
    >
    > Thanks a million for all the responses.
    >
    Steven L Umbach, Nov 10, 2005
    #7
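    Steve's logon-type check, carried through on an exported security log, as an added example that is not part of any post in this thread. Event ID 528 is the Windows 2000/XP "Successful Logon" event and logon type 7 is "Unlock Workstation" (event 4624 carries the same logon-type field on later Windows). The tab-separated export layout, the account name jdoe, the workstation name and the log lines are all constructed for the example.

```python
"""Pick unlock events (logon type 7) out of an exported Windows security log.

Added example for this thread, not code from any poster. The export layout,
the account "jdoe", the workstation name and the log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable, List, Optional, Tuple

# Constructed export: date, time, event id, account, logon type, workstation.
SAMPLE_LOG = """\
11/10/2005\t08:02:11\t528\tjdoe\t2\tWS-FIN-07
11/10/2005\t12:05:40\t528\tjdoe\t7\tWS-FIN-07
11/10/2005\t12:31:03\t528\tjdoe\t7\tWS-FIN-07
11/10/2005\t13:00:20\t528\tjdoe\t7\tWS-FIN-07
11/10/2005\t14:15:55\t538\tjdoe\t7\tWS-FIN-07
11/10/2005\t17:45:09\t528\tjdoe\t7\tWS-FIN-07
"""

SUCCESSFUL_LOGON_IDS = {528, 4624}  # 2000/XP and Vista+ "successful logon"
LOGON_TYPE_UNLOCK = 7               # workstation unlocked with the account's password


@dataclass
class LogonEvent:
    when: datetime
    event_id: int
    account: str
    logon_type: int
    workstation: str


def parse_export(text: str) -> List[LogonEvent]:
    """Parse the constructed tab-separated export into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, event_id, account, logon_type, workstation = line.split("\t")
        when = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S")
        events.append(LogonEvent(when, int(event_id), account, int(logon_type), workstation))
    return events


def unlock_events(events: Iterable[LogonEvent],
                  account: Optional[str] = None) -> List[LogonEvent]:
    """Successful logons of type 7, optionally limited to one account."""
    return [
        e for e in events
        if e.event_id in SUCCESSFUL_LOGON_IDS
        and e.logon_type == LOGON_TYPE_UNLOCK
        and (account is None or e.account == account)
    ]


def _hhmm(s: str) -> time:
    return datetime.strptime(s, "%H:%M").time()


def unlocks_while_away(events: Iterable[LogonEvent],
                       away: List[Tuple[str, str]],
                       account: Optional[str] = None) -> List[LogonEvent]:
    """Unlocks inside the "HH:MM"-"HH:MM" windows the user says she was away.

    An unlock done with her password is logged under HER account whoever typed
    it, so the timestamp, not the account name, is what gives it away.
    """
    windows = [(_hhmm(a), _hhmm(b)) for a, b in away]
    hits = []
    for e in unlock_events(events, account):
        t = e.when.time()
        if any(start <= t <= end for start, end in windows):
            hits.append(e)
    return hits


if __name__ == "__main__":
    evts = parse_export(SAMPLE_LOG)
    # Constructed claim: she was at lunch from 12:00 to 13:30.
    for e in unlocks_while_away(evts, [("12:00", "13:30")], "jdoe"):
        print(f"{e.when:%Y-%m-%d %H:%M:%S} unlock of {e.workstation} as {e.account} while away")
```

    The away windows come from the user's own account of her day, so the result is only as good as that; what the log adds is an independent timestamp she cannot have produced herself, which is also what makes the "re-image and reset the password" advice easier to justify to management.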
  8. asdf

    asdf Guest

    She is already changing her pass once a week.
    That's why I think that it's a keylogger or similar.


    "Steven L Umbach" <> wrote in message
    news:...
    > Enable auditing of logon events on her computer in Local Security Policy and
    > then view logon entries in the security log to see what is going on and
    > proceed from there. The events will have a logon type and a timestamp. Type
    > 7 shows the computer was unlocked. Make sure you reset her password ASAP
    > and you may need to do a clean install of the operating system. --- Steve
    >
    > http://www.windowsecurity.com/articles/Logon-Types.html
    >
    > "asdf" <> wrote in message
    > news:1NDcf.68289$...
    > > One of our users is complaining that someone is logging in to her computer.
    > > When she leaves she locks her computer, but sometimes when she comes back
    > > it is unlocked. No one else knows her password. Even if it was reset
    > > through Active Directory it would show, since then she would know that
    > > someone changed it. To me that leaves only one option, and that is that
    > > someone has installed a keylogger like Spector to get her password. The
    > > system is running Symantec Corporate Antivirus 9.1, but those keyloggers
    > > have a way of avoiding detection. What other things could be causing this?
    > > What are other ways of troubleshooting this problem?
    > >
    > > Thanks a million for all the responses.
    > >
    >
    asdf, Nov 10, 2005
    #8
  9. winged

    winged Guest

    asdf wrote:
    > She is already changing her pass once a week.
    > That's why I think that it's a keylogger or similar.
    >
    > "Steven L Umbach" <> wrote in message
    > news:...
    >> Enable auditing of logon events on her computer in Local Security Policy and
    >> then view logon entries in the security log to see what is going on and
    >> proceed from there. The events will have a logon type and a timestamp. Type
    >> 7 shows the computer was unlocked. Make sure you reset her password ASAP
    >> and you may need to do a clean install of the operating system. --- Steve
    >>
    >> http://www.windowsecurity.com/articles/Logon-Types.html
    >>
    >> "asdf" <> wrote in message
    >> news:1NDcf.68289$...
    >>> One of our users is complaining that someone is logging in to her computer.
    >>> When she leaves she locks her computer, but sometimes when she comes back
    >>> it is unlocked. No one else knows her password. Even if it was reset
    >>> through Active Directory it would show, since then she would know that
    >>> someone changed it. To me that leaves only one option, and that is that
    >>> someone has installed a keylogger like Spector to get her password. The
    >>> system is running Symantec Corporate Antivirus 9.1, but those keyloggers
    >>> have a way of avoiding detection. What other things could be causing this?
    >>> What are other ways of troubleshooting this problem?
    >>>
    >>> Thanks a million for all the responses.
    >>>
    >>
    >

    You can spend hours running this to ground. You should check to see if
    the system has a rootkit via Sysinternals RootkitRevealer:
    http://www.sysinternals.com/Utilities/RootkitRevealer.html

    You should do as previously suggested and turn on full logging, and
    review the logs. You should examine the system for alternate data
    streams and examine communications. Stick a sniffer in the closet and
    record everything, and have the user contact you immediately at the next
    instance.

    Use Process Explorer to examine all processes and the children procs who
    kicked them off. Look for ADS files.

    Network system passwords could be their entry point, or local machine
    logins that for example belong to your help desk.

    Truthfully you can spend hours looking for a replaced DLL and validating
    that all is copacetic. There are a number of shortcuts and some good
    scripts you can use to collect system information along with looking for
    the known culprits. Some toolkits can be found here:
    http://www.forensics.nl/toolkits

    Another consideration is that no one is involved and the user is creating
    an excuse that "someone is deleting my files", usually the day some
    deadline is due. It often happens to the same user repeatedly. Either way
    this has to be documented for management and reported if this is
    occurring.

    The recommendation to re-image the system is not a bad suggestion; it
    depends a bit on the criticality/sensitivity of the information the user
    is processing.

    Inside network abuse is the majority (80%) of all hacks occurring on
    corporate networks. You have many facets that have to be examined, and I
    have no idea what network rules exist in your environment. In our
    network all of our clients have the same base image, with some users with
    unique software requirements having additional software. We don't allow
    users to install their favorite screen saver (they must live with
    generics), nor are they allowed to download or install software of any
    type on their system without going through the security manager and sys
    admin. The more you deviate from the above, the more difficult it will
    be to determine what is going on.

    Good luck; these are the pains that must be looked at but have many
    potential answers. Without knowing your working environment, I am not
    sure what more advice to provide.

    Winged
    winged, Nov 15, 2005
    #9
