Re: Well it finally happened
Interrogation of the culprits would be the first step. Read them the riot act, quote the Computer Misuse Act etc etc.
I hope that those caught are being suitably punished.
Re: Well it finally happened
holy sh!t!
Wonder if they've got hold of privileged account details somehow
What network was this? NT? 2000? 2003!? :!: :o
Re: Well it finally happened
The details are pretty sketchy. From what I have been told, the one kid somehow got admin level rights, then gave his friend the same level of rights, and away they went. We just went to 2003 server roughly last year. The cops were called yesterday, so they're being charged, but that's about all the info I know. As of right now, all the techs are being left in the dark about this whole situation. I don't even think that many techs know about this. I only know because the principal here is friends with the principal at the school that it happened. So only know of what he has told me.
Re: Well it finally happened
You don't wish it on anyone, it's one of the worst things that can happen!
I read somewhere the majority of hacking is caused by people leaving machines logged on!! or someone knowing credentials of admin account.
I always try and check my admin groups members every so often, as if they go undetected could simply use to gain information rather than damage.
From the damage done you can normally track back to specific times etc, perhaps look at when files were deleted then you can tell how login was achieved from event logs etc.
I take it you share the domain across multiple sites? Or have I misunderstood? If so may be worth looking at creating sub domains and keep trusts between them, may limit damage.
good luck!
Re: Well it finally happened
First things to do depend on whether you want to contain any possible problem or search for the entry point.
If you want to contain any problem and lock things down then what you need to do is to check any group with admin level access ... change passwords of all admin accounts on a machine known to be clean of viruses, trojans and so on.
Then start looking at machines known to be logged on to by staff with admin level access. Check for key logging software. Ensure all your AV software is up to date. Get a trial of enterprise level anti-spyware software to run a clean of all machines.
I know of one school that was worried about similar after a former tech left under a cloud and they had a few strange things happening. They asked Securus for a 2 week trial and put the old admin password (and a few other bits) in the monitor list to see if anyone was trying to log on with admin level accounts. They caught a few students, who had been given information by a friend of the former tech, trying to change a number of things ... and then they didn't bother with Securus after that, but it did the job :-)
If the students have been charged then it is likely that the police (and someone at the school) have information about what was being done. Even if it means the Techies find out that they dropped a ball somewhere it is important to get the information and clean house.
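Added example, not part of any post in this thread: the two posts above suggest checking the members of admin-level groups and working back through the event logs, and this sketch does both over an exported Security log. It assumes account management auditing was enabled on the Server 2003 domain controllers; the baseline, account names and log lines are constructed for illustration.

```python
import csv
import io

# Windows Server 2003 Security log event IDs for changes to
# security-enabled groups (global, local, universal).
ADD_EVENTS = {"632", "636", "660"}
REMOVE_EVENTS = {"633", "637", "661"}

# Assumption: approved membership of each privileged group, kept offline.
BASELINE = {"Domain Admins": {"administrator", "tech1"},
            "Administrators": {"administrator", "Domain Admins"}}

# Constructed sample export (not real data): time,event_id,actor,member,group
SAMPLE = """\
2006-03-01T08:02:11,632,administrator,tech1,Domain Admins
2006-03-14T12:41:03,632,administrator,pupil_a,Domain Admins
2006-03-14T12:47:55,632,pupil_a,pupil_b,Domain Admins
2006-03-15T09:10:00,632,tech1,staff7,Staff Printers
2006-03-16T16:20:30,633,tech1,pupil_b,Domain Admins
"""

def trace_grants(export_text, baseline=BASELINE):
    """Replay group changes; return (findings, unapproved current members)."""
    findings, rogue = [], {g: set() for g in baseline}
    rows = [r for r in csv.reader(io.StringIO(export_text)) if r]
    for when, event_id, actor, member, group in sorted(rows):
        if group not in baseline:
            continue  # only privileged groups are audited
        if event_id in REMOVE_EVENTS:
            rogue[group].discard(member)
        elif event_id in ADD_EVENTS and member not in baseline[group]:
            # An actor who was itself added outside the baseline marks a
            # chained grant: one unapproved admin promoting another account.
            chained = any(actor in members for members in rogue.values())
            findings.append({"time": when, "actor": actor, "member": member,
                             "group": group, "chained": chained})
            rogue[group].add(member)
    return findings, {g: m for g, m in rogue.items() if m}

if __name__ == "__main__":
    found, still_present = trace_grants(SAMPLE)
    for finding in found:
        print(finding)
    print("still unapproved:", still_present)
```

The first unapproved grant in the output names the account whose credentials need resetting first; every chained grant after it shows how far the access spread from there.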
Re: Well it finally happened
Quote:
The cops were called yesterday, so they're being charged,
With what ? [ just out of interest ]
How old were the kids ?
Re: Well it finally happened
I would hope with violating the Computer Misuse Act.
Re: Well it finally happened
Yeah, if I read the Computer Misuse Act right, they could get up to 15 years :D .
up to 5 for attempting to get access
up to 5 for unauthorised modification of data
up to 5 for setting it up so they can get further access.
For each time they got in!!
Re: Well it finally happened
Articles under the same act tend to run consecutively for offences that carry up to 5 years or £3000 fines ... it is up to the sentencing judge and depending on the age this is very unlikely.
Shame really ...
Re: Well it finally happened
They will more likely just get a slap on the wrist, aka. an official caution. Unless they have a prior criminal record that is.
Re: Well it finally happened
What sort of punishment will fall on the manager who is overall responsible for the network to start with..... ?
Of course - said Tongue In Cheek.... :-)
Re: Well it finally happened
Meh. I had access to the admin account when I was at school. And my friend did. We didn't have an ICT Technician at the time, the network was run by the ICT Teacher/Head of ICT and he never found out that we knew the password. It was an RM network and the admin account had some cool controls such as remote control of other networked PCs which we used regularly to scare people (we used to randomly eject their CD drives and laugh in the corner as they became highly confused).
We never attempted to damage the network in any way though. I wasn't -that- immature.
The only reason we knew the password was because on the RM network they had installed, there were two admin accounts (administrator and admin2). The head of ICT used the administrator account with his own password, but even though he knew about the admin2 account, he never changed it from its default password, which, ironically was "removed". My friend and I of course found out about it and we had full admin rights for over two years. The head of ICT obviously believed in security through obscurity.
[ password removed - just in case, plus used in a few things ;) - tarquel ]
Re: Well it finally happened
so it's a standard thing from RM to have "removed" then? Successmaker has it as default as well
[ edited for the reason above - tarquel ]
Re: Well it finally happened
Quote:
Originally Posted by Gambit
One of our high schools was hacked. 2 kids finally found a way around our network. Apparently, they had full access to the ENTIRE domain, had a few viruses ready. The school tech caught them, but not sure how much damage was done before they were caught. Now I have the luxury of the principal at my school asking me to try to figure out how they got access to our entire domain. I don't even know where to start.
I pay the students for information.. a couple of pound here and there goes a long way...
They grass up hackers, hacker tricks and rogue teacher passwords :-)