
Thread: I'm getting the blame for hacking

  1. #1
    Just burned his ISO
    Join Date
    Oct 2009
    Posts
    3

    Default I'm getting the blame for hacking

    Hi everyone,

    I have Tiscali broadband and have had it for a few months now. I work in a school as an IT technician so I have access to the server and all PCs there. One of the things we have is Cisco VPN so teachers can take their laptops home, connect securely through the Internet back into the school network.

    The other day, someone used a VPN, got onto a server and started maliciously deleting accounts. The security team became involved and it has been traced back to MY home broadband. How can this be?

    Is it possible someone has used my broadband username and password and logged into their router as me from another property and it's linked the IP address as belonging to me?

    Could someone have VPN'd in from somewhere else and somehow spoofed my IP address?

    My wireless has wep encryption - not strong, I know but they would still have needed the VPN client, no?

    I found that my router had remote access enabled so could someone have come in from outside, accessed my PC and VPN'd in from there?

    Whoever's done it has hacked the servers at the school and it's all pointing back to my IP address ! I am in big trouble right now.

    Please Help !

  2. #2
    Member godcronos's Avatar
    Join Date
    Jan 2010
    Posts
    103

    Default Re:

    Morbius, a lot is involved when something like that happens!
    First the "crackers" need to know your public IP address. Secondly, if they hacked into your computer it's probable that you are running some exploitable service, unsecure service (no or poor authentication, or whatever) or your computer's security just sucks! I'd say check your PC for spyware, viruses, etc. If you are running Windows and know little about security, learn how to do basic pentesting on your home network. You are part of a community that teaches you how to do stuff like that, spend some time reading and reading some more.
    If you get stuck, people here are cool, and with smart questions you will get smart answers.
    Check your computer's logs for intrusions, learn how to use a firewall (I like ZoneAlarm, there's a free version out there). Keep in mind that security comes at a price!
    Does your home IP address match the one in their logs? Go to canyouseeme.org to find out what your IP address is and then tell them that you want to see the logs yourself, before you believe it. If they refuse, they are pulling your leg, or whatever...

    This can be a long post, so I'll stop here. If you cover the above, you should have at least a basic knowledge of what's going on and know for sure what happened. If you find that someone hacked into your computer, save the log, do a print screen of the page, whatever it takes to save your a$$.
    You can't have 2 identical public IP addresses on the Internet. Your IP would have needed to be "offline" for that person to use your public IP. I read something about this some time ago.

    Also, your router's remote management is only for controlling the router remotely, not your computer. Oh, and use a stronger password for everything.

    Good luck!

  3. #3
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    I cannot believe that you're using WEP on your wireless. The policy here is that any machine that is going to be taken home and used on a wireless network there must be running WPA2 AES encryption. For you to be using WEP is just plain stupid. If the user here cannot support the minimum requirement then they must use LAN and not Wifi.

    Security is done through layers, and your first layer was effectively a broken screen door.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  4. #4
    Member godcronos's Avatar
    Join Date
    Jan 2010
    Posts
    103

    Default Re:

    Some more advice:
    - don't save your VPN password in the Cisco utility
    - don't use WEP (Streaker69 is right)

    Also, for someone to start deleting accounts, he must have known a lot about that network. Where the servers are (IPs, etc.), the admin password, network security, etc.
    Well, maybe he did it from a different IP (studying the network) and then logged in as you when he did the damage. I'd say it's possible. You are the weakest link, you should not have VPN rights anymore. Now, there is a question in my mind: why you? It could have been anyone. Also, for your job title, you should not have administrator rights, it's too much! Blame it on the network admin, for being gullible or not working with security in mind and giving you too much server access. Don't want to be mean to you, but somewhere in those words, you will see a grain of truth.

    Someone, somehow got your passwords (broadband, VPN, domain admin, remote management). That's a lot of work, for one purpose, to just delete some accounts. I'd make sure to "own" and maintain network access. They can't do this in one day, or one night, unless general security on that network suuuucks! So, your network was targeted!

    I'd change all the passwords at this point to something way more secure, and start thinking like the criminal. You do want to keep your job, right?
    Pentesting, some paranoia, work together with the security team to find out how; you might learn something about yourself and security. It's a start.
    Showing that you are willing to find out how it happened will show them that you are probably innocent and not knowledgeable enough to do something like that.
    Alright, that is all!
    Let me know what the result is. I am curious now!

  5. #5
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Quote Originally Posted by Morbius View Post
    Is it possible someone has used my broadband username and password and logged into their router as me from another property and it's linked the IP address as belonging to me?
    Your ISP should have a record of this if it happened, but I don't think it's the explanation for this issue, as the attacker still would have needed your VPN credentials. How did the school's security guys link the IP address to you? Did they get the police involved, have them obtain a warrant and then obtain your name and location from the ISP, or did they just check the VPN connection logs and match your VPN username to your IP address?

    Quote Originally Posted by Morbius View Post
    Could someone have VPN'd in from somewhere else and somehow spoofed my IP address?
    Is it a Cisco IPSec VPN or an SSL VPN? Spoofing like this is really not likely with IPSec. Probably not with SSL either. It's pretty hard to hold a two-way conversation using a spoofed address without some decent network access somewhere between the destination host and the spoofed system.

    Quote Originally Posted by Morbius View Post
    My wireless has wep encryption - not strong, I know but they would still have needed the VPN client, no?
    The client they could probably get from elsewhere, they would have needed the VPN connection file from your system however. In this case I think WEP would only have been a potential problem if your wireless network was used as a means to obtain local networked access to your PC by the attacker. This would have required reasonable physical proximity of the attacker to your home during the period of the attack. Cracking WEP alone wouldn't have helped anyone to access your VPN.

    Quote Originally Posted by Morbius View Post
    I found that my router had remote access enabled so could someone have come in from outside, accessed my PC and VPN'd in from there?
    Yep. Or they could have used one of the many available methods that exist to hack a PC and they could have planted a backdoor to allow them to use your PC for accessing the VPN.

    Or the attackers modified the logs that the security guys are using as evidence of your guilt. This kind of attack seems very much like the work of a teenage computer vandal to me, or of someone deliberately trying to set you up, or of someone trying to cover up a mistake by pointing blame in your direction. A serious attacker would not have done something so attention-getting as deleting accounts unless they needed to do it to cover up something else; most likely they would have gone in, got what they were after and left with no one being the wiser.

    Or there is some other explanation.

    Quote Originally Posted by Morbius View Post
    Whoever's done it has hacked the servers at the school and it's all pointing back to my IP address ! I am in big trouble right now.

    Please Help !
    Not that much we can do to help you. Get a good lawyer. Have your PC examined for signs of intrusion.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  6. #6
    Just burned his ISO
    Join Date
    Oct 2009
    Posts
    3

    Default

    Thanks, you two, for replying.

    I guess security is pretty poor generally. The laptops the teachers use have the Cisco VPN client installed. All the teacher does is open the client, click connect, enter their username and password, a couple of clicks and they are connected.

    I am suspended and all I've been told is that an admin account has been used to VPN in and it's been traced back to my IP address. I don't know when or how many times this has happened.

    From time to time, in the past, I've brought some of these laptops home myself, usually to work on them, and they've had broken AVs and several trojans. Foolishly, I've left them on and connected by an ethernet cable, sometimes over the weekend.

    I think, if I was me, I'd sack me for being so negligent.

    Would the MAC address of the machine that VPN'd in be listed in their logs somewhere? Because if it's a MAC address that doesn't belong to any of these machines then that's maybe a start?

    Quote Originally Posted by lupin View Post
    Your ISP should have a record of this if it happened, but I don't think it's the explanation for this issue, as the attacker still would have needed your VPN credentials. How did the school's security guys link the IP address to you? Did they get the police involved, have them obtain a warrant and then obtain your name and location from the ISP, or did they just check the VPN connection logs and match your VPN username to your IP address?
    Neither, I think. From what I can gather, it wasn't my account that was used but another admin account that no-one was aware of. I think they found the source IP and the ISP (Tiscali) provided my name as the owner of that IP.

    Quote Originally Posted by lupin View Post
    Is it a Cisco IPSec VPN or an SSL VPN? Spoofing like this is really not likely with IPSec. Probably not with SSL either. It's pretty hard to hold a two-way conversation using a spoofed address without some decent network access somewhere between the destination host and the spoofed system.
    It's Cisco VPN installed on all staff laptops. Any account in AD can be used to get on the school network. I'm told it happened to be a domain admin account which presumably then RDP'd on to a server.

    I'm not sure which laptop has been targeted because they come and go; most have been re-imaged. Would their logs tell them the machine's MAC address or would it only be the MAC address of my router?

    You see, I'm not being given much to go on as I'm the number 1 suspect right now.

  7. #7
    Moderator fancy's Avatar
    Join Date
    Jan 2010
    Posts
    204

    Default

    Quote Originally Posted by Morbius View Post
    Would their logs tell them the machine's MAC address or would it only be the MAC address of my router.
    NO! No MAC address at all will show up in their logs. Only if you had a layer 2 connection, but here that is not the case. I'm sure they only have the IP address. As lupin suggested, the best you can do is get a good lawyer and have your PC examined for signs of intrusion.
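    To make fancy's point (and Morbius's question about what the school's VPN logs can actually show) concrete, here is an added triage script that is not part of this thread and not any poster's code. It assumes a constructed, generic session-log format (timestamp, event, username, public source IP, assigned tunnel IP), not the real syntax of any Cisco log; the sample lines and addresses are made up for the example. It pairs session start/end events, lists which accounts came from a given public IP, flags off-hours sessions, and shows by inspection that the only identifying field per session is the source IP: nothing at layer 2 (no MAC address) survives past the home router, so a MAC is simply not in the data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a generic session-log format (NOT real Cisco syslog).
# Addresses are documentation ranges; usernames are invented for the example.
SAMPLE_LOG = """\
2010-01-12 22:14:03 SESSION_START user=j.smith src=203.0.113.45 assigned=10.8.0.12
2010-01-12 23:02:51 SESSION_END user=j.smith src=203.0.113.45 assigned=10.8.0.12
2010-01-13 01:17:22 SESSION_START user=svc_admin src=198.51.100.77 assigned=10.8.0.31
2010-01-13 01:58:09 SESSION_END user=svc_admin src=198.51.100.77 assigned=10.8.0.31
2010-01-14 02:03:40 SESSION_START user=svc_admin src=198.51.100.77 assigned=10.8.0.19
2010-01-14 02:41:15 SESSION_END user=svc_admin src=198.51.100.77 assigned=10.8.0.19
2010-01-14 09:30:00 SESSION_START user=a.jones src=192.0.2.200 assigned=10.8.0.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>SESSION_START|SESSION_END) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) assigned=(?P<tun>\S+)$"
)


def parse_sessions(text):
    """Pair SESSION_START/SESSION_END lines into session records.

    A session still open at the end of the log is kept with end=None so it is
    not silently dropped from the evidence.
    """
    open_sessions = {}
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than abort the whole triage
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["user"], m["src"], m["tun"])
        if m["event"] == "SESSION_START":
            open_sessions[key] = ts
        else:
            start = open_sessions.pop(key, None)
            sessions.append({"user": m["user"], "src": m["src"], "tun": m["tun"],
                             "start": start, "end": ts})
    for (user, src, tun), start in open_sessions.items():
        sessions.append({"user": user, "src": src, "tun": tun, "start": start, "end": None})
    return sessions


def sessions_from_ip(sessions, public_ip):
    """All sessions whose public source address is public_ip (what the school matched on)."""
    return [s for s in sessions if s["src"] == public_ip]


def accounts_by_source(sessions):
    """Map each public source IP to the set of accounts that logged in from it."""
    out = defaultdict(set)
    for s in sessions:
        out[s["src"]].add(s["user"])
    return dict(out)


def off_hours(sessions, cutoff_hour=6):
    """Sessions that started before cutoff_hour local time: a cheap anomaly signal."""
    return [s for s in sessions if s["start"] is not None and s["start"].hour < cutoff_hour]


def fields_available(text):
    """Names of the key=value fields present in the log; note there is no 'mac'."""
    names = set()
    for line in text.splitlines():
        names.update(re.findall(r"(\w+)=", line))
    return names


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    print("fields in log:", sorted(fields_available(SAMPLE_LOG)))
    print("accounts per source IP:", accounts_by_source(sessions))
    for s in off_hours(sessions):
        print("off-hours session:", s["user"], "from", s["src"], "at", s["start"])
```

    Run it and the field list is just user, src and assigned: the investigators can tie a session to a public IP and an account, and the ISP can tie that IP to a subscriber, but nothing in this data identifies which laptop behind the router was used. That is exactly why a forensic look at the home PC and the laptops that were connected there is the place where the real evidence would be.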

  8. #8
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by Morbius View Post
    Thanks, you two, for replying.

    I guess security is pretty poor generally. The laptops the teachers use have the Cisco VPN client installed. All the teacher does is open the client, click connect, enter their username and password, a couple of clicks and they are connected.

    I am suspended and all I've been told is that an admin account has been used to VPN in and it's been traced back to my IP address. I don't know when or how many times this has happened.

    From time to time, in the past, I've brought some of these laptops home myself, usually to work on them, and they've had broken AVs and several trojans. Foolishly, I've left them on and connected by an ethernet cable, sometimes over the weekend.

    I think, if I was me, I'd sack me for being so negligent.

    Would the MAC address of the machine that VPN'd in be listed in their logs somewhere? Because if it's a MAC address that doesn't belong to any of these machines then that's maybe a start?

    Neither, I think. From what I can gather, it wasn't my account that was used but another admin account that no-one was aware of. I think they found the source IP and the ISP (Tiscali) provided my name as the owner of that IP.

    It's Cisco VPN installed on all staff laptops. Any account in AD can be used to get on the school network. I'm told it happened to be a domain admin account which presumably then RDP'd on to a server.

    I'm not sure which laptop has been targeted because they come and go; most have been re-imaged. Would their logs tell them the machine's MAC address or would it only be the MAC address of my router?

    You see, I'm not being given much to go on as I'm the number 1 suspect right now.
    I think you need to sit back and seriously think about the mistakes you made there. You should have never been taking infected machines home to work on. Once a machine is suspected of being infected, it should never be allowed to connect to the network. The drive should have been pulled from the machine and at a minimum scanned and cleaned, without the OS being booted up.

    The best practice for such machines would be to pull the drive, write an image of it using Ghost, and reinstall the machine fresh. Then using Ghost Explorer pull any data out of the image and restore it back to the machine.

    Today's trojans and such are nothing to be fooled around with on a production network; once it is suspected that a machine has been compromised, it should be quarantined and not put back onto the network until it has been verified clean.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  9. #9
    Just burned his ISO
    Join Date
    Oct 2009
    Posts
    3

    Default

    How does an ISP give out the owner of an IP address? Does that mean they have involved the police? I'm half expecting them at my door any day now.

    Like I said, any evidence is back in the school right now. The PC I'm using now is clean and I have turned wifi off. There's nothing to find here - I don't know if that's good or bad.

    My head's in a spin. I feel physically sick.

  10. #10
    Junior Member Goldhedge's Avatar
    Join Date
    Sep 2009
    Posts
    60

    Default

    Quote Originally Posted by Morbius View Post
    How does an ISP give out the owner of an IP address? Does that mean they have involved the police? I'm half expecting them at my door any day now.

    Like I said, any evidence is back in the school right now. The PC I'm using now is clean and I have turned wifi off. There's nothing to find here - I don't know if that's good or bad.

    My head's in a spin. I feel physically sick.
    Sit down and document all that you can before speaking to anyone. If you have nothing to hide, then there's nothing to fear and you should welcome the opportunity to aid in the investigation.

    If you have something to hide, then call a lawyer.
