Full Version: Computers being hacked
bargainshare.com > Community > Computer & Tech Help
n99nyrwg
So the way my department is set up is that everybody logs into their local computer and uses their computer that way, so no domain. (This is how all offices are, not the labs, but the labs aren't an issue right now.) So every once in a while in the past we would get a machine hacked that was being used as a scanbot, eggdrop, or a dump for warez. All the time in the past it was because the computer was not updated, but just recently I fully updated a computer, and I know it was as secure as all of our other machines. We don't use firewalls besides XP Firewall (I'd like to change that, but not my choice). So of course it could get more secure, but it should be fine granted the user isn't doing anything shady.

So my question is, do any of you install anything on machines to log intrusions or that type of info? I don't want to invade on the users privacy, and I don't want to spy on what he's doing. I just want to spy on what people who are hacking the computer are doing.

So please let me know if you use any logging software.

If you are more interested in the current problem:

The PC was reformatted within the last month because it had been turned into a warez dump (it had season 1 of 24 on it along with some other French movies). I never connect PCs to the network until they are fully updated, so I know it didn't get infected during install. We use XP Firewall and Symantec AntiVirus (which I know has been up to date). The computer was just hacked again on Monday. Today (even though the user was supposed to keep his machine off) I started getting reports (I run a SAV server) that he had viruses (Ilovexp1.exe, Ilovexp2.exe, etc.) in c:\recycler. It all started with detecting the SubSeven backdoor on Monday though.

I'm going to reformat the PC again, but the problem is we have static IPs. So as soon as it's back online they can target it again and maybe use the same vulnerability they have in the past, since it doesn't seem to be fixed through updates. This also means my other computers are at risk. This is all taking for granted that it's not user error, because he claims he is very safe about using that computer.
msh11
I'll have to find out for you what dh's husband's work is using. It was pretty explicit in terms of who/where the intrusions were coming from that they in 3 days have all the info they need to prosecute. smile.gif

Problem is they are on a domain with local and remote access, but since last week when they were majorly hacked, they have just installed RSA server and RSA remote keys for remote access. I'll see what I can find out.
dewolfxy
Really? You have that many problems? I informally admin about 6 or 8 machines here, all XP, all fully patched with symantec AV updated, and I've never had a problem getting hacked into. I've gotten worms on non-updated machines, but never on ones that are updated. Windows firewall is all I use. Static IPs too. But I suppose once a machine gets attacked if it's unpatched, maybe they really keep trying even after you patch it.
n99nyrwg
I have about 300 machines in my department. I'd say 90% or more are all XP SP2. I know for sure this one was fully patched and updated at the time of the hacking. But maybe they took advantage of the Windows vulnerabilities right before they came out on Tuesday, I'm really not sure.

I'd say we have hack attempts about once a month, sometimes more. I believe the reason ours is more than yours is because we are an edu, so fast connection. We constantly have people portscanning for vulnerabilities. Most of the time they don't get anywhere. Soon I will have the SMS server up and running and then hopefully it goes down to one a year. I like repairing the hacked computers though, I find it fun; it's a challenge if they really knew what they were doing. I usually reformat since that's safest, but I still like messing around with them first to see what they've done.

msh11 - thanks for the info, sounds like a very interesting program.
dewolfxy
I'm in a .edu domain too, very fast connection. We are being scanned constantly, I've checked. Static IPs, the only firewall is the Windows XP one. I'm just interested, because I see lots of computers getting hacked but my impression is they have either (1) no firewall, (2) lack updates to XP, (3) lack updated antivirus software. I'm curious to hear how hackable a computer is that has all 3 of those active and up to date. My impression is that it's very rarely hacked, but I'm interested to hear what other people find.
n99nyrwg
QUOTE(dewolfxy @ 2-10-05, 5:38pm)
I'm in a .edu domain too, very fast connection. We are being scanned constantly, I've checked. Static IPs, the only firewall is the Windows XP one. I'm just interested, because I see lots of computers getting hacked but my impression is they have either (1) no firewall, (2) lack updates to XP, (3) lack updated antivirus software. I'm curious to hear how hackable a computer is that has all 3 of those active and up to date. My impression is that it's very rarely hacked, but I'm interested to hear what other people find.

Oh ok, well then I guess we are in the same situation. Also, not sure if I was clear, but this is the first time I've had a computer hacked that was fully updated. In the past it was always because of the reasons you listed.

But also, like I said, it may be because these guys just took advantage of the MS vulnerabilities right before the updates came out. I don't really know, I haven't looked at the actual computer yet. Hopefully 24 Season 2 is on it...
Alan
You can try using the Security log built into XP Pro.

To turn on security logging
1. Open Local Security Policy in Administrative Tools
2. In Console Root, select Local Policies, and then click Audit Policy.
3. In the details pane, right-click the attribute or event you want to audit.
4. In Properties, select the options you want, and then click OK.

To set up auditing of files and folders
1. Open Local Security Policy in Administrative Tools
2. In Console Root, select Local Policies, and then click Audit Policy.
3. In the details pane, double-click Audit Object Access.
4. In the Audit object access Properties dialog box, click the options you want, and then click OK.

To specify files and folders to audit (NOTE: Make sure to turn off simple file sharing)
1. In Windows Explorer, right-click the file or folder you want to audit, and then click Properties.
2. On the Security tab, click Advanced.
3. On the Auditing tab, click Add.
4. In the Select User, Computer, or Group dialog box, select the name of the user or group whose actions you want to audit, and then click OK.
5. In the Auditing Entry dialog box, in Access, click Successful, Failed, or both for the actions you want to be audited, and then click OK.
n99nyrwg
QUOTE(Alan @ 2-10-05, 5:51pm)
You can try using the Security log built into XP Pro.

To turn on security logging
1. Open Local Security Policy in Administrative Tools
2. In Console Root, select Local Policies, and then click Audit Policy.
3. In the details pane, right-click the attribute or event you want to audit.
4. In Properties, select the options you want, and then click OK.

To set up auditing of files and folders
1. Open Local Security Policy in Administrative Tools
2. In Console Root, select Local Policies, and then click Audit Policy.
3. In the details pane, double-click Audit Object Access.
4. In the Audit object access Properties dialog box, click the options you want, and then click OK.

To specify files and folders to audit (NOTE: Make sure to turn off simple file sharing)
1. In Windows Explorer, right-click the file or folder you want to audit, and then click Properties.
2. On the Security tab, click Advanced.
3. On the Auditing tab, click Add.
4. In the Select User, Computer, or Group dialog box, select the name of the user or group whose actions you want to audit, and then click OK.
5. In the Auditing Entry dialog box, in Access, click Successful, Failed, or both for the actions you want to be audited, and then click OK.

Wow, I didn't even know that existed, thanks Alan.
Alan
QUOTE(n99nyrwg @ 2-10-05, 5:55pm)
Wow, I didn't even know that existed, thanks Alan.

Cool. Oh, forgot to mention, to view the logs go into Event Viewer, also in Administrative Tools. If you don't turn on security logging the security section will be empty.
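Once the audit policy above is on, the next practical step is reading what the Security log actually recorded. The following script is an added example, not code from the thread or from Microsoft: it takes a Security log exported from Event Viewer (XP can save a log as CSV) and tallies logon attempts per source address, so repeated failures or a successful network logon from off-campus stand out. Assumptions are labelled in the code: the column layout of the export, the XP-era event IDs (529 logon failure, 528 successful logon, 540 successful network logon) and the "User Name", "Logon Type" and "Source Network Address" fields that XP writes into the event description, the placeholder campus netblock 192.0.2.0/24, and the constructed sample records. Adjust the column names and the netblock to match a real export before relying on it.

```python
"""Triage an exported Windows XP Security log for remote logon activity.

Added example, not from the thread. Assumptions: the log was exported from
Event Viewer as CSV with the columns shown in SAMPLE_CSV; XP-era event IDs
529 (logon failure), 528 (successful logon) and 540 (successful network
logon); XP SP1+ descriptions carrying "User Name:", "Logon Type:" and
"Source Network Address:"; 192.0.2.0/24 stands in for the campus netblock.
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Assumption: replace with the address ranges you consider "inside".
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]

FAILURE_IDS = {529}        # bad user name or password (XP/2003 numbering)
SUCCESS_IDS = {528, 540}   # successful logon / successful network logon

USER_RE = re.compile(r"User Name:\s*([^;]+)")
TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
ADDR_RE = re.compile(r"Source Network Address:\s*([0-9.]+|-)")

# Constructed sample export, one record per line (not real log data).
SAMPLE_CSV = """\
Date,Time,Event,User,Description
2/7/2005,02:13:07,529,SYSTEM,"Logon Failure; User Name: admin; Logon Type: 3; Source Network Address: 203.0.113.5; Source Port: 4021"
2/7/2005,02:13:09,529,SYSTEM,"Logon Failure; User Name: administrator; Logon Type: 3; Source Network Address: 203.0.113.5; Source Port: 4022"
2/7/2005,02:13:12,529,SYSTEM,"Logon Failure; User Name: root; Logon Type: 3; Source Network Address: 203.0.113.5; Source Port: 4023"
2/7/2005,02:14:40,540,SYSTEM,"Successful Network Logon; User Name: user1; Logon Type: 3; Source Network Address: 203.0.113.5; Source Port: 4031"
2/7/2005,08:02:11,529,SYSTEM,"Logon Failure; User Name: jsmith; Logon Type: 3; Source Network Address: 192.0.2.10; Source Port: 1088"
2/7/2005,08:02:30,528,SYSTEM,"Successful Logon; User Name: jsmith; Logon Type: 2; Source Network Address: -; Source Port: -"
2/7/2005,23:51:02,540,SYSTEM,"Successful Network Logon; User Name: guest; Logon Type: 3; Source Network Address: 198.51.100.7; Source Port: 3390"
"""


def parse_export(text):
    """Turn the CSV export into a list of dicts with the fields we triage on."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        desc = row["Description"]
        user = USER_RE.search(desc)
        ltype = TYPE_RE.search(desc)
        addr = ADDR_RE.search(desc)
        events.append({
            "when": f"{row['Date']} {row['Time']}",
            "event": int(row["Event"]),
            "user": user.group(1).strip() if user else row["User"],
            "logon_type": int(ltype.group(1)) if ltype else None,
            "addr": addr.group(1) if addr else "-",
        })
    return events


def is_campus(addr):
    """True for addresses inside CAMPUS_NETS; '-' (console logon) counts as local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in CAMPUS_NETS)


def summarize(events):
    """Count failed and successful logons per source address, with user names tried."""
    by_addr = defaultdict(lambda: {"failures": 0, "successes": 0, "users": set()})
    for ev in events:
        if ev["addr"] == "-":
            continue  # interactive/console logon: no remote source to attribute
        if ev["event"] in FAILURE_IDS:
            by_addr[ev["addr"]]["failures"] += 1
        elif ev["event"] in SUCCESS_IDS:
            by_addr[ev["addr"]]["successes"] += 1
        else:
            continue
        by_addr[ev["addr"]]["users"].add(ev["user"])
    return dict(by_addr)


def suspicious(summary, fail_threshold=3):
    """Map source address -> reasons: a burst of failures, or any success from outside."""
    flagged = {}
    for addr, s in summary.items():
        reasons = []
        if s["failures"] >= fail_threshold:
            reasons.append(f"{s['failures']} failed logons trying {sorted(s['users'])}")
        if not is_campus(addr) and s["successes"]:
            reasons.append(f"{s['successes']} successful network logon(s) from off-campus")
        if reasons:
            flagged[addr] = reasons
    return flagged


if __name__ == "__main__":
    for addr, reasons in suspicious(summarize(parse_export(SAMPLE_CSV))).items():
        print(addr, "->", "; ".join(reasons))
```

The successful network logon from 203.0.113.5 right after a run of failures against administrator-style names is the pattern worth chasing first; a console logon (Logon Type 2, source "-") is deliberately left out of the per-address tally because it is the user at the keyboard, not a remote party.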
Colebert
GET A ROUTER OR A HARDWARE FIREWALL.

You will always be fighting a losing battle until you get NAT. Why do you need real internet-address static IPs on every one of the computers?
dewolfxy
QUOTE(Colebert @ 2-10-05, 8:21pm)
GET A ROUTER OR A HARDWARE FIREWALL.

You will always be fighting a losing battle until you get NAT. Why do you need real internet-address static IPs on every one of the computers?

That kind of decision needs to be made by the bureaucracy at the university, not locally. Most universities I know have static IPs on all the computers, and only select departments run firewalls (and it has to be approved by the university).
scaryjerry
We use a Firebox. Not cheap, but cost-effective vs. the time associated with chasing down problems.
n99nyrwg
QUOTE(Colebert @ 2-10-05, 8:21pm)
GET A ROUTER OR A HARDWARE FIREWALL.

You will always be fighting a losing battle until you get NAT. Why do you need real internet-address static IPs on every one of the computers?

Like dewolfxy said, it's not our decision.

As far as the static IPs, I think the departments like to know who has what IP in case there is a problem.
Colebert
My school has a hardware firewall, yet still gives out real static IP addresses. Are you sure that the attacks aren't coming from WITHIN the campus network?
n99nyrwg
QUOTE(Colebert @ 2-11-05, 10:32am)
My school has a hardware firewall, yet still gives out real static IP addresses. Are you sure that the attacks aren't coming from WITHIN the campus network?

Yes, I logged some IPs previously and they were from a different country.
Colebert
Honestly, your school is hanging you out to dry if they have every one of their computers with static IPs and a free and clear path into the Great Cloud.

Every computer ought to at least have a HARDWARE solution of some type.

Just using the audit is like the school doesn't care if someone stabs you, just make sure you can feel the pain.
n99nyrwg
QUOTE(Colebert @ 2-11-05, 3:20pm)
Honestly, your school is hanging you out to dry if they have every one of their computers with static IPs and a free and clear path into the Great Cloud.

Every computer ought to at least have a HARDWARE solution of some type.

Just using the audit is like the school doesn't care if someone stabs you, just make sure you can feel the pain.

It's not every PC on campus, it's just staff PCs. Every department I've been in has been like this, but that is not to say all staff computers are like this, I just assume they are. But all student IPs, dorm PCs, etc. are all dynamic.

As far as the firewall, as I said it's out of my hands. However the people who run the networks are very intelligent. If they haven't implemented firewalls there must be a good reason.