Disgruntled former employee problem

Mangoman20

I'm sure you have all heard this story before...

A mate of mine owns a small business, a key partner left on bad terms and is now occasionally "hacking" in and changing credentials, folder names etc etc.

Firewall is being swapped out shortly as well as all IP addresses & credentials changed.

I am helping them out as they haven't found a suitable IT support company.

Was looking for advice from forumites who could impart some tips i.t.o firewalls, intrusion detection, monitoring as well as trying to pick up if there are any future hack attempts.

Any ideas would be appreciated!

If you are not comfortable posting here, please PM me.
 

syntax

It's very simple. Use the firewall to fix this problem.
Remove his account,
change all RAS account passwords,
review firewall rulebase for suspect rules.

He cannot magically make changes if he cannot get past the firewall and get remote access. Stop this, and he is most likely screwed.

For safe measure, ensure all AD passwords are changed as well.

What firewall is this? What VPN / RAS access do you guys have?

If you need help let me know!

Lastly, he hardly sounds that malicious. There are a lot worse things you can do besides messing with permissions and changing folder names.
 

w1z4rd

You are in Jozi and can't find a decent company to do the work? Are you crazy? Get off your lazy butt and get a professional to resolve this. You simply do not have the skills to sort this out.
 

unskinnybob

Very helpful post w1z4rd. You could juggle a couple of suggestions, instead you chose the path of insult. Well done. Fact is, finding an affordable, reliable and credible SME support outsource partner in Gauteng ISN'T as easy as just that.
 

nivek

> Very helpful post w1z4rd. You could juggle a couple of suggestions, instead you chose the path of insult. Well done. Fact is, finding an affordable, reliable and credible SME support outsource partner in Gauteng ISN'T as easy as just that.

You get what you pay for though
 

Lounger

Sort out the underlying problem. Why is he disgruntled? It may be your car next with some nice spraypaint.
 

syntax

I forgot to mention,
Create a nice digital paper trail (log everything, IP, user accounts etc.), if he tries it again you will have a nice legal course of action to take.
Disgruntled employees soon stop being a pain once they get threatened with lawful action.
 

Mangoman20

All, thanks for the feedback:

@tau1z: Thank you very much for the advice, firewall is in the process of being replaced, any suggestions as to any specific one? Open source? Brand name? He hasn't been malicious yet, but has shown intentions of erasing files and corrupting the AD and OS. Where you mention the digital paper trail, what monitoring tool would you suggest for a SBS2003 box to monitor and log activity? I know the firewall will log all traffic, but looking for something to run on the servers to monitor and log activity on the box.

@w1z4rd: I have been off my lazy butt for the last 48 hours helping this guy. We have looked at various providers. Being a small company, he is limited from a financial perspective but also looking for IT security services and not just regular IT support. It's a difficult combination and a big ask; limited budget, sensitive company in a highly competitive market. I know I don't have the skills, hence me reaching out to you experts in order for me to help them select the correct provider. Any suggestions as to reputable companies would greatly be appreciated. There are many out there both good and bad and having my limited knowledge, I would like to help my mate select the correct provider.

@Nivek: 100%, hence me asking the forum for advice to suggest a legitimate provider and or software.

@Lounger: His "disgruntledness" is also being addressed, the situation between them is currently amicable pending a few settlement agreements.

Thanks guys!!
 

Major Boredom

Well to be honest, what you are asking for is not that niche. BUT you do get what you are paying for.
If by limited budget, you mean R0 then yes you will battle to find anyone.
Maybe give us an idea of what his budget looks like and what he is expecting in time spent and what skills he is looking for.
 

gregmcc

How do you know he is hacking in? How is he accessing your systems? Have you managed to trace his IP back to him? If you are 100% sure it's him and want to take legal action you would need to contact a professional who can collect all the evidence correctly and securely should it need to go to court.

He's most likely still accessing the system as the accounts he was using are still active. How is changing the firewall going to help? First thing you need to do is disable all the accounts he is using. If he knows any admin account passwords then you need to change the passwords as well.

I presume he's accessing your systems from the internet? What remote access do you have?
 

Tweak

> Very helpful post w1z4rd. You could juggle a couple of suggestions, instead you chose the path of insult. Well done. Fact is, finding an affordable, reliable and credible SME support outsource partner in Gauteng ISN'T as easy as just that.

If only there were people with this many posts 20k that were productive instead of self congratulatory statements. We would've had a very productive forum running here. Good job w1z4rd at being an ass bandit like usually. I find a lot of IT related companies don't always have the most clued up personnel and I wouldn't just allow anyone access to my network and pay them ludicrous amounts of money without knowing whether they are up to the job or not. The only way you could judge them is if you yourself know what needs to be done. This forum isn't for you to gloat about how much you think you know, your post was total crap and you should consider doing something better with your spare time w1z4rd.

You seem to have lost the plot regarding what this forum is about.
 

RSkeens

This should be a fairly simple situation to resolve. You can consider either locking down or reinstalling everything and then locking down but only do so after you have properly configured the firewall. I would assume this is to be performed by the company you are trying to find within the budget.

Like tau1z has already said, a critically important thing to remember is to record all the access and activity logs - it may not even be who you think it is and will prove invaluable in court.
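
Added example, not written by any poster in this thread: a small Python review of an exported Security log for the kind of access and activity record discussed above. The CSV layout, account names and addresses are constructed for illustration; the event IDs are the Windows Server 2003 Security log numbers for logon and account-management events.

```python
import csv
import io

# Windows Server 2003 Security log event IDs (pre-Vista numbering).
LOGON_OK = {"528", "540"}               # interactive / network logon succeeded
LOGON_FAIL = {"529", "531"}             # bad password / account disabled
ACCOUNT_CHANGE = {"624", "628", "642"}  # user created / password set / user changed

# Constructed sample export: column names and every value are invented.
# Account-management events carry no source address, so that field is empty.
SAMPLE_LOG = """timestamp,event_id,account,source_ip
2011-03-01 08:02:11,528,alice,192.168.1.20
2011-03-01 23:41:07,529,jsmith,203.0.113.45
2011-03-01 23:41:30,531,jsmith,203.0.113.45
2011-03-01 23:44:52,540,svc_backup,203.0.113.45
2011-03-01 23:46:10,628,svc_backup,
2011-03-02 08:05:40,528,bob,192.168.1.21
"""

def review_security_log(csv_text, revoked_accounts, trusted_prefixes):
    """Return (timestamp, account, source_ip, reason) for events to keep as evidence."""
    revoked = {a.lower() for a in revoked_accounts}
    trusted = tuple(trusted_prefixes)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event, account, ip = row["event_id"], row["account"].lower(), row["source_ip"]
        if account in revoked and event in LOGON_OK:
            reason = "revoked account logged on"
        elif account in revoked and event in LOGON_FAIL:
            reason = "logon attempt on revoked account"
        elif event in ACCOUNT_CHANGE:
            reason = "account change to verify"
        elif event in LOGON_OK and not ip.startswith(trusted):
            reason = "logon from untrusted address"
        else:
            continue
        findings.append((row["timestamp"], account, ip, reason))
    return findings

if __name__ == "__main__":
    # "jsmith" stands in for the departed partner's account (hypothetical name).
    for finding in review_security_log(SAMPLE_LOG, ["jsmith"], ["192.168.1."]):
        print(" | ".join(finding))
```

Run against a read-only copy of the exported log, so the original stays untouched for whoever collects the evidence.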
 