
How to track a user?



#1 lcm


Posted 12 April 2016 - 01:56 AM

Hi!

I have a network with a domain controller and Active Directory users in one location.
Also, in another location I have a different domain controller and Active Directory users. There are separate domains.

My problem is that I have a person who manages to connect from one location to another.

Each location that has a domain controller and Active Directory has a firewall... it's a FortiGate machine.

This person has only a user account in Active Directory. The local accounts on his computer are disabled.
On his computer the IP address is static. Both server and workstations are up to date.

He succeeds in using the Internet to connect to the other network, using administrator privileges.
This person makes changes on other computers in both locations... normal changes that are made only by the network administrator.

I think it's an undetectable virus / trojan. I would like to know how I can scan servers and services for undetectable viruses / trojans and trace how this person connects. From what I know so far, the user succeeds in intervening in a user's session from a different computer without the user's knowledge or realizing, and makes any changes he wishes.

I check the logon failures and I have many attempts to access the administrator account. The locations where I find them are every computer that I log on to with the administrator account and the primary / secondary domain controller.

I have software with which I manage my events... ADAudit Plus. My reports say that the event type is failure and the failure reason is bad password. The problem is that at logon time, for example at 12:33:25, the administrator account is accessed 44 times...

I think that some sort of trojan horse is trying to access my administrator account to steal my password...

My problem is how I detect this trojan horse... and how I delete it permanently. Where might I look for more information? What shall I do next?

Any suggestion / feedback / opinion is appreciated... thank you.


Edited by hamluis, 12 April 2016 - 12:32 PM.
Moved from MRL to Gen Security - Hamluis.
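
One way to find where a burst like the 44 bad-password failures at 12:33:25 comes from, as an added example that is not part of the original post: group failed-logon records by second and account, then rank the source machines. The CSV columns, host names, addresses and date are constructed for illustration; 0xC000006A is the Windows Security event 4625 sub-status for a wrong password.

```python
import csv
import io
from collections import defaultdict

BAD_PASSWORD = "0XC000006A"  # event 4625 sub-status: valid user name, wrong password


def build_sample():
    """Constructed failed-logon export (column names are assumptions)."""
    rows = ["time,account,source_host,source_ip,logon_type,sub_status"]
    # 44 failures in the same second, most of them from one workstation
    rows += ["2016-04-12 12:33:25,Administrator,WS-EXAMPLE-17,192.0.2.17,3,0xC000006A"] * 40
    rows += ["2016-04-12 12:33:25,administrator,DC-EXAMPLE-01,192.0.2.10,3,0xc000006a"] * 4
    # Background noise: one mistyped password, one unknown-user failure
    rows += ["2016-04-12 12:40:02,jsmith,WS-EXAMPLE-03,192.0.2.33,2,0xC000006A"]
    rows += ["2016-04-12 12:41:10,administrator,WS-EXAMPLE-17,192.0.2.17,3,0xC0000064"]
    return "\n".join(rows)


def find_bursts(csv_text, threshold=10):
    """Return (second, account) buckets with >= threshold bad-password failures,
    each with its source machines ranked by failure count."""
    buckets = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["sub_status"].upper() != BAD_PASSWORD:
            continue
        key = (row["time"], row["account"].lower())
        # logon_type 3 = network logon, 2 = interactive logon at the console
        source = (row["source_host"], row["source_ip"], row["logon_type"])
        buckets[key][source] += 1
    bursts = []
    for (second, account), sources in sorted(buckets.items()):
        total = sum(sources.values())
        if total >= threshold:
            ranked = sorted(sources.items(), key=lambda kv: -kv[1])
            bursts.append({"time": second, "account": account,
                           "total": total, "sources": ranked})
    return bursts


if __name__ == "__main__":
    for burst in find_bursts(build_sample()):
        print(burst["time"], burst["account"], burst["total"], "failures")
        for (host, ip, logon_type), count in burst["sources"]:
            print(f"  {count:3d}  {host} ({ip}) logon type {logon_type}")
```

A machine that dominates such a bucket is the one to examine first for a service, scheduled task or mapped drive still using an old administrator password.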




#2 hamluis


Posted 12 April 2016 - 12:30 PM

You have posted the same topic on two other forums.

 

I suggest that you heed the suggestion posted at http://forum.thewindowsclub.com/windows-security/37956-how-do-i-solve-domain-controller-2012-standard-active-directory-problem.html .

 

Posting on multiple websites may result in conflicting suggestions/tentative solutions.  We do not wish to contribute to such and respect the suggestions provided by another forum when the same topic is involved.

 

Louis

 





