
| Subject: | RE: Win2K3 Priv Escalation |
|---|---|
| Date: | Wed, 28 Nov 2007 09:31:22 -0800 |
It's good that he got it running (it's easy enough with physical access), but your friend should probably plan for a rebuild in the near future, or at least a comprehensive audit against the systems. If the ex-admin deleted accounts and changed passwords (which, btw, will land him in jail if the company follows through with it as they should) then you have no idea what else he's done to compromise the DC or any other system he has access to. It's probably too late to depend on any forensic information to build a case against any additional damages (since your friend has already stepped on the file system and AD) - but who knows, a plea bargain including reparation for expenses could cover the costs for them. Bottom line is that the integrity of the install is compromised, and you'll have no effective way of determining what level of trojans, rootkits, malware, etc. he has in place given his obvious propensity for criminal behavior. Leaving things "as is" and moving forward could be a mistake.

t
-----Original Message-----
From: Justin@ESC [mailto:justin@escracing.com]
Sent: Wednesday, November 28, 2007 5:12 AM
To: bugtraq@securityfocus.com
Subject: Re: Win2K3 Priv Escalation

Thanks for all the replies, he got himself in, and they should be contacting local authorities or at least a lawyer today. It's a manufacturing company and for some reason 2 of the key services were run under a user acct that once had admin permissions; without the administrative rights it wouldn't run, and it couldn't be switched over to a system service because no one had rights to do so. A day's worth of work down the drain, gotta love rogue employees is all I can say. Thanks again :)