+ 0 Votes
I am unfamiliar with the RAS log BUT
DanLM 7 years ago

I have issues with people trying to ssh into my home machine all the time.... What I look for, after I firewall the pricks is........ Was a successful login made? With that I have the IP address of the login. Won't the RAS show you the same? I.e., if an actual successful login occurred with that user id???

dan

+ 0 Votes
Mystery Solved
dbell 7 years ago

I got another call from the user whose name was used. She said that she gave an old laptop to a friend and it still had the VPN connection set up on it. We have her old business laptop but apparently she had a personal laptop that she also used to connect to the system. She says that she deleted all the company documents from that system, but didn't delete the VPN from network connections. She assures me that this has been done now. It seems like we need better sanitization procedures in place for situations like this, but this resolution is preferable to unknown hackers attempting to break in. Thanks for all the help and advice. I have a much better idea what to do next time I see suspicious activity.

+ 0 Votes
Ideally, you should have a business process in place
Neon Samurai 7 years ago

The previous posts covered question 1: did they actually get in. You should have some standard idea of steps to follow: check logs for successful login, where did the intruder go and what did they touch, how did they get in and how can it be corrected. Ideally, if this is a business, you should have a standard investigation and documentation process set up. It's more responsible for a business to say "someone almost got through, here's what we did to be proactive for next time." Local law should be notified and the remote ISP notified in case the user is a known troublemaker. Even if you're going to take the older way of thinking and skip notifying the public or law, document everything and adjust your security settings accordingly.

It would also be worth contacting the Hacker Profiling project (sorry, no website link) as they are compiling a database of such attempts.

In a home setting, it's more your call. Was the breach big enough to warrant law enforcement? Was it large enough or repeated frequently enough to warrant notifying the registered owner of the IP address or their ISP? Are you better to simply adjust your security to cover the now-discovered hole? I had someone banging on my FTP server; in that case, it was more fun to turn my security apps back at them. I always did wonder what the look on their face was when they realized they got profiled by the mark (Win2k box in North Korea according to my trace).

+ 0 Votes
and an ESM
Dr Dij Updated - 7 years ago

Security mgmt software reads the logs and filters out false positives generally, and shows relations between events you might not realize were connected; it can start incidents and collect all info; they can either shut out the intruder or ask you if you want to. And others are right, procedures should be set up. If you're too small a company, there are managed providers who will monitor.

+ 0 Votes
Report before you take action
sridhar.jayaraman 7 years ago

Do not investigate without reporting it. File a report with your senior management and if you have a corporate policy in place, this will be passed on to the authorities. There have been many cases where sysadmins have investigated and later the evidence failed to stand up in court since the "state of the system has been altered" and "it is no longer possible to vouch for the integrity of the system", whatever that means. But if you need to raise **** to get this reported, do so.

+ 0 Votes
Proper Procedures
frvr 7 years ago

Whether or not this is a business or home use, the proper procedure for you to follow is as listed:
1) Notify the abuse address of the ISP with proper documentation of IP address and logs.
2) Notify the abuse address that you will be filing a report with both your local authorities and state attorney general.
3) File reports with both your local and state authorities.
Since this action originated in Virginia, past experiences that I have had resulted in immediate investigations, especially by the ISP, who does not want the "bad" publicity and/or legal actions taken against them. One thing to remember is that although the attack originated in Virginia, this computer might have been compromised and used as a zombie for an attack occurring outside the United States. This is why it is imperative that you take these necessary steps, so that all involved can trace the original attempt, and if based in the United States, take appropriate legal action (not necessarily on your part, this might be done by the ISP in compliance with government regulations).

+ 0 Votes
CONTACT LAW ENFORCEMENT
BALTHOR 7 years ago

You never know, you might be seeing the Gestapo or Cosa Nostra.

+ 0 Votes
Come on
Stimpi 7 years ago

Disable RAS in services, change reg policies to null, port scan yourself, stuff like that. If I had an IP I could find the weakness :)

+ 0 Votes
Don't be silly...
packetracer 7 years ago

Contacting the authorities will do nothing for you. It used to be that they won't move a finger unless you have suffered at least $5,000 in damage. That may have changed, but... Either way you have to be certain that you've been broken into before you'll get any help from the authorities. You're better off contacting a security company (maybe you have one that you already work with?). They will help you figure out if your servers have been compromised... and will help you prevent a future security problem.

As far as the login attempts, there are a few things here that you should have done to mitigate any issues:
1) The user's account should have been disabled as soon as she left the company. You did do that, right?
2) Your RAS server is patched with the latest patches, right?
3) Going back in time through the RAS logs. Ideally you kept at least a month's worth of your RAS logs. Not many people do that, but if you had the foresight to do that, you can go back to see when the attempts started. They could have been happening while the employee was still with the company.
4) Firewall logs - all models of the Cisco PIX have logging! You will need to set up a syslog server to start receiving the logs from the PIX.
5) Make sure that your employees pick secure passwords and change them once every few months. Can be done through Group Policy. You can also run free cracking tools to check the strength of current passwords.
6) If possible try to figure out how the ex-employee's user name/password was stolen. Did she always login remotely from her own computer? Let her know that she may have malware/a keylogger running on her computer.
Hope that helps!
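The log triage that several posters describe (was there a successful login for the named account, from which source address, and when did the attempts begin) as an added Python example; it is not code from any poster. It assumes a constructed, simplified one-line-per-event format rather than the real RAS/IAS log format, and the sample lines and addresses are made up for the example.

```python
"""Triage of remote-access authentication logs for one account.

The log format below (timestamp, user, src, result) is constructed for this
example and is NOT the real Windows RAS/IAS format; adapt LINE_RE to yours."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log; IP addresses are documentation-range placeholders.
SAMPLE_LOG = """\
2009-03-01 22:14:03 user=jdoe src=203.0.113.45 result=FAIL
2009-03-01 22:14:09 user=jdoe src=203.0.113.45 result=FAIL
2009-03-02 01:02:11 user=jdoe src=203.0.113.45 result=FAIL
2009-03-02 08:30:00 user=bsmith src=198.51.100.7 result=OK
this line is garbage and must be skipped, not crash the triage
2009-03-03 23:59:58 user=jdoe src=203.0.113.45 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Return a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events


def triage_account(events, user):
    """Did anyone get in as `user`, from where, and since when?"""
    mine = [e for e in events if e["user"] == user]
    successes = [e for e in mine if e["result"] == "OK"]
    failed_by_src = Counter(e["src"] for e in mine if e["result"] == "FAIL")
    return {
        "first_attempt": min(e["ts"] for e in mine) if mine else None,
        "failed_by_source": dict(failed_by_src),
        "successful_logins": [(e["ts"], e["src"]) for e in successes],
        "compromised": bool(successes),  # any success => treat as breached
    }


if __name__ == "__main__":
    print(triage_account(parse_log(SAMPLE_LOG), "jdoe"))
```

A `compromised` result of True is the cue to preserve the logs untouched and report before touching the system, as the thread advises; the per-source failure counts give the ISP abuse address something concrete to act on.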