It's good that he got it running (it's easy enough with physical access), but your friend should probably plan for a rebuild in the near future, or at least a comprehensive audit against the systems. If the ex-admin deleted accounts and changed passwords (which, btw, will land him in jail if the company follows through with it as they should) then you have no idea what else he's done to compromise the DC or any other system he has access to. It's probably too late to depend on any forensic information to build a case against any additional damages (since your friend has already stepped on the file system and AD) - but who knows, a plea bargain including reparation for expenses could cover the costs for them. Bottom line is that the integrity of the install is compromised, and you'll have no effective way of determining what level of trojans, rootkits, malware, etc he has in place given his obvious propensity for criminal behavior. Leaving things "as is" and moving forward could be a mistake. t > -----Original Message----- > From: Justin@ESC [mailto:justin@xxxxxxxxxxxxx] > Sent: Wednesday, November 28, 2007 5:12 AM > To: bugtraq@xxxxxxxxxxxxxxxxx > Subject: Re: Win2K3 Priv Escalation > > > Thanks for all the replies, he got himself in, and they should be > contacting local authorities or at least a lawyer today. It's a > manufacturing company and for some reason 2 of the key services were > ran > under a user acct that once had admin permissions, without the > administrative rights it wouldn't run and it couldn't be switched over > to a system service because no one had rights to do so. A days worth of > work down the drain, gotta love rogue employees is all i can say. > > Thanks again :)
