Great Circle Associates Firewalls
(April 1998)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: Novell Question
From: Rabid Wombat <wombat @ mcfeely . bsfs . org>
Date: Mon, 6 Apr 1998 11:16:00 -0400 (EDT)
To: rkizer @ guten . sddpc . org
Cc: firewalls @ GreatCircle . COM
In-reply-to: <3 . 0 . 3 . 32 . 19980406162938 . 0098ae50 @ guten . sannet . gov>

Try LT Auditor+ at

You should also set up protocol analyzers (w/ filters in place to catch 
only login info at first, so you don't overflow, then set to the MAC 
address to catch the whole session) to try to obtain the MAC address.

Check to determine which accounts have sufficient rights on the 
machines/directories in question. Change passwords, and keep track of who 
has access to the new passwords. Keep supervisory access to a minimum.

You can also set up a script to run "userlist /a" on a regular basis and
pipe the output to a file in an attempt to locate the offending MAC
address, time/date, login name and station location.

Set up logging on your dial-in access either via your terminal server (if 
it has this ability), and/or a protocol analyzer. Dial-up by a 
disgruntled ex-sysadmin is always a prime suspect.

Document what you do, and what you find (date, time, who witnessed, what 
you did, what the intruder did, etc) in case you need this for court, if 
it comes to that.

Oh, and by the way, check to make sure you haven't set up your 
new-fangled tape backup software to "archive" files older than a certain 
date. Last time I got called in to check out a situation like this, that 
is what the "intruder" turned out to be.  :)


On Mon, 6 Apr 1998 rkizer @
 guten .
 sddpc .
 org wrote:

> Maybe there's someone who can help me with this problem, since I'm not
> that familiar with Novell.
> We've recently experienced some problems with "someone" getting into
> some of our Novell servers with Admin authority, and deleting system
> files.  Novell doesn't have any usable auditing tools, so we've been
> forced out into the market place to try and find something useable.
> Does anyone have any recommendations?  Any and all suggestions will
> be most welcome.

Indexed By Date Previous: Re: Novell Question
From: cbrenton <cbrenton @ sover . net>
Next: Ellen M Wesselingh/Netherlands/IBM is out of the office.
From: "CN=D15ML002/OU=15/OU=M/O=IBM @ IBMNL"
Indexed By Thread Previous: Re: Novell Question
From: cbrenton <cbrenton @ sover . net>
Next: Re: Novell Question
From: rcerpa @ adpims . com

Search Internet Search