Try LT Auditor+ at www.bluelance.com.
You should also set up protocol analyzers (w/ filters in place to catch
only login info at first, so you don't overflow, then set to the MAC
address to catch the whole session) to try to obtain the MAC address.
Check to determine which accounts have sufficient rights on the
machines/directories in question. Change passwords, and keep track of who
has access to the new passwords. Keep supervisory access to a minimum.
You can also set up a script to run "userlist /a" on a regular basis and
pipe the output to a file in an attempt to locate the offending MAC
address, time/date, login name and station location.
Set up logging on your dial-in access either via your terminal server (if
it has this ability), and/or a protocol analyzer. Dial-up by a
disgruntled ex-sysadmin is always a prime suspect.
Document what you do, and what you find (date, time, who witnessed, what
you did, what the intruder did, etc.) in case you need this for court, if
it comes to that.
Oh, and by the way, check to make sure you haven't set up your
new-fangled tape backup software to "archive" files older than a certain
date. Last time I got called in to check out a situation like this, that
is what the "intruder" turned out to be. :)
On Mon, 6 Apr 1998 rkizer @
> Maybe there's someone who can help me with this problem, since I'm not
> that familiar with Novell.
> We've recently experienced some problems with "someone" getting into
> some of our Novell servers with Admin authority, and deleting system
> files. Novell doesn't have any usable auditing tools, so we've been
> forced out into the market place to try and find something useable.
> Does anyone have any recommendations? Any and all suggestions will
> be most welcome.
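
One way to review the periodic "userlist /a" capture file suggested in the reply above, as an added example that is not part of the original message: it flags every capture in which a watched account is logged in from a station address outside its expected set. The `===` timestamp separator, the column layout of the constructed sample, and the `EXPECTED` allowlist are assumptions; adjust the `ROW` pattern to match what your capture file actually contains.

```python
import re

# Constructed sample: two captures appended to one file by a scheduled job.
# The "=== <timestamp>" separator and the column layout are assumptions,
# not verified tool output.
SAMPLE = """\
=== 1998-04-06 09:00
   1  SUPERVISOR   [       1]  [    1B026A2F]
   2  JSMITH       [       1]  [    1B0311C4]
=== 1998-04-06 23:30
   1  SUPERVISOR   [       1]  [    1B0499E0]
   3  BACKUP       [       1]  [    1B026A2F]
"""

# Hypothetical allowlist: node addresses each watched account should use.
EXPECTED = {"SUPERVISOR": {"00001B026A2F"}}

STAMP = re.compile(r"^=== (.+)$")
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+\[\s*([0-9A-Fa-f]+)\]\s+\[\s*([0-9A-Fa-f]+)\]"
)

def parse_captures(text):
    """Return one dict per connection row, tagged with its capture time."""
    stamp, rows = None, []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            stamp = m.group(1)
            continue
        m = ROW.match(line)
        if m and stamp:
            conn, user, net, node = m.groups()
            rows.append({
                "time": stamp, "conn": int(conn), "user": user.upper(),
                # Normalise padding so the same station always compares equal.
                "network": net.upper().zfill(8), "node": node.upper().zfill(12),
            })
    return rows

def unexpected_stations(rows, expected):
    """Rows where a watched account appears on a node not in its allowlist."""
    return [r for r in rows
            if r["user"] in expected and r["node"] not in expected[r["user"]]]

if __name__ == "__main__":
    for hit in unexpected_stations(parse_captures(SAMPLE), EXPECTED):
        print(hit["time"], hit["user"], hit["network"], hit["node"])
```
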