
User being hacked/stalked?

mickmel

Junior Member
At the place where I work, a very confidential document was found on our copier. The only person that should have had access to that document (via e-mail) had never printed it out, and certainly never copied it.

At this point, we think someone was in her e-mail (Outlook). Our research has led us to her Event Viewer, which has a LOT of entries in the "security" area for:

Category: "Logon/Logoff" and some for "Privilege Use"
User: "Guest"
Computer: Her computer name

Our first thought was maybe our web-based e-mail. We had another user pull that up from a different PC, and an entry similar to the one above was created. However, a full search of the web server showed that this was the ONLY time her e-mail was accessed via the web in the past few weeks.

This user is at her desk pretty much from 8:30-5:00. Between about 4-5 is when a lot of the guest entries show up in her event viewer.

Any clues what is going on?
 
If it isn't in house, look for spyware, especially a keystroke logger. If you find one, and the machine was on, it could have sent the info out in the background, rather than someone accessing her machine.
 
Originally posted by: Harvey
If it isn't in house, look for spyware, especially a keystroke logger.

It very well might be in house. Since the remote mail logon showed up in her event viewer, I'm wondering what else might show up in there. We have hundreds of PCs, and since the confidential document was left on a printer, it almost has to be in house.

What other kinds of things can trigger those logon/logoff events that she's seeing? And what is a "Privilege Use"?
 
Are the computers all part of a Windows Domain? I assume this User's computer isn't since there are entries in the Local Security Event Log. When joined to a Domain, the Local Security Log is typically empty.

What's your email server? Exchange? With Exchange, even the Domain Administrator can't access User's email without modifying the Security settings.
 
Are the computers all part of a Windows Domain?
Novell.

What's your email server? Exchange?
Exchange.

Like I said before, we thought someone had been accessing her mail via the Exchange Web interface, as those items appear to show up in her local security event log - but I don't know why they would, since that activity isn't "local" to that PC at all. Of course, we found the web logs on the Exchange server that showed all of the remote mail accesses, and ruled that out.

Now we're just trying to figure out what all of those guest logon/logoff entries mean, since they happen while she's sitting at her desk.
 
Originally posted by: mickmel
Now we're just trying to figure out what all of those guest logon/logoff entries mean, since they happen while she's sitting at her desk.
Does she have folders on her PC that are shared with others? When Simple File Sharing is enabled in XP, remote users always authenticate as the Guest account. When you are on a Windows Domain, Simple File Sharing is automatically disabled, but outside of a Domain, most users use Simple File Sharing.

Edit: Whoops. Nweaver beat my answer by one minute.
 
Originally posted by: nweaver
Windows XP Home tries to use the "guest" account for simple file sharing. I would look for rogue shares.

She had one empty shared folder, which may account for some of this. Thanks for the suggestion.

Also, I found a log that you can turn on in Windows Firewall, so we've enabled that to see what happens.
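
An added example, not part of the thread: one way to triage the Guest entries discussed above is to export the Security log and separate network logons (logon type 3, the kind Simple File Sharing produces) by source machine and hour from any Guest logon that sharing would not explain. The CSV layout, column names, workstation names and sample rows are constructed for illustration and are assumptions, not a real export format.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export (not from the thread): time, category, user,
# logon type, source workstation. Logon type 3 = network, 2 = interactive.
SAMPLE = """time,category,user,logon_type,workstation
2006-03-14 09:12:03,Logon/Logoff,jsmith,2,PC-EXEC01
2006-03-14 16:04:41,Logon/Logoff,Guest,3,PC-ACCT07
2006-03-14 16:04:41,Privilege Use,Guest,,PC-ACCT07
2006-03-14 16:20:10,Logon/Logoff,Guest,3,PC-ACCT07
2006-03-14 16:31:55,Logon/Logoff,Guest,3,PC-LOBBY02
2006-03-14 16:47:02,Logon/Logoff,Guest,2,PC-EXEC01
"""

def load_guest_logons(text):
    """Return Guest Logon/Logoff rows with a parsed time and integer logon type."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        if r["user"].lower() != "guest" or r["category"] != "Logon/Logoff":
            continue
        rows.append({
            "time": datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"),
            "type": int(r["logon_type"]),
            "src": r["workstation"],
        })
    return rows

def triage(rows):
    """Group network Guest logons by source machine and hour; collect the rest."""
    by_source = defaultdict(Counter)   # source workstation -> {hour: count}
    unexplained = []
    for r in rows:
        if r["type"] == 3:             # network logon, consistent with share access
            by_source[r["src"]][r["time"].hour] += 1
        else:                          # e.g. type 2 interactive: not explained by sharing
            unexplained.append(r)
    return by_source, unexplained

if __name__ == "__main__":
    by_source, unexplained = triage(load_guest_logons(SAMPLE))
    for src, hours in sorted(by_source.items()):
        print(src, dict(hours))
    for r in unexplained:
        print("REVIEW:", r["time"], "type", r["type"], "from", r["src"])
```

The per-source counts show which machines are touching the share and when; any row in the review list is a Guest logon that the shared-folder explanation does not cover.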
 