Friday, March 30, 2012

Recently I lost my job

Hi All,
Recently I lost my job, which I had for 6 years, because someone accused me
of destroying critical data on a Microsoft SB2000 server.
The damage was done to the SQL server data, so the commercial application
was malfunctioning.
The guy who wrote the commercial application (ERP) said that he has evidence
showing that the damage was done by me. My poor knowledge of MS SB2000 and
SQL server, and the threat that if I refused the category they would take me
to court, forced me to accept the category and leave the company that I
worked at for 6 years.
Now I have a new, better job, but I am trying to restore my name and my image
after 25 years of professional work in the computer industry.
In trying to prove that I am innocent and have not damaged any data, I
need any possible help with the following:
whether I can get, from any log or other kind of tracing,
non-editable (read-only) information that I can use as evidence.
Any help is welcome.
Evan K

You could try to read the transaction log, if it is still available to you.
From there, with an appropriate tool, you can see who did what. Check, for
example, Lumigent Log Explorer (http://www.lumigent.com/).
Dejan Sarka, SQL Server MVP
Associate Mentor
www.SolidQualityLearning.com

"Evan Kosterolgou" <EvanKosterolgou@.discussions.microsoft.com> wrote in
message news:2C91534F-A527-4BDE-854D-9076CD7035E7@.microsoft.com...
> Hi All,
> Recently I lost my job, which I had for 6 years, because someone accused me
> of destroying critical data on a Microsoft SB2000 server.
> The damage was done to the SQL server data, so the commercial application
> was malfunctioning.
> The guy who wrote the commercial application (ERP) said that he has evidence
> showing that the damage was done by me. My poor knowledge of MS SB2000 and
> SQL server, and the threat that if I refused the category they would take me
> to court, forced me to accept the category and leave the company that I
> worked at for 6 years.
I'm just surprised at how s/he managed to say that you're the culprit.
Anyway, below I'm just sharing my experience. Believe me, it was a very
painful and grueling process to identify how the server was hacked.
An external hacker hacked into our system and replaced a compiled .dll file by
appending 'drop table x'. To cut a long story short, it was because too
many rights were given to one of the directories in IIS (which holds the
compiled VB stored procedure in a .dll), because the so-called developer just
knows how to program ERP systems but has very minimal knowledge of managing
an IIS server, let alone an application server.
There are (many) software tools (search for vb decompiler) that are able to
read the compiled .dll and decompile it.
Since the hacker overwrote the DLL file with his/her version, the SQL
profiler shows that the command was issued via a valid connection, i.e. from
someone in the local intranet. Meaning, every time someone logs into the ERP
system, the command "drop table x" would be issued.
This can also be confirmed by installing the Ethereal network packet analyzer
to analyze the packets in real time.
We got lucky and we managed to pinpoint some files being changed by the
so-called hacker. After that discovery it was just a matter of how to prevent
people from writing to the IIS.
However, I'm not sure if the above can be of any use to you, and good luck.
(Sorry for my bad English as it is not my first language)

> Now I have a new, better job, but I am trying to restore my name and my image
> after 25 years of professional work in the computer industry.
> In trying to prove that I am innocent and have not damaged any data, I
> need any possible help with the following:
> whether I can get, from any log or other kind of tracing,
> non-editable (read-only) information that I can use as evidence.
> Any help is welcome.
Steven Ung

Thanks A LOT
"Dejan Sarka" wrote:

> You could try to read the transaction log, if it is still available to you.
> From there, with an appropriate tool, you can see who did what. Check, for
> example, Lumigent Log Explorer (http://www.lumigent.com/).

Thanks Steven