LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-27-2008, 02:03 AM   #16
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76

You can't change your IP address in any way that would prevent this person from intruding again. If you run any servers that people from the Internet need to access, then you would need to change your DNS records to the new IP, and then the attacker only has to look up your DNS address again and he has your new IP...

If you're not using NAT right now (translating external IP addresses into internal IP addresses), then you could configure NAT to "hide" your internal IPs, but again if people need to get to those systems from outside (such as your website and e-mail server) then you would need to forward the ports through the firewall to them, so again you aren't really protecting much...

If the previous administrator left backdoors, anything you do on the firewall is likely futile anyway, because that's most likely where some backdoors are. You're going to have to start from scratch with a new firewall. You could use the old iptables script as a reference for what ports may need to be opened, but remember the old guy probably left some ports wide open so he could gain access, so you'll need to audit each IP and port to make sure there's actually a required application running there that people really need to access from the Internet. You'll have to check with your application team to know what those services are.

Speaking of applications, there's a good chance there are some backdoors in some of the applications you guys are running, and they are probably accessible from the Internet (and may need to stay that way), so not only can you not trust your firewall, but all your network-enabled applications are suspect as well. You and/or the application team will need to audit each one to make sure there aren't any hidden accounts or access methods. Start with the webservers as they're the most likely to contain entry points.

Oh yeah, and press charges against the previous admin. Hopefully you've made copies of the affected hard disk drives and sealed them in tamper-evident containers, labeled with the machine they came out of, the date they were copied, and the person who made the copies. You can use these as evidence in a criminal case.
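The "audit each IP and port" step above is tedious to do by eye on a long inherited ruleset. The following is an added example, not code from the thread or from any of the posters: it reads an iptables-save dump, assumes eth0 is the Internet-facing interface, and lists every rule that admits traffic on that interface so each entry can be justified with the application team. It also flags the patterns chort warns about: rules with no --dport (a whole host left open), rules that accept everything from one source address, and DNAT rules that quietly remap the accepted port to a different internal service. The sample ruleset is constructed for the example.

```python
"""Audit an inherited iptables ruleset for externally reachable ports.

Added example, not code from the thread or from any poster. It reads an
iptables-save dump and lists every rule that admits traffic from the
Internet-facing interface (assumed to be eth0) so each entry can be
justified with the application team. Rules with no --dport, rules that
accept everything from one source host, and DNAT rules that remap the
accepted port to a different internal port are flagged for review.
"""
import re
from dataclasses import dataclass, field

# Constructed sample dump (iptables-save format), not from a real firewall.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.11:25
-A PREROUTING -i eth0 -p tcp --dport 31337 -j DNAT --to-destination 192.168.1.5:22
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -s 203.0.113.7 -j ACCEPT
-A FORWARD -i eth0 -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT
-A FORWARD -i eth0 -p tcp -d 192.168.1.11 --dport 25 -j ACCEPT
-A FORWARD -i eth0 -p tcp -d 192.168.1.5 --dport 22 -j ACCEPT
COMMIT
"""

INBOUND_CHAINS = {"INPUT", "FORWARD", "PREROUTING"}
ADMIT_TARGETS = {"ACCEPT", "DNAT"}
# One option followed by its value, e.g. "--dport 80" or "-j ACCEPT".
_OPTION = re.compile(r"(--?[A-Za-z-]+)\s+(\S+)")


@dataclass
class Exposure:
    table: str
    chain: str
    proto: str      # 'tcp', 'udp', or 'any' when the rule has no -p
    dport: str      # destination port, or '*' when the rule has no --dport
    source: str     # allowed source (-s), or '*' when unrestricted
    dest: str       # DNAT target ip:port, filter -d address, or '*'
    flags: list = field(default_factory=list)


def parse_rule(line):
    """Map each option of one '-A CHAIN ...' line to its first value."""
    opts = {}
    for opt, val in _OPTION.findall(line):
        opts.setdefault(opt, val)
    return opts


def audit_exposures(dump, ext_iface="eth0"):
    """Return an Exposure for every rule admitting traffic on ext_iface."""
    table = "filter"
    found = []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # '*nat', '*filter' switch tables
            table = line[1:]
            continue
        if not line.startswith("-A "):      # skip policies, COMMIT, comments
            continue
        opts = parse_rule(line)
        chain, target = opts.get("-A"), opts.get("-j")
        if chain not in INBOUND_CHAINS or target not in ADMIT_TARGETS:
            continue
        if opts.get("-i") != ext_iface:     # only rules bound to the outside
            continue
        exp = Exposure(
            table=table,
            chain=chain,
            proto=opts.get("-p", "any"),
            dport=opts.get("--dport", "*"),
            source=opts.get("-s", "*"),
            dest=opts.get("--to-destination") or opts.get("-d", "*"),
        )
        if exp.dport == "*":
            exp.flags.append("no --dport: every port admitted"
                             if exp.source == "*"
                             else f"all ports admitted from {exp.source}")
        if target == "DNAT" and ":" in exp.dest:
            inner_port = exp.dest.rsplit(":", 1)[1]
            if inner_port != exp.dport:
                exp.flags.append(f"port remapped {exp.dport} -> {inner_port}")
        found.append(exp)
    return found


def checklist(exposures):
    """Render one line per exposure for the application-team review."""
    lines = []
    for e in exposures:
        mark = "REVIEW" if e.flags else "ok?  "
        note = "; ".join(e.flags)
        lines.append(f"[{mark}] {e.table}/{e.chain} {e.proto}/{e.dport} "
                     f"from {e.source} to {e.dest} {note}".rstrip())
    return lines


if __name__ == "__main__":
    for line in checklist(audit_exposures(SAMPLE_RULES)):
        print(line)
```

Run it against the output of `iptables-save` from the old box; every line marked "ok?" still needs a named owner and a reason to exist, and every "REVIEW" line is a candidate for the kind of hole the post describes. The port-remap check is the one that catches a high, innocuous-looking external port forwarded to an internal SSH daemon.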
 
Old 06-27-2008, 04:43 AM   #17
alan_ri
Senior Member
 
Registered: Dec 2007
Location: Croatia
Distribution: Debian GNU/Linux
Posts: 1,733
Blog Entries: 5

Rep: Reputation: 127
Yes, he has backdoor/s or/and trojan/s, maybe a worm/s, spyware/s and maybe a virus or two.
What is the anti_all_of_that software saying, if you used one?
Two things I will say;
1. You must think like he does if you want to fix your problem/s
2. Suggest to your boss to make a switch from Window$ to Linux if he doesn't need Window$ for the business he is into (backup, delete and install Linux). Much less problems then, of course, if you're willing to learn something about Linux.
 
Old 06-27-2008, 05:30 AM   #18
pinniped
Senior Member
 
Registered: May 2008
Location: planet earth
Distribution: Debian
Posts: 1,732

Rep: Reputation: 50
Hmm... great fun. Aside from the firewall, who knows what's been installed on each WinDuhs computer. Need to do a full audit of users as well - could be a huge list of 'admin' people with remote access and the guy can log into the WinDuhs computers as he wishes. Change of password on WinDuhs machines? No problem - that's what keyloggers are for.
 
Old 06-27-2008, 05:40 AM   #19
alwayslearning
Member
 
Registered: Feb 2003
Location: mountains of Western North Carolina and Daytona Beach
Distribution: Redhat 8.0/mozilla
Posts: 60

Original Poster
Rep: Reputation: 15
Hi Everyone,

Thank YOU!

This is going to be a long day at work, but you have all given me enough to work with here, so that I won't be buying the Sunday classifieds!!! (hope )

I'll let you know how this plays out.

Michelle (in a mess)
 
Old 06-27-2008, 06:21 AM   #20
pinniped
Senior Member
 
Registered: May 2008
Location: planet earth
Distribution: Debian
Posts: 1,732

Rep: Reputation: 50
Well, have fun.

To be safe, reinstall all windows machines and software; transfer data etc. Otherwise you have no guarantee that the goon isn't continuing to tamper with your systems and data.

It would be nice to have an intrusion expert gather evidence and prosecute the bum, but it may be far more valuable and even cheaper for the business just to get things under control.
 
Old 06-27-2008, 08:57 AM   #21
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Quote:
Originally Posted by alan_ri
2. Suggest to your boss to make a switch from Window$ to Linux if he doesn't need Window$ for the business he is into (backup, delete and install Linux). Much less problems then, of course, if you're willing to learn something about Linux.
That's ridiculous. If a previous admin installed back doors, it's just as easy on Linux as on any other OS. Presumably you're going to have an admin who knows how to administer the OS your company uses (otherwise what's the point?), so having Linux vs. Windows isn't going to make it any less likely that the next pissed off employee will leave holes for themselves.

Rolling out a brand new OS is not an effective way of dealing with a security incident. Are you as familiar with the new OS as the previous one? If not, you're creating more security problems. The less you know about a particular OS, the more an attacker has the upper hand.

Opinions like this don't serve anyone well. a) They don't help the person seeking advice, and b) they don't make you look smart (for suggesting Linux), but rather foolish (for making a bad suggestion in this context).

Security is far less about what platform you use, and far more about how effectively you can secure said platform.
 
Old 06-27-2008, 12:01 PM   #22
alan_ri
Senior Member
 
Registered: Dec 2007
Location: Croatia
Distribution: Debian GNU/Linux
Posts: 1,733
Blog Entries: 5

Rep: Reputation: 127
Quote:
Originally Posted by chort
That's ridiculous. If a previous admin installed back doors, it's just as easy on Linux as on any other OS. Presumably you're going to have an admin who knows how to administer the OS your company uses (otherwise what's the point?), so having Linux vs. Windows isn't going to make it any less likely that the next pissed off employee will leave holes for themselves.

Rolling out a brand new OS is not an effective way of dealing with a security incident. Are you as familiar with the new OS as the previous one? If not, you're creating more security problems. The less you know about a particular OS, the more an attacker has the upper hand.

Opinions like this don't serve anyone well. a) They don't help the person seeking advice, and b) they don't make you look smart (for suggesting Linux), but rather foolish (for making a bad suggestion in this context).

Security is far less about what platform you use, and far more about how effectively you can secure said platform.
Well, that's ridiculous and offending and it wasn't necessary to be like that, but if you wanted to look smart then you should've thought before you replied.
First, if I remember correctly, and I do, the new admin is the lady who is asking for our help here, so if she knew what has to be done then none of the pissed off employees would be able to do anything dangerous to the company, now and in the future, and if she would do that on the Linux system then the security of the company's network would be on a higher level than if the same was done on Window$, for many reasons. Linux is in its roots much more secure than Window$.
Second, the person who penetrated the company's network obviously is more skilled than the OP in computer security and he had free access to everything on the network since he was the admin, so he was able to set things the way he wanted before he wasn't an employee anymore. With all that in mind, my suggestion about changing the OS instead of wasting who knows how many days on discovering what has to be done, and doing so on the Linux forum when the network which is compromised is a Window$ network, and because the company is/will be suffering maybe great losses, is more than reasonable, because then the network would be operational instantly and far more secure than it was before, because of the reasons I mentioned earlier. Basic Linux administration isn't hard to learn, so I believe that they would be just fine. Creating backdoors on the Linux system is much more complex than on Window$ and even if an attacker would be able to place one on the Linux system he couldn't do anything, because that's what Linux is. Only a stupid admin's behavior could cause damage, and if there is a well configured firewall and if the admin is aware of the services that are enabled to run and on which ports, then the network would be secure.
I love Linux and it's my right to recommend it to anyone if I think that it would be the better thing to do in a specific situation, and I am not doing so because I think that I will look smart then, but because it's a better OS than any other I know, and because I've been using it for years, and because I want more people to start using it, and because I know what I'm talking about. I could have started talking to the OP about WANs, NAT, firewalls, open/closed ports, DNSs, gateways, routers, servers, clients, protocols and so on to help her solve her problem, but I've made it simple; I've told her to install Linux and you know what, it's not bad advice at all.

Last edited by alan_ri; 06-27-2008 at 03:04 PM. Reason: grammar
 
Old 06-27-2008, 12:13 PM   #23
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116
The boss needs to hire a consultant who is expert with the OS involved for a few days.

This consultant can clean up the network, eliminate any possible backdoors, and make sure security is properly in place and configured. The consultant can also provide some training to OP in order to ensure that OP has the tools to maintain the network going forward.

If this is a business situation, and the network is compromised, the boss had better be willing to spend the money.
 
Old 06-27-2008, 12:45 PM   #24
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by jiml8
The boss needs to hire a consultant who is expert with the OS involved for a few days.
With all due respect to Michelle, that's probably the correct answer in this case.

@Michelle: Hit the books and/or get yourself to Linux training. (I personally recommend Red Hat's RHCT and RHCE tracks; I'm not affiliated with or paid by RH, either.) If you expect to be able to do this job, please get yourself up to speed. If your company will not support such endeavors, then there is likely a larger problem...
 
Old 06-27-2008, 02:03 PM   #25
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 220

Rep: Reputation: 31
Quote:
Originally Posted by pinniped
To be safe, reinstall all windows machines and software; transfer data etc. Otherwise you have no guarantee that the goon isn't continuing to tamper with your systems and data.
Although extreme, this is a far better idea than converting users from what they know to something they don't, ie from windows to linux.

It all depends on how Michelle's boss feels. If he is comfortable with just replacing the firewall, and changing everyone's passwords, then she is in good shape.

If the boss is still concerned, she can recommend reinstalling windows on user machines. Depending on the number of workstations, and the customization, this could be a lot of work, but it would be hitting the "big reset button", getting everything back to a known state. As a new employee, I would be more comfortable managing systems I installed, versus figuring out what someone else did.
 
Old 06-27-2008, 07:18 PM   #26
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Quote:
Originally Posted by alan_ri
the new admin is the lady who is asking for our help here, so if she knew what has to be done then none of the pissed off employees would be able to do anything dangerous to the company, now and in the future, and if she would do that on the Linux system then the security of the company's network would be on a higher level than if the same was done on Window$, for many reasons. Linux is in its roots much more secure than Window$.
Most of this is pure hyperbole, and you totally ignored my point that the safest OS is the one that the administrator knows the most about. If you switch to a new OS that you know nothing about, how are you going to secure it? Who's going to do this person's job, you? Across an Internet forum? Want to give your mobile number so she can call you with questions in the middle of the night?

Quote:
Second, the person who penetrated the company's network obviously is more skilled than the OP in computer security and he had free access to everything on the network since he was the admin, so he was able to set things the way he wanted before he wasn't an employee anymore. With all that in mind, my suggestion about changing the OS instead of wasting who knows how many days on discovering what has to be done
The firewall is already on Linux, so the previous IT person obviously had experience with that, and they were able to penetrate the network despite it. Changing to Linux isn't going to make it any harder for the previous person to attack, they already know that OS too. Nothing is gained.

Quote:
Basic Linux administration isn't hard to learn, so I believe that they would be just fine.
That's relative. If all your training is on Windows, and you suddenly switch to administer a Linux system, it certainly is hard.

Quote:
Creating backdoors on the Linux system is much more complex than on Window$ and even if an attacker would be able to place one on the Linux system he couldn't do anything, because that's what Linux is.
Again, total hyperbole. Just because that's what everyone on Slashdot says doesn't make it true.

Quote:
Only a stupid admin's behavior could cause damage, and if there is a well configured firewall and if the admin is aware of the services that are enabled to run and on which ports, then the network would be secure.
Thank you for proving my point exactly. The most secure operating system is the one that you personally know best how to configure.

Quote:
I love Linux and it's my right to recommend it to anyone ... because I've been using it for years and because I want more people to start using it
Just because you have an opinion doesn't make it right, and just because you think everyone should use Linux doesn't make it so. I personally think unicycles are really nice, they don't pollute the air, and they're fun to ride. I'm not going to tell everyone I meet that they should ride a unicycle to work instead of driving, because that's not the right way to solve pollution problems. If I used your approach, every time someone complained about traffic I'd tell them to throw away their car and get a unicycle.

Quote:
I could have started talking to the OP about WANs, NAT, firewalls, open/closed ports, DNSs, gateways, routers, servers, clients, protocols and so on to help her solve her problem
And giving practical advice would have been the right thing to do, since understanding all these things is necessary no matter what operating system you're using.

Quote:
but I've made it simple; I've told her to install Linux and you know what, it's not bad advice at all.
Actually that's horrible advice. Not only does it not solve the immediate problem, but it creates a bunch of new ones (such as "how do I do this simple task that I knew how to do on the old system, but I have no idea how to do now?").

You can't just look at a problem, install Linux over top of it, wipe your hands and be done. You still have to know how networking works, you still have to know about application security, and you still have to know how to audit for problems.

I'm not bashing Linux. Over the last 10 years, 3 out of the 4 companies I've worked at have shipped products based on Linux and right this second I'm responsible for administering about a dozen systems running Linux, but I've also worked in the security industry for a long time and I've been in a whole lot more data centers than you have. Linux is not the right solution for every problem, just like Windows is not the right solution for every problem, just like Solaris is not right for every problem.

I've seen my share of very solid networks, and my share of scary ones. Some of the best networks I have worked with have been primarily Windows, and some of the worst have been Linux. It all depends on the skill of the operators and what they're familiar with.

So next time, please take a second to think about whether you're actually solving more problems than you cause, and whether your advice is appropriate for the situation. For instance, what if all the company's web applications are written with .NET and run on IIS? How are they going to run them on Linux? What if those web applications talk to some custom software that only runs on Windows? You didn't bother to find any of that out, you just told the OP to install Linux on everything. That's not helpful.

For the OP: The consultant idea is a very good one. If your network had an intrusion and you aren't trained for incident response, the best way to address the issue quickly and thoroughly would be to contract an outside expert.
 
Old 06-27-2008, 08:04 PM   #27
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116
To the OP:

Listen to Chort. Ignore alan_ri. You'll wind up much further ahead.

And, IMNSHO, the consultant is far and away the best way for your company to go right now. Substantially the cheapest in the long run, and will give you the quickest results.
 
Old 06-27-2008, 08:29 PM   #28
vxc69
Member
 
Registered: Jul 2004
Distribution: Ubuntu
Posts: 387

Rep: Reputation: 33
alan_ri is getting owned because of his zealousness. Come on man, in a situation like this, you gotta keep your ardor at bay and be more objective.
 
Old 06-27-2008, 10:17 PM   #29
xadrith
Member
 
Registered: Oct 2007
Distribution: Slack 12.1
Posts: 43

Rep: Reputation: 15
Quote:
Originally Posted by drokmed
Sure he can. For example, he can have the CentOS box have a cron job to initiate a tunnel to his home box. There are lots of ways.

That's pretty devious, and clever... I just glimpsed over some info about cron today in an O'Reilly book.

I don't know why I felt compelled to use up more diskspace with this useless comment... but.. here goes!

x.D
 
Old 06-27-2008, 10:25 PM   #30
vxc69
Member
 
Registered: Jul 2004
Distribution: Ubuntu
Posts: 387

Rep: Reputation: 33
Quote:
Originally Posted by xadrith

I don't know why I felt compelled to use up more diskspace with this useless comment... but.. here goes!

x.D
Not to mention the world's bandwidth, a couple of bytes here and a couple more there, they all add up wasting resources and energy and ultimately polluting the environment. I'm just adding to it, aren't I?
 