#1
Junior Member
Join Date: Feb 2010
Posts: 4
So basically, I go to Zenos Watford, and recently some weird shit has been happening.

The main thing that happened was computers were suddenly unlocking themselves, stuff was getting moved/removed, and permissions and file ownerships were getting messed with. I brought this to my tutor's attention when I realized the SYSTEM account had been used to clean the Security Event Log on a couple of machines. In addition to this, I had been hosting a local web server (WAMP) and all of a sudden my NTFS permissions and ownerships were messed with (permissions all removed and owner set to Unidentified), then the services were disabled in the services console. This was all a bit weird; at first I guessed it might have been a virus, however the fact that it disabled my web server perfectly, amongst other stuff, was weird, so I guessed it might have been someone internal. However, nobody at the academy's knowledge spans far enough to do this.

I decided to investigate further, so I brought in some port scanning and packet logging tools and began work. Some weird stuff was coming up: my friend's computer was receiving TCP data from my computer, but I was not actually sending anything; there were port scans coming from what seemed to be the domain controller (I could tell because my firewall, which I also brought in, was telling me that a bunch of connections were being blocked, and when I looked they were all from the same IP (the DC) and the ports were just incrementing). The types of data I received weren't always packaged for my IP: there was a lot of multicast traffic, and data coming from places that didn't exist, IP ranges that I knew were not assigned, and even devices identifying themselves as printers that didn't exist. So there is some weird shit going down. In addition to my efforts to find the problem, I wasn't given enough time to look through the data; my memory stick was confiscated for analysis by the tech dept. and I was suspended till further notice along with my friend who was helping me with the analysis.

So the moral here is, don't try and help Zenos with their own poor security. Christ, the router was accessible via the Guest account on the router, in the web interface and the telnet, and I could easily gain access to any MAC addresses that I might have wanted to spoof if I was the hacker; also the primary terminal servers were publicly accessible (not including login), but since they can be reached from within a sub-domain, it just shows their security isn't up to par. Why am I targeted as the culprit? Because I know a lot about this shit, I'm one of the top in the class, and I took the initiative to investigate and find information for the tech dept. At the end of the day, if I hadn't flagged this up, there would probs have been even more damage. Has anyone experienced any weird technical issues like described above?

#2
Junior Member
Join Date: Apr 2010
Posts: 3
Zenos is incredibly insecure; you made one mistake though, telling them they are like the Nazi SS.
If the Zenos IT Department actually could do IT perhaps this wouldn't be a problem, but 99.9% of them received their training from Zenos themselves, so their skills really only include that of Health and Safety. I'm AMAZED! You were even allowed to bring a USB in; they made sure we were not allowed to bring anything, including USB devices. Your academy was probably infected by a USB Autorun device. Some things about Zenos Security
Someone in your academy must have owned the classroom server and is playing with everyone, or they've been backdoored.

#3
Junior Member
Join Date: Feb 2010
Posts: 1
Rofl, yeah there was this virus on their servers when I went. I'm pretty sure Zenos didn't know. It was a backdoor, so anyone with a bit of knowledge could have got into their main servers and caused serious damage.
It's a bit worrying.

#4
Junior Member
Join Date: Oct 2009
Posts: 8
Hardware key loggers? They obviously put those there themselves; I haven't seen any ninjas jumping around the offices unnoticed.
And hard luck being chucked out for being a real technician, kinda typical.

#5
Junior Member
Join Date: Feb 2010
Posts: 4
Well, here's hoping the tech dept. do something right today.
@WhistleBlower I was semi-allowed my USB. I hosted an interclass gaming and chat webserver on my PC, and my tutor had no control, so we struck a deal about me locking it down in lesson times; in exchange I can use my USB as long as she virus scans it every morning.

#6
Junior Member
Join Date: Apr 2010
Posts: 1
They've asked us to come in tomorrow as per usual, but apparently we're going to be reprimanded for our actions. I personally believe we deserve an apology more so than a reprimand; the way we were treated by the manager was ridiculous.
- The Friend

#7
Junior Member
Join Date: Apr 2010
Posts: 3
Why don't you just destroy them?
The only "network" experience you will get at Zenos is plugging an ethernet cable into a computer.

#8
Junior Member
Join Date: Oct 2009
Posts: 8
Having LAN games was a huge no-no for us; if there was so much as a smell of the sweet scent of a USB, it was taken and we would be told off.

#9
Junior Member
Join Date: Jun 2010
Posts: 4
I am glad that it passes your time easily, but seriously, who are you kidding?
Please read my post in the previous student area of the forum and bring this up with your tutors. This is a serious issue. I'm not trying to sound like I am hating Zenos, but I don't think that you understand what you've got yourself into.

#10
Junior Member
Join Date: Jul 2010
Posts: 8
Sorry for dragging up an old thread here, but I thought I may add some of my recent experience.

Within the first few weeks I noticed that two of the users' home shares did not have the NTFS permissions correctly configured. This gave anybody access to read/write any files within that directory. I notified my tutor about this fact and, for something that would take 5 minutes to change, nothing was done for weeks. I stumbled over the fact again about 2 months later, so to get his attention and make him change it I copied 32 copies of penis.jpg from Wikipedia into that home drive. Once the user noticed, he notified our tutor and he finally got around to changing the permissions on that one drive. A little while later somebody else noticed the problem with the other user and started to play with files, which she notified the tutor about, and he finally got around to fixing that one. (This whole process took at least 8 weeks.)

I was suspended for two days a little while later for separate actions. I had gained localised admin access to all the systems; I did this as a PoC (Proof of Concept) and actually told my tutor that I was able to do it and I had done it. He even told me that I should go ahead and crack the wifi as a PoC. I gained admin by booting a Linux distribution (now that's the point of failure, the ability to boot from CD. Thought I could as well hijack the PXE boot process and still boot an alternative OS) and cracking the SAM hashes. (1 tip for security: non-alphanumeric characters in your sensitive passwords.....) The suspension itself was illegal; the whole process that they completed was a breach of UK law. Under UK law a suspension is not a punishment but a tool to help complete an investigation without your intervention.

The IT staff are incompetent. I had a problem with my box not DHCPing, but it would work perfectly if I switched network cables around. This shows that there was either a broken cable (or, in my semi-paranoid mind, someone wrote a static route for me and broke it). I was without a computer for weeks until one day their IT guy came down and took the computer away. (Wait, it's a networking hardware problem, not a problem with my system.) Let's just say, it's still not fixed. I have a temporary fix by using a switch on the other working network port and sharing that single port between the two of us.

During my suspension meeting they were banging on about how they were going to have to spend hours re-imaging the computers in my room, trying to make me feel sorry for them..... All they did was change the admin password on my PC and disconnect the power supply to my CD drive. (They didn't touch any of the others.) When my PC came back from IT about the networking problem he had kindly reconnected my CD drive. (I do wonder what he tried when he was 'attempting' to fix it.)

My tutor gives some very strange information when he is teaching, right from saying that MAC addresses are broadcast over the internet to that computers have batteries in them (not CMOS) for giving power when the plug is removed for doing WoL (Wake on LAN) and PXE. Let me clarify: you still require a power supply to do both of them...
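Two of the symptoms in this thread, home shares that any user could write to (post #10) and folders whose ACLs were emptied and whose owner showed as "Unidentified" (post #1), are the kind of thing an admin can sweep for with a short audit. The script below is an added example, not code posted by anyone in the thread or used by Zenos; it assumes per-user home folders live under a placeholder root (`$HomeRoot`), that each folder is named after its user in a placeholder domain (`$Domain`), and that only that user, Administrators or SYSTEM should own it. It reports broad groups holding write-like rights, unresolvable owner SIDs (what the GUI shows as "Account Unknown"), and folders with no ACEs left at all.

```powershell
# Added example (not from the thread): audit home folders for over-broad NTFS ACEs,
# unexpected owners and emptied DACLs. All paths and names below are placeholders.
param(
    [string]$HomeRoot = 'C:\Shares\Home',   # placeholder: root of the home share
    [string]$Domain   = 'ACADEMY',          # placeholder: NetBIOS domain name
    [string[]]$BroadPrincipals = @('Everyone',
                                   'BUILTIN\Users',
                                   'NT AUTHORITY\Authenticated Users',
                                   "$Domain\Domain Users"),
    [string[]]$TrustedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Rights that allow changing content, permissions or ownership. Read-only ACEs
# for broad groups are not flagged; only these write-like bits are.
$writeLike = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-HomeFolder {
    param([System.IO.DirectoryInfo]$Folder)
    $findings = @()
    $acl = Get-Acl -LiteralPath $Folder.FullName
    $expectedOwner = "$Domain\$($Folder.Name)"   # assumption: folder name == username

    # Owner check. An owner that only resolves to a raw SID (S-1-5-21-...) is an
    # orphaned or foreign account; the Explorer security tab shows it as "Account Unknown".
    if ($acl.Owner -like 'S-1-*') {
        $findings += "owner is an unresolvable SID ($($acl.Owner))"
    } elseif ($acl.Owner -ne $expectedOwner -and $TrustedOwners -notcontains $acl.Owner) {
        $findings += "unexpected owner $($acl.Owner) (expected $expectedOwner)"
    }

    # ACE check: any Allow entry giving a broad group write-like rights.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $id) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeLike) -ne 0) {
            $where = if ($ace.IsInherited) { ' (inherited from parent)' } else { '' }
            $findings += "$id has $($ace.FileSystemRights)$where"
        }
    }

    # A DACL with no entries at all matches the "permissions all removed" symptom:
    # nobody but the owner can act on the folder until someone repairs it.
    if ($acl.Access.Count -eq 0) { $findings += 'no ACEs present (DACL emptied)' }

    [pscustomobject]@{ Folder = $Folder.FullName; Findings = $findings }
}

# Walk every home folder and print only the ones with findings.
Get-ChildItem -LiteralPath $HomeRoot -Directory |
    ForEach-Object { Test-HomeFolder -Folder $_ } |
    Where-Object { $_.Findings.Count -gt 0 } |
    ForEach-Object {
        Write-Output $_.Folder
        $_.Findings | ForEach-Object { Write-Output "    - $_" }
    }
```

Run it as an account that can read the ACLs of every home folder (it never modifies anything). Inherited ACEs are labelled separately because a broad write grant inherited from the share root means the fix belongs on the parent, not on the individual user folder; and because the list of "broad" principals is a parameter, a site that uses a custom "All Students" group can add it without touching the logic.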