Need tips on catching an intruder

Discussion in 'Hardware' started by Zen, Dec 8, 2005.

  1. Zen

    Zen Private E-2

    Hello Everyone

    I was wondering if I could get some tips on catching a suspected intruder. A friend of mine works at a center for the disabled and they have a small 3 WinXP and 3 Win2K computer workgroup. They are connected by a Linksys router, and connect to the internet using DSL. Currently they have a volunteer that is doing database work for them. My friend noticed that whenever he gives the volunteer the password to the router, a few days later or the following day he will come to work and the PPPoE will be turned off, but the DSL username and password info is still in the router so he knows it hasn't been reset accidentally or anything. Also one of the users was working on a PC one day and he says the cursor moved to Start and Shut Down and he didn't do it. This is the Win2K machine. The only way I know that he could do this is if he had Back Orifice or something installed on the PC. He says he did a Spybot Search & Destroy scan and came up with nothing. Of course I told him to change the passwords and not tell him... which he will do. But I thought maybe until then we could try and catch him in the act, or whoever it is... maybe get an IP or something. Would the router have a log of the inbound traffic, or is there a program I can install on a machine to catch him... I guess like winspy but so I could get the IP and track it back to a PC.

    Thanks a lot
     
  2. cat5e

    cat5e MajorGeek

    Why does the guy need the password to the router to begin with?

    From reading your complaints it is not clear if the guy is doing anything wrong.

    Scan the system for spyware etc., and check that there are no unnecessary ports open through the router.

    Make sure that the system is clean, and tell the guy that it seems that strange things happen after he leaves.

    Change all the access passwords when he is done with his work.

    :cool:
     
  3. Zen

    Zen Private E-2

    Hey thanks cat5

    No, the guy doesn't seem to be doing anything "wrong." I just think if they are going to blame him they should really know it is him. If he is doing it then it seems like he is just doing it for the sport of it, not to really cause any harm.
     
  4. hongkongphooey

    hongkongphooey Private E-2

    You could check for something like VNC (a remote-control program) running on the W2K machine. It could be loaded to run as a service at startup.

    A further check would be to see if any extra 'rules' have been added to the config of the firewall. By default, the firewall is likely to block all incoming connections, unless they are in reply to a request from within the firewall. To allow remote access, an 'intruder' would need to allow himself an 'open door' at the router interface.

    I hope this helps a little.
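
The check suggested above (a remote-control program such as VNC on the W2K machine) and the earlier question about getting an IP can both be approached from saved `netstat -an` output. The following is an added example, not code from any poster in this thread; the port table assumes the tools run on their default ports, and the sample output is constructed.

```python
import re

# Default ports (assumed unchanged) for remote-control tools; VNC and
# Back Orifice are named in the thread, Remote Desktop is added here.
REMOTE_CONTROL_PORTS = {
    ("TCP", 5900): "VNC",
    ("TCP", 5800): "VNC (browser viewer)",
    ("TCP", 3389): "Remote Desktop",
    ("UDP", 31337): "Back Orifice",
}

# Matches data rows of `netstat -an`; UDP rows have no State column.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def find_remote_control(netstat_text):
    """Return findings for listeners and live sessions on known ports."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or blank line
        proto, _local_ip, port, foreign, state = m.groups()
        tool = REMOTE_CONTROL_PORTS.get((proto, int(port)))
        if tool is None:
            continue
        if proto == "UDP" or state == "LISTENING":
            findings.append((tool, int(port), "listening", None))
        elif state == "ESTABLISHED":
            # Local port is the service port, so the foreign side is the
            # connecting host: the address to compare with router logs.
            findings.append((tool, int(port), "connected", foreign.rsplit(":", 1)[0]))
    return findings

# Constructed sample output (documentation-range addresses), not real data.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:5900      203.0.113.45:2417      ESTABLISHED
  TCP    192.168.1.10:1042      198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for tool, port, status, peer in find_remote_control(SAMPLE):
        print(f"{tool} on port {port}: {status}" + (f" from {peer}" if peer else ""))
```

A tool moved off its default port will not match, so an unexpected LISTENING row on any port is still worth tracing to the service that owns it.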
     
