Urgent help: Possible security breach

Giganews Newsgroups
Subject: Urgent help: Possible security breach
Posted by:  Gaspar (gasp…@no-reply.com)
Date: Fri, 13 Apr 2007

When I arrived this morning to my office I noticed that the intranet's
home page was modified: Some images were erased, others changed, etc.
The strange thing is that the modification time is 20:15 and no IT users
work at these hours (work time is 9:00 to 17:00).

I'm now thinking of some security breach. I need you to help me find
which user modified the file, from which host or IP, and, of course, if
my servers have some backdoors opened.

This is my platform:
- 2 Windows 2003 domain controllers, and 3 secondary windows 2003 servers.
- All service packs and security updates applied.
- IIS 6 has Frontpage extensions
- All servers have Symantec Corporate Antivirus (virus definitions updated).
- Internet access is controlled with ISA Server 2004
- Access to servers is physically restricted to only 2 persons, so
there's no way for someone to login locally.
- Most server operations are done via Remote Desktop.

I already checked:
- Shares: there are no shares in the INETPUB directory, and all other
shares are only restricted to administrators.
- Event Viewer: I couldn't find any entry related to the default.htm
file (home page)

Thanks in advance for your help and suggestions!
Gaspar
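One place to start on the "which user, from which host" question is the IIS access log rather than the Event Viewer: a FrontPage authoring session or a WebDAV write to default.htm leaves a request line there even when no file-level audit entry exists. The script below is an added example, not part of the original post: it parses IIS 6 W3C Extended log text, converts the timestamps to local time, and flags requests near the page's modification time that go through the FrontPage authoring endpoint, use a write method against the page, or fall outside the 9:00 to 17:00 working hours stated in the post. The log lines, IP addresses, account name, the 12 April date and the UTC+2 server time zone are all constructed assumptions; replace them with the real `ex*.log` contents and your own offset.

```python
"""Triage IIS 6 W3C Extended access logs for requests that could have rewritten a page.

Added example (not from the original post). SAMPLE_LOG is a constructed sample in
IIS 6 W3C Extended format; the field names are the standard IIS ones. Real IIS 6
logs are written, by default, under %SystemRoot%\\System32\\LogFiles\\W3SVCn\\ex*.log.
"""
from datetime import datetime, time, timedelta

AUTHORING_PREFIX = "/_vti_bin/_vti_aut/"   # FrontPage Server Extensions authoring endpoint
WRITE_METHODS = {"PUT", "POST", "DELETE", "MOVE", "COPY"}

# Constructed sample: hosts, users and times are invented for this example.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-04-12 13:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-04-12 15:30:12 10.0.0.5 GET /default.htm - 80 - 10.0.0.41 Mozilla/4.0+(compatible) 200 0 0
2007-04-12 18:14:03 10.0.0.5 POST /_vti_bin/_vti_aut/author.dll - 80 CORP\\svc_web 10.0.0.77 MSFrontPage/6.0 200 0 0
2007-04-12 18:14:05 10.0.0.5 PUT /default.htm - 80 CORP\\svc_web 10.0.0.77 - 201 0 0
2007-04-12 18:20:40 10.0.0.5 GET /images/logo.gif - 80 - 10.0.0.41 Mozilla/4.0+(compatible) 404 0 2
"""


def parse_w3c(text):
    """Parse W3C Extended log text into dict rows keyed by the names in the #Fields directive."""
    fields, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # #Software, #Version, #Date directives
            continue
        if fields is None:
            raise ValueError("log data before a #Fields directive")
        parts = line.split()              # IIS encodes spaces inside values as '+', so whitespace split is safe
        if len(parts) != len(fields):
            continue                      # skip truncated lines instead of misaligning columns
        rows.append(dict(zip(fields, parts)))
    return rows


def triage(rows, page, mtime_local, utc_offset_hours, window_minutes=30,
           business_hours=(time(9, 0), time(17, 0))):
    """Return requests within +/- window_minutes of the page's local modification time
    that could explain the change, each tagged with the reasons it was flagged."""
    offset = timedelta(hours=utc_offset_hours)
    window = timedelta(minutes=window_minutes)
    findings = []
    for r in rows:
        utc = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        local = utc + offset              # W3C Extended logs are written in UTC, not server local time
        if abs(local - mtime_local) > window:
            continue
        reasons = []
        if r["cs-uri-stem"].lower().startswith(AUTHORING_PREFIX):
            reasons.append("frontpage-authoring")
        if r["cs-method"].upper() in WRITE_METHODS and r["cs-uri-stem"].lower() == page.lower():
            reasons.append("write-method-on-page")
        if not (business_hours[0] <= local.time() <= business_hours[1]):
            reasons.append("outside-business-hours")
        if reasons:
            findings.append({
                "local_time": local.strftime("%Y-%m-%d %H:%M:%S"),
                "c_ip": r["c-ip"],
                "user": r["cs-username"],   # '-' means anonymous / no authenticated user
                "method": r["cs-method"],
                "uri": r["cs-uri-stem"],
                "status": r["sc-status"],
                "reasons": reasons,
            })
    return findings


def suspects(findings):
    """Distinct (client IP, user) pairs: the two things the post asks to identify."""
    return sorted({(f["c_ip"], f["user"]) for f in findings})


def run_example():
    """Run the triage over the constructed sample; returns (findings, suspect pairs)."""
    rows = parse_w3c(SAMPLE_LOG)
    found = triage(rows, page="/default.htm",
                   mtime_local=datetime(2007, 4, 12, 20, 15),   # the post's 20:15; date is assumed
                   utc_offset_hours=2)                         # assumed server zone UTC+2; set yours
    return found, suspects(found)


if __name__ == "__main__":
    found, who = run_example()
    for f in found:
        print(f["local_time"], f["c_ip"], f["user"], f["method"], f["uri"], f["status"], ",".join(f["reasons"]))
    print("suspects:", who)
```

Two caveats the output depends on: IIS W3C logs use UTC, so the 20:15 seen in Explorer must be compared after applying the server's offset, and a `cs-username` of `-` only means the request was anonymous at the web layer, so the client IP (and the ISA Server and Terminal Services logon records for that host around the same minutes) is what ties it to a person. The absence of an Event Viewer entry for default.htm is expected rather than suspicious: file writes only reach the Security log when object access auditing is enabled in policy and an audit entry (SACL) is set on the file or directory, which is not the default.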
