System Admin Shuts down Servers, Deletes Core Files on the Day He Is Fired

Megalith

…and now he faces 10 years in prison. I never did understand why some people go to great lengths to damage their employer when there is so much risk and practically no payoff. This guy was dumb enough to leave his account history behind so everyone knew he was at fault.

Venzor was let go from his position at the company's help desk and immediately turned volatile. He left the building at 10:30AM and by 11:30, the company's email and application servers had been shut down. Because of this, all activities ground to a halt at the factory and employees had to be sent home. When the remaining IT staff tried to restart them, they discovered the core system files had been deleted and their account permissions had been demoted. Eventually the company was forced to hire a contractor to clean up all of the damage, but this resulted in weeks of backlog and lost orders.
 
The reason he was fired is probably because he's the type of guy to remotely wipe servers if he was fired.

Except if that were the case you would think they would have put some restrictions on his account....

That said, the company is the only one paying the price. That had to cost them a TON of dollars to have to shut down for the day, as well as the time in which to fix everything back up. The stupid kid got 10 years in prison, which doesn't exactly give them any of those millions of dollars in cost back.
 
Except if that were the case you would think they would have put some restrictions on his account....

That said, the company is the only one paying the price. That had to cost them a TON of dollars to have to shut down for the day, as well as the time in which to fix everything back up. The stupid kid got 10 years in prison, which doesn't exactly give them any of those millions of dollars in cost back.

In addition to 10 years, he could be fined up to $250,000 as well. Not sure who this goes to.
 
Maybe it's just me, but I'd at least put some sort of timer on it. I mean, dude gets fired, everything instantly goes tits up, kinda obvious.

Or set up a remote backdoor so you can do it from home at a later date.
Or do something that slowly degrades the network performance, instead of breaking something that's immediately noticeable.
 
Except if that were the case you would think they would have put some restrictions on his account....

That said, the company is the only one paying the price. That had to cost them a TON of dollars to have to shut down for the day, as well as the time in which to fix everything back up. The stupid kid got 10 years in prison, which doesn't exactly give them any of those millions of dollars in cost back.

My guess is this is just the criminal charge, and the company can still go after him for their costs. Not that they'd get much out of him.
 
Or set up a remote backdoor so you can do it from home at a later date.
Or do something that slowly degrades the network performance, instead of breaking something that's immediately noticeable.
The article said he did the remote backdoor thing, made it look like a printer on the network. He just apparently did it while still in the parking lot.

I do not in his position I would probably just have made things difficult for my replacement. As in, any macros or shortcuts or group policy I set up would get wiped, any email to or from me would get wiped, and as my last step my user account would be wiped. I would probably set up a script to do it so I can just hit run.
 
It's a form of hacking by today's standards. Hacking is as bad as selling drugs in the eye of the law. It's a toss-up which gets you more jail time, hacking or downloading movies.
 
On all fronts...

 
If a help desk worker has enough access to do something like this, they had it coming.

The term help desk can have very different meanings. Some places refer to all their IT as help desk. Partly because of cost. If you call somebody a system admin you pay them system admin rates. However you call them help desk and give them more responsibility than normal help desk and you can get away with offering less money.

So I wouldn't get too hung up on the job title.
 
For those hung up on the "Help Desk" issue, where I last worked as a Network/Security Admin, everyone in IT was Help Desk. We had temps that were normally Tier 1 and those of us who were full time were Tier 2 or 3. I had an account with God privileges even though I could easily be taking a Tier 1 call if all the temps were busy.

I do agree that it was poor planning on the company's part to plan on firing an IT admin without taking precautions. And where were the DAMN BACKUPS!?
 
The penalty seems out of line unless it affected Hospitals, etc. Money, yes. Time, yes. 10 years, no.

Indeed -- considering we have drunk drivers that KILL people who get less time, and in some cases NO time served. Remember that "affluenza" kid, who killed 4 people, didn't get any jail time for it the first round. That's just the one example on the top of my mind; there are surely countless others.
 
Funny how this story is posted on "World Backup Day". :) And, while everyone here has wanted to perform a "PC LOAD LETTER" to their employer's systems as a final bleep you and bleep off, most of us have the moral compass not to do such a career-ending move.

According to a Google search, we have a more detailed article from the Register. Why do I have a funny feeling this company had one of those mantras of "increase revenue, reduce costs", and they consider IT one of those costs that has to be minimized? Or, because the IT help desk was outsourced to another country, the admin had to not only maintain the servers, but also be the tier one helpdesk of the VIPs, and has lost a few weekends and blown plans? We can only speculate.
 
You do something like this and you pretty much will never work in the industry again.
That said, IT employees should find out they are fired when they are unable to log onto anything at their work. Lock them out, then send them down to HR, or wherever, for their termination.
 
I'm just curious why no one locked his account. Make no exception to anyone.

Supervise them while they collect their belongings, escort them out, and lock up all their account and e-mail is usually the norm right?
The account lockout depends on how quick the company is to act. 6 months after I left Radio Shack my credentials still worked... If a company is really on the ball, the minute he is told, another admin is locking his account. But from the sounds of it he was the lead admin. And he did it via a backdoor he had set up long before... so he had always planned on doing this...
 
Anywhere I've worked if you have any special access accounts that stuff gets locked before the term happens. This guy probably had creds to a service account that never changes their password.

A million years ago one of my buddies worked for an ISP, and he noticed the root passwords hadn't been changed in like ever. He changed them as a security measure and notified his boss. But his boss was a douche who was stealing stuff and sexually harassing his female workers, and when confronted about it threw my innocent friend under the bus. He left quietly because he hated it anyway. His dipshit manager got canned 6 months later for embezzlement + sexual harassment. No one had access to anything any more... so they re-hired him as a contractor paying 3x what his original salary was to "fix the problem". First step was to change the root passwords again.

I guess the moral of that story is, stupidity happens. And Karma is a bitch.
 
Maybe it's just me, but I'd at least put some sort of timer on it. I mean, dude gets fired, everything instantly goes tits up, kinda obvious.

Yea really. The good news is that criminals are generally stupid. The people that are smart enough to hide their tracks well enough are generally smart enough to know it isn't worth it.

Or set up a remote backdoor so you can do it from home at a later date.
Or do something that slowly degrades the network performance, instead of breaking something that's immediately noticeable.

From home no, from an open hot spot with a spoofed wireless card MAC address (or better yet a cheap used machine that you trash after) when your phone is not near you so it can't ping a tower near it?

I guess if he gave away trade secrets months later or let whoever would cause the most issues know where the bodies were buried I'd understand better. Going in right away like him though is just asking for you to be the main suspect right away.
 
I'm just curious why no one locked his account. Make no exception to anyone.

Supervise them while they collect their belongings, escort them out, and lock up all their account and e-mail is usually the norm right?
At our company if someone is escorted out, they are supervised. As soon as they leave, their account passwords are either changed or all access is revoked. Ditto for last day worked, aka voluntary quit.
 
He may have created a separate account which would bypass his actual account being closed.

Either way, he shouldn't have done what he did - gives all of us in IT (no matter what degree) a bad name. I say throw the book at him, and put him in jail. I'm sure he'll be someone's friend before too long.
 
It's odd how many companies don't take precautions. I'm on my 6th sysadmin contract, and 4 of those companies had old domain admin accounts that weren't removed for months after personnel left. Some of these were very capable infosec individuals, too.

The company I work for currently is a bit more stringent. Any higher tier employees are grilled a bit before they leave, and their accounts/account history are verified in person, the day they leave.
 
Didn't read the article, but if he was laid off to be replaced by some H1B Visa holder or his position outsourced to some third world country, good for him.
 
I'm just curious why no one locked his account. Make no exception to anyone.

Because:

A: They didn't know how
B: They were stupid and thought they were going to work him a full day and then send him home with a pink slip.
C: He had a script "Delete Everything? Y/N?" in his profile that he actively had to deny, as a poison pill.
 
My last company they'd lock your account the day you were being let go / fired. So generally you'd go to your desk and couldn't log in and you had a hunch.

Sometimes they'd do it a day too soon and it'd be super awkward for a day.
 
The article said he did the remote backdoor thing, made it look like a printer on the network. He just apparently did it while still in the parking lot.

I do not in his position I would probably just have made things difficult for my replacement. As in, any macros or shortcuts or group policy I set up would get wiped, any email to or from me would get wiped, and as my last step my user account would be wiped. I would probably set up a script to do it so I can just hit run.

All of that would be just as illegal, and unethical, as what this guy did, though of course much less harmful and less likely to be prosecuted. Every bit of those things belongs to your employer, not you, and destroying their property, whether physical or electronic, is a crime. Your premise is essentially "I created it, so I have the right to destroy it." By that logic the guy that dry-walled your home would be justified to come in and tear out your walls if he gets fired. Sorry, but you got PAID to create/set up these things for the company and as a result everything you did for them is entirely theirs, not yours at all. If you don't like it then don't work for someone else.
 
I'm just curious why no one locked his account. Make no exception to anyone.

Supervise them while they collect their belongings, escort them out, and lock up all their account and e-mail is usually the norm right?

We handle off-boarding for most of our customers on the IT side. We talk to their supervisors at the company and set up a time and date, and on that time and date we cut everything, THEN they go talk to the employee and escort them around and get their shit. Stuff like this happens all the time, but like was said, it's hard to know if people in high positions have secret separate accounts or know of other accounts that just aren't documented. Hell, I've got a few spare admin accounts floating around, at least I document mine and where they are.
 
.... Dude, do we need to remind you... the kid works a help desk position lol.

You think he's going to pay even $2.50 of that?

No, I don't. One thing I've learned from the past is if a court says you have to pay XX they will take all of your wages until it's paid or throw you in jail for x time if you can't pay.
 
For those hung up on the "Help Desk" issue, where I last worked as a Network/Security Admin, everyone in IT was Help Desk. We had temps that were normally Tier 1 and those of us who were full time were Tier 2 or 3. I had an account with God privileges even though I could easily be taking a Tier 1 call if all the temps were busy.

I do agree that it was poor planning on the company's part to plan on firing an IT admin without taking precautions. And where were the DAMN BACKUPS!?

The only precaution they didn't do is an audit of all accounts on their server to see if anything was given rights that it didn't need. They had removed his account; he just had a second hidden one. I was curious about the backups also. I can understand maybe losing an email server due to not backing that up if you are willing to lose that, however the application server that ran everything should have been backed up. I also don't understand how you damage a server so badly that it can't be used and has to be physically replaced.

Anywhere I've worked if you have any special access accounts that stuff gets locked before the term happens. This guy probably had creds to a service account that never changes their password.

A million years ago one of my buddies worked for an ISP, and he noticed the root passwords hadn't been changed in like ever. He changed them as a security measure and notified his boss. But his boss was a douche who was stealing stuff and sexually harassing his female workers, and when confronted about it threw my innocent friend under the bus. He left quietly because he hated it anyway. His dipshit manager got canned 6 months later for embezzlement + sexual harassment. No one had access to anything any more... so they re-hired him as a contractor paying 3x what his original salary was to "fix the problem". First step was to change the root passwords again.

I guess the moral of that story is, stupidity happens. And Karma is a bitch.

If you had read the article that is exactly what he did. They make it very clear that he created an account and hid it as an account for a network printer. However said network printer account had full admin rights.

if you didn't RTFA why post this nonsense?

In his defense, most here haven't read the article and are posting nonsense. So he is just trying to fit in.
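
The account audit discussed in this thread (checking every account for rights it doesn't need, such as a printer-named account holding full admin rights), sketched as an added example that is not part of any post or of the article. The account export, group list, staff roster and naming pattern are all constructed assumptions.

```python
import csv
import io
import re

# Constructed sample export, one row per account (not data from the incident).
ACCOUNTS_CSV = """\
account,groups,owner,documented
jsmith,Users,jsmith,yes
adm-jsmith,Domain Admins,jsmith,yes
adm-mlee,Domain Admins,mlee,yes
prn-floor2,Domain Admins;Print Operators,,no
svc-backup,Backup Operators,mlee,yes
helpdesk-tmp,Administrators,tcarter,no
"""

# Assumptions for this example: which groups count as admin-level, who is
# currently employed (HR roster), and how device/service accounts are named.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
ACTIVE_STAFF = {"jsmith", "mlee"}
DEVICE_NAME = re.compile(r"^(prn|printer|scan|copier|svc)[-_]", re.I)


def audit_privileged_accounts(csv_text, active_staff=ACTIVE_STAFF):
    """Return {account: [reasons]} for admin-level accounts that need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        if not groups & PRIVILEGED_GROUPS:
            continue  # only accounts with admin-level rights are in scope
        reasons = []
        if DEVICE_NAME.match(row["account"]):
            reasons.append("device/service-style name with admin rights")
        if not row["owner"]:
            reasons.append("no owner recorded")
        elif row["owner"] not in active_staff:
            reasons.append("owner is not a current employee")
        if row["documented"].strip().lower() != "yes":
            reasons.append("not in the documented admin inventory")
        if reasons:
            findings[row["account"]] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in audit_privileged_accounts(ACCOUNTS_CSV).items():
        print(f"{account}: {'; '.join(reasons)}")
```

Run against a real directory export before a termination, not after: anything it flags should be disabled or re-owned as part of the same change that locks the departing admin's named account.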
 
The penalty seems out of line unless it affected Hospitals, etc. Money, yes. Time, yes. 10 years, no.
He was sentenced to 10 years, that doesn't mean he will serve 10 years.

If you ever wonder when watching cop shows how the guy they are pulling up has ten assault charges, armed robbery, grand theft auto, etc. on their records and yet somehow they are not in jail, it is because we release people on parole far in advance of their convicted sentences.

Jails are just too full to keep even 1% of the population behind bars, and these days there are a lot more than 1% of people that are harmful to the 99% of us.
 
He was sentenced to 10 years, that doesn't mean he will serve 10 years.

If you ever wonder when watching cop shows how the guy they are pulling up has ten assault charges, armed robbery, grand theft auto, etc. on their records and yet somehow they are not in jail, it is because we release people on parole far in advance of their convicted sentences.

Jails are just too full to keep even 1% of the population behind bars, and these days there are a lot more than 1% of people that are harmful to the 99% of us.
That's all a state by state thing. For example, in Virginia, they have truth in sentencing laws, where you HAVE to serve 85% of your sentence, the end. So in that state he would get 8.5 years minimum, no matter what. In others, he could be walking in 2 years, it all depends.
 
Or set up a remote backdoor so you can do it from home at a later date.
Or do something that slowly degrades the network performance, instead of breaking something that's immediately noticeable.

The problem I see in this, is that the people that are resourceful enough to plan this kind of stuff out ahead of time are usually resourceful enough on a daily basis to keep a job.
 
That's all a state by state thing. For example, in Virginia, they have truth in sentencing laws, where you HAVE to serve 85% of your sentence, the end. So in that state he would get 8.5 years minimum, no matter what. In others, he could be walking in 2 years, it all depends.
Probably was directly in response to the nonsensical short period of time criminals were actually serving a while back in that state.

From the 90s in Virginia:
Former Attorney General William Barr reported in a major publication entitled "Combatting Violent Crime: 24 Recommendations to Strengthen Criminal Justice" that murderers spent only five and a half years, rapists three years, and robbers two and a quarter years in prison
The prison sentence was really just for the benefit of the public who would hear of a murder, be happy the guy got 50 year sentence, but then not realize that, on average, 5.5 years later he was out on the streets again like nothing ever happened, while his victim is still in the ground.
 