Someone has hacked into my Server 2003 and changed MY password so I could not
use it. I managed to change it back to my password and hopefully block
future access from this person. Is there a "back way" into the server that I
do not know about that would let this person in? I have Terminal Services
and remote access. I need to block this possible entry. Anyone have this
problem?

Re: Unauthorized use of Server 2003 by Roger

Roger
Sat Feb 04 08:01:49 CST 2006

There may be a back way in now, but no one could do more than guess
what, from a long list of possibilities.
Before the event there were no "back doors" that came with the operating
system other than what could be created through misconfiguration, poor
choice of passwords (or lack thereof), or failure to patch the operating
system and any network-active third-party software when patches are
released for known weaknesses.

"IT in Training" <IT in Training@discussions.microsoft.com> wrote in message
news:B75A627A-C3F5-45C6-800B-674A52BDCD8C@microsoft.com...
> Someone has hacked into my server 2003 and changed MY password so I could
> not
> use it. I managed to change it back to my password and hopefully block
> future access from this person. Is there a "back way" into the server
> that I
> do not know about that would let this person in. I have terminal services
> and remote access. I need to block this possible entry. Anyone have this
> problem?



Re: Unauthorized use of Server 2003 by Malke

Malke
Sat Feb 04 08:38:17 CST 2006

Roger Abell [MVP] wrote:

> There may be a back way in now, but no one could more than guess
> what from a long list of possibilities.
> Before the event there were no "back doors" that came with the
> operating system other than what could be created through
> misconfiguration, poor choice of passwords (or lack thereof), or
> failure to patch the operating system and any network-active
> third-party software when patches are released for known weaknesses.
>
> "IT in Training" <IT in Training@discussions.microsoft.com> wrote in
> message news:B75A627A-C3F5-45C6-800B-674A52BDCD8C@microsoft.com...
>> Someone has hacked into my server 2003 and changed MY password so I
>> could not
>> use it. I managed to change it back to my password and hopefully
>> block
>> future access from this person. Is there a "back way" into the
>> server that I
>> do not know about that would let this person in. I have terminal
>> services
>> and remote access. I need to block this possible entry. Anyone have
>> this problem?

Mr. Abell was far too nice to mention it, but I'll be blunt - you should
flatten the server immediately and scan any workstations that were
connected to it. Don't connect the new server installation to the
Internet or the LAN until 1) it is protected with a firewall,
antivirus, and good security practices (including strong passwords);
and 2) all workstations are known to be 100% virus/malware-free.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Re: Unauthorized use of Server 2003 by Roger

Roger
Sat Feb 04 10:32:36 CST 2006


"Malke" <notreally@invalid.invalid> wrote in message
news:OLGGkiZKGHA.536@TK2MSFTNGP09.phx.gbl...
> Roger Abell [MVP] wrote:
>
>> There may be a back way in now, but no one could more than guess
>> what from a long list of possibilities.
>> Before the event there were no "back doors" that came with the
>> operating system other than what could be created through
>> misconfiguration, poor choice of passwords (or lack thereof), or
>> failure to patch the operating system and any network-active
>> third-party software when patches are released for known weaknesses.
>>
>> "IT in Training" <IT in Training@discussions.microsoft.com> wrote in
>> message news:B75A627A-C3F5-45C6-800B-674A52BDCD8C@microsoft.com...
>>> Someone has hacked into my server 2003 and changed MY password so I
>>> could not
>>> use it. I managed to change it back to my password and hopefully
>>> block
>>> future access from this person. Is there a "back way" into the
>>> server that I
>>> do not know about that would let this person in. I have terminal
>>> services
>>> and remote access. I need to block this possible entry. Anyone have
>>> this problem?
>
> Mr. Abell was far too nice to mention it, but I'll be blunt - you should
> flatten the server immediately and scan any workstations that were
> connected to it. Don't connect the new server installation to the
> Internet or the lan until 1) it is protected with a firewall,
> antivirus, and good security practices (including strong passwords);
> and 2) all workstations are known to be 100% virus/malware-free.
>

Hi Malke,

I am just Roger, same as in dts . . . :-)

I thought that flattening was pretty clear from
>> There may be a back way in now, but no one could more
>> than guess what from a long list of possibilities.

But yes, you are quite right.
The system needs a format install with a W2k3 SP1 integrated CD,
or off network with W2k3 and not placed on network until SP1 has
been installed.

The poster should install the SCW and use it, right after visiting
Microsoft Update, which itself is right after W2k3/Sp1 is installed
with its enabled firewall.

Your advice that all machines accessible from the violated server
need washing is right on, as they are all now suspect to the
extent that credentials defined on or in use on the compromised
machine have access to them (another understated, implied potential
flattening, but widespread).
Note that, if the poster has the skills, it MIGHT be worth the time
to have the violated server, off-network, go through some triage,
as this MAY provide some level of assurance about the potential
cleanup needed elsewhere.

Cheers,
Roger



Re: Unauthorized use of Server 2003 by Steven

Steven
Sat Feb 04 10:48:59 CST 2006

Does any unauthorized user have physical access to the server? That is the
easiest way to gain access, with either keyboard loggers or a password
reset disk. Beyond that, unless you used a weak password or administrator
accounts have weak passwords, you may have allowed a Trojan to be installed on
the computer that captured your keystrokes. You should not browse the
internet or access your email on a server. I agree with Malke and Mr. Abell
as to how to proceed from here. It would be a good learning exercise to try
and figure out what happened, but ultimately you should strongly consider
a pristine install; that is your call. The Antivirus in Depth Guide that
is free from Microsoft has some good advice on how to track down what
happened and how to prevent it from happening again, and the Windows 2003
Server Security Guide and the Threats and Countermeasures guide can get you
up to speed on securing your computers and are available at the second link
below. --- Steve

http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx
--- Antivirus in Depth Guide
http://www.microsoft.com/technet/security/default.mspx --- TechNet
Security homepage

"IT in Training" <IT in Training@discussions.microsoft.com> wrote in message
news:B75A627A-C3F5-45C6-800B-674A52BDCD8C@microsoft.com...
> Someone has hacked into my server 2003 and changed MY password so I could
> not
> use it. I managed to change it back to my password and hopefully block
> future access from this person. Is there a "back way" into the server
> that I
> do not know about that would let this person in. I have terminal services
> and remote access. I need to block this possible entry. Anyone have this
> problem?
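Roger suggests putting the violated server through some off-network triage before it is flattened, and Steven calls working out what happened a good learning exercise. The following is an added example to illustrate that triage; it is not code from any poster in the thread or from Microsoft. It assumes the server's Security log was exported to a comma-separated text file with one event per line and the columns shown in SAMPLE_EXPORT; that column layout, the account names (itadmin, svc_backup), the addresses (192.168.1.20, 203.0.113.7) and the event lines themselves are all constructed for the example. The event IDs and the logon type are the ones Windows 2000/2003 writes, from before the Vista-era renumbering.

```python
"""Off-network triage of an exported Windows Server 2003 Security log.

Added example for this thread, not code from any poster or from Microsoft.
It assumes the Security log was exported to a comma-separated text file with
one event per line and the columns shown in SAMPLE_EXPORT; that column layout,
the account names and the addresses are all constructed for the example.
"""
import csv
import io
from collections import Counter

# Pre-Vista (Windows 2000/2003) Security log event IDs.
SUCCESSFUL_LOGON = "528"          # logon succeeded
LOGON_FAILURE = "529"             # unknown user name or bad password
ACCOUNT_CREATED = "624"           # user account created
PASSWORD_RESET = "628"            # password *set* by another account (a self change is 627)
LOCAL_GROUP_MEMBER_ADDED = "636"  # member added to a security-enabled local group
RDP_LOGON_TYPE = "10"             # RemoteInteractive: Terminal Services / Remote Desktop

# Constructed sample export: the intruder guesses the Administrator password
# over Terminal Services, resets the owner's password, and plants a second admin.
SAMPLE_EXPORT = """\
date,time,event_id,actor,target,logon_type,source,detail
2006-02-01,09:02:14,528,,itadmin,10,192.168.1.20,
2006-02-03,02:11:05,529,,Administrator,10,203.0.113.7,
2006-02-03,02:11:09,529,,Administrator,10,203.0.113.7,
2006-02-03,02:11:13,529,,Administrator,10,203.0.113.7,
2006-02-03,02:11:20,528,,Administrator,10,203.0.113.7,
2006-02-03,02:14:41,628,Administrator,itadmin,,,
2006-02-03,02:16:03,624,Administrator,svc_backup,,,
2006-02-03,02:16:30,636,Administrator,svc_backup,,,Administrators
2006-02-04,07:45:12,528,,itadmin,10,192.168.1.20,
"""


def parse_export(text):
    """Turn the exported log into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(events, trusted_sources=(), failure_threshold=3):
    """Pull out the events that show how an account was taken over and what was
    left behind: password resets by another account, new accounts, additions to
    local groups, Terminal Services logons from addresses you do not recognise,
    and sources that hammered the logon prompt."""
    findings = {
        "password_resets": [],       # (when, actor, target)
        "accounts_created": [],      # (when, actor, new account)
        "group_additions": [],       # (when, actor, member, group)
        "rdp_logons_untrusted": [],  # (when, account, source)
        "brute_force_sources": [],   # (source, failure count)
    }
    failures = Counter()
    for e in events:
        when = f"{e['date']} {e['time']}"
        eid = e["event_id"]
        if eid == PASSWORD_RESET and e["actor"] != e["target"]:
            findings["password_resets"].append((when, e["actor"], e["target"]))
        elif eid == ACCOUNT_CREATED:
            findings["accounts_created"].append((when, e["actor"], e["target"]))
        elif eid == LOCAL_GROUP_MEMBER_ADDED:
            findings["group_additions"].append((when, e["actor"], e["target"], e["detail"]))
        elif (eid == SUCCESSFUL_LOGON and e["logon_type"] == RDP_LOGON_TYPE
              and e["source"] not in trusted_sources):
            findings["rdp_logons_untrusted"].append((when, e["target"], e["source"]))
        elif eid == LOGON_FAILURE:
            failures[e["source"]] += 1
    findings["brute_force_sources"] = sorted(
        (src, n) for src, n in failures.items() if n >= failure_threshold)
    return findings


def report(findings):
    """Render the findings as plain lines, one per suspicious event."""
    lines = []
    for src, n in findings["brute_force_sources"]:
        lines.append(f"{n} failed logons from {src} (password guessing?)")
    for when, account, src in findings["rdp_logons_untrusted"]:
        lines.append(f"{when}: Terminal Services logon as {account} from {src}")
    for when, actor, target in findings["password_resets"]:
        lines.append(f"{when}: {actor} reset the password of {target}")
    for when, actor, new_account in findings["accounts_created"]:
        lines.append(f"{when}: {actor} created account {new_account}")
    for when, actor, member, group in findings["group_additions"]:
        lines.append(f"{when}: {actor} added {member} to {group}")
    return lines


if __name__ == "__main__":
    found = triage(parse_export(SAMPLE_EXPORT), trusted_sources={"192.168.1.20"})
    print("\n".join(report(found)))
```

On the constructed sample the script reports the guessing burst from 203.0.113.7, the Terminal Services logon as Administrator from that address, the reset of itadmin's password by Administrator, and the svc_backup account that was created and added to Administrators; that last pair is the kind of "back way" the original poster is asking about, and it would survive changing his own password back. The log is only as honest as the intruder left it: a cleared Security log shows up as event 517, and someone with administrator rights can add services, scheduled tasks or accounts that no remaining event records. That is why the triage informs the cleanup elsewhere, as Roger says, but does not replace flattening the server.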