Re: w2k server compromised

From: Kurt Seifried (bt@seifried.org)
Date: 01/23/03

    From: "Kurt Seifried" <bt@seifried.org>
    To: "Dan Uscatu" <duscatu@lunatech.ro>, <focus-ms@securityfocus.com>
    Date: Thu, 23 Jan 2003 14:14:48 -0800
    
    

    > Hey all,
    >
    > I just found one of the w2k servers to be infected and acting very
    > strangely.
    > Unfortunately it is a domain controller and it has all the
    > users/computers lists.
    >
    > How can I export these before the reinstall in order to keep exactly the
    > same configuration (everything except passwords, of course)?
    > I suppose this could be useful to do on a regular basis too...
    >
    > TIA

    Create a BDC (backup domain controller); any old system will do from the
    sounds of it (if you only have one PDC and no BDCs then your network
    probably isn't too large). Attach it to the network and it will sync with the
    PDC; you now have a copy of all accounts/passwords. You may need to manually
    copy profiles/etc/etc; do so. Then unplug the PDC and promote the BDC to a
    PDC. Voila, a new clean PDC. Repeat as needed if you want to swap the old
    PDC back in, but this may be a good excuse to get a new server for the PDC.
    Plus this leaves the old PDC for forensic examination.

    You may also want to enable a lot more logging in future and have Windows
    auto-update installed, as well as an anti-virus package, etc.

    Kurt Seifried, kurt@seifried.org
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
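The reply uses NT4 vocabulary (PDC/BDC); on a Windows 2000 domain the same idea is to add a second domain controller with dcpromo, let it replicate, isolate the compromised one, and then seize the five operations-master (FSMO) roles on the clean machine. The console session below is an added example, not part of Kurt's message or of the original question; the host names NEWDC (clean replica) and OLDDC (compromised DC) and the domain DC=example,DC=local are assumed names for illustration. It also shows the export the question asked for, run with csvde from the clean replica rather than from the box that cannot be trusted.

```console
REM --- 1. On NEWDC: promote it as an additional DC of the existing domain.
REM     dcpromo opens the Active Directory Installation Wizard; pick
REM     "Additional domain controller for an existing domain". This is the
REM     "it will sync with the PDC" step: NEWDC replicates the directory
REM     (user and computer objects, group memberships, password hashes) from OLDDC.
C:\> dcpromo

REM --- 2. Confirm replication finished before pulling OLDDC's cable.
REM     repadmin is in the Windows 2000 Support Tools (SUPPORT\TOOLS on the CD).
C:\> repadmin /showreps NEWDC

REM --- 3. Export the account and computer lists (csvde ships with W2K Server).
REM     csvde never writes password hashes, which matches "everything except
REM     passwords" in the question. Run it on a schedule for the "regular basis" case.
C:\> csvde -f users.csv -d "DC=example,DC=local" -r "(objectClass=user)" -l "sAMAccountName,displayName,memberOf,userAccountControl"
C:\> csvde -f computers.csv -d "DC=example,DC=local" -r "(objectClass=computer)" -l "sAMAccountName,dNSHostName,operatingSystem"

REM --- 4. Unplug OLDDC (keep it powered down for forensics, do not wipe it yet).
REM     With OLDDC unreachable, "transfer" cannot work, so the roles are seized.
REM     A DC whose roles were seized must never return to the network as-is.
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server NEWDC
server connections: quit
fsmo maintenance: seize PDC
fsmo maintenance: seize RID master
fsmo maintenance: seize infrastructure master
fsmo maintenance: seize schema master
fsmo maintenance: seize domain naming master
fsmo maintenance: quit

REM --- 5. Remove OLDDC's stale DC object so the rebuilt server can be
REM     re-promoted later under the same name ("swap the old PDC back in").
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server NEWDC
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
select operation target: select domain 0
select operation target: list sites
select operation target: select site 0
select operation target: list servers in site
select operation target: select server 1
select operation target: quit
metadata cleanup: remove selected server
metadata cleanup: quit
ntdsutil: quit
```

The index numbers passed to "select domain", "select site" and "select server" are whatever the preceding "list" command prints for your environment, so read the lists before choosing. One caveat the reply glosses over: the replica is a clean operating system, but its directory content is a faithful copy of whatever the intruder left in the compromised DC, including any accounts or group memberships they added and every password hash. Review the csvde exports for unexpected users, computers and Domain Admins members, and treat all credentials that existed on OLDDC as exposed and reset them, starting with the administrative ones.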


