RE: w2k server compromised

From: James D. Stallard (james@leafgrove.com)
Date: 01/23/03

    From: james@leafgrove.com (James D. Stallard)
    To: "'Dan Uscatu'" <duscatu@lunatech.ro>, <focus-ms@securityfocus.com>
    Date: Thu, 23 Jan 2003 22:07:41 -0000

    Dan

    Regardless of the security implications and reasons for having an
    apparently compromised DC, you can use the following procedure to get your
    AD databases copied:

    Build new W2k server box
    Harden new server
    Use DCPROMO to make it a DC in the current domain/forest
    Await replication to complete, check by directing AD Users and computers
    at the new server.
    Check your login scripts and policies have also come across by looking
    in SYSVOL
    DCPROMO old server to remove DC functionality
    Power off old server
    Remove entries in sites and services relating to the old server if
    still there
    Remove old server computer account
    Rebuild old server
    Harden old server
    DCPROMO old server to make it a DC in the current domain/forest
    Await replication to complete, check by directing AD Users and computers
    at the old server.
    Check your login scripts and policies have also come across by looking
    in SYSVOL
    DCPROMO new server to remove DC functionality
    Power off new server
    Remove entries in sites and services relating to the new server if
    still there
    Remove new server computer account
    Done

    Good luck, and don't forget to check the rest of your LAN for pesky
    malware.
    Of course, if the compromise is AD aware you may not be able to get rid
    of it this way, but that is pretty unlikely. Anyone else comment??

    Cheers

    JamesD

    -----Original Message-----
    From: Dan Uscatu [mailto:duscatu@lunatech.ro]
    Sent: 23 January 2003 08:17
    To: focus-ms@securityfocus.com
    Subject: w2k server compromised

    hey all

    I just found one of the w2k servers to be infected and acting very
    strangely. Unfortunately it is a domain controller and it has all the
    users/computers lists.

    How can I export these before reinstalling in order to keep the exact same
    configuration (everything except passwords of course)? I suppose this
    could be useful to be done on a regular basis too...

    TIA
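As an added example (not part of this thread), the following PowerShell script checks the "await replication / check SYSVOL" steps and the "remove stale entries" steps of James's procedure. It assumes a current Windows host with the RSAT ActiveDirectory module; the W2k-era tooling the thread describes was dcpromo and the support-tools repadmin, and none of these cmdlets exist on W2k. OLDDC01, NEWDC01 and corp.example are placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# on a current Windows host. $OldDC/$NewDC/$Domain are placeholders.
param(
    [string]$OldDC  = 'OLDDC01',       # placeholder: suspected-compromised DC
    [string]$NewDC  = 'NEWDC01',       # placeholder: freshly built, hardened DC
    [string]$Domain = 'corp.example',  # placeholder: DNS name of the domain
    [ValidateSet('PreDemote','PostRemoval')][string]$Phase = 'PreDemote'
)
Import-Module ActiveDirectory

# Hash every file under a DC's SYSVOL share so the two copies can be compared
# by content (login scripts and policies live here), not just by file name.
function Get-SysvolHashes([string]$Dc) {
    $root = "\\$Dc\SYSVOL\$Domain"
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length)
            Hash         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

if ($Phase -eq 'PreDemote') {
    # "Await replication to complete": every inbound partner/partition on the
    # new DC must show a recent success and no consecutive failures.
    $bad = Get-ADReplicationPartnerMetadata -Target $NewDC | Where-Object {
        $_.ConsecutiveReplicationFailures -gt 0 -or
        $_.LastReplicationSuccess -lt (Get-Date).AddHours(-1)
    }
    if ($bad) {
        $bad | Format-Table Partner, Partition, LastReplicationSuccess, LastReplicationResult
        throw "Replication to $NewDC is not complete; do not demote $OldDC yet."
    }
    # "Check your login scripts and policies have also come across": SYSVOL
    # content must match exactly before the old DC is demoted and powered off.
    $diff = Compare-Object (Get-SysvolHashes $OldDC) (Get-SysvolHashes $NewDC) -Property RelativePath, Hash
    if ($diff) { $diff | Format-Table; throw "SYSVOL differs between $OldDC and $NewDC." }
    "Replication and SYSVOL verified on $NewDC; safe to demote $OldDC."
}
else {
    # After demotion and power-off: nothing should still reference the old DC,
    # neither a server object in Sites and Services nor a computer account.
    $cfg    = (Get-ADRootDSE).configurationNamingContext
    $server = Get-ADObject -SearchBase $cfg -LDAPFilter "(&(objectClass=server)(cn=$OldDC))"
    $acct   = Get-ADComputer -Filter "Name -eq '$OldDC'"
    if ($server) { "Stale Sites and Services entry: $($server.DistinguishedName)" }
    if ($acct)   { "Stale computer account: $($acct.DistinguishedName)" }
    if (-not $server -and -not $acct) { "$OldDC fully removed from the directory." }
}
```

Run it with `-Phase PreDemote` before the first DCPROMO removal and again with `-Phase PostRemoval` after the old server is powered off; the same two runs apply when the roles are swapped for the rebuilt server in the second half of the procedure.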


