RE: w2k server compromised

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 01/24/03

    From: "Laura A. Robinson" <larobins@bellatlantic.net>
    To: "'Dan Uscatu'" <duscatu@lunatech.ro>, <focus-ms@securityfocus.com>
    Date: Fri, 24 Jan 2003 02:59:16 -0500
    
    

    LDIFDE or CSVDE, although they just do text dumps of the configuration and
    accounts and won't maintain SIDs. You could use ADMT v2 to migrate from the
    infected domain into a clean domain, and it does migrate passwords.

    Laura

    > -----Original Message-----
    > From: Dan Uscatu [mailto:duscatu@lunatech.ro]
    > Sent: Thursday, January 23, 2003 3:17 AM
    > To: focus-ms@securityfocus.com
    > Subject: w2k server compromised
    >
    >
    > hey all
    >
    > i just found one of the w2k servers to be infected and acting
    > very strangely. unfortunately it is a domain controller and
    > it has all the users/computers lists.
    >
    > how can i export these before reinstall in order to keep the
    > exact same configuration (everything except passwords of
    > course)? i suppose this could be useful to be done on a
    > regular basis too...
    >
    > TIA
    >
    >