RE: w2k server compromised
From: Brothers, Sam (OCTO) (Sam.Brothers@dc.gov)
Date: 01/24/03
- Previous message: Thomas Cameron: "RE: w2k server compromised"
- Maybe in reply to: Dan Uscatu: "w2k server compromised"
- Next in thread: James D. Stallard: "RE: w2k server compromised"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Brothers, Sam (OCTO)" <Sam.Brothers@dc.gov> To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com> Date: Fri, 24 Jan 2003 10:54:11 -0500
My 2 cents,
Because I am always paranoid:
If this machine has been compromised "acting strangely", the possibility
exists that:
1. All of your usernames & passwords have been captured (via L0phtCrack)
and this information is thus suspect.
2. A rogue user has been injected.
Perhaps exporting the user list, checking it against a known good list of
users, then resetting all passwords may be a better course of action here:
***SNIP*** "You could use ADMT v2 to migrate from the infected domain into a
clean domain, and it does migrate passwords." ***SNIP***
Sam
-----Original Message-----
From: Dan Uscatu [mailto:duscatu@lunatech.ro]
Sent: Thursday, January 23, 2003 3:17 AM
To: focus-ms@securityfocus.com
Subject: w2k server compromised
hey all
i just found one of the w2k servers to be infected and acting very
strangely.
unfortunately it is a domain controller and it has all the
users/computers lists.
how can i export these before reinstall in order to keep the exact same
configuration (everything except passwords of course) ?
i suppose this could be useful to be done on a regular basis too...
TIA
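The check Sam suggests (export the user list, compare it against a known-good list, then reset every password) is shown below as an added example; it is not code from either poster. It assumes the user list has been pulled off the compromised DC with csvde (for example `csvde -f users.csv -r "(objectClass=user)" -l "sAMAccountName,userAccountControl,memberOf"`) and that a known-good roster exists from before the compromise. Both inputs here are constructed samples with made-up names and DNs. The script does not reset anything itself; it produces the lists an admin would act on: accounts that are not on the roster (possible injected users), roster accounts that have disappeared, accounts sitting in a privileged group, accounts whose userAccountControl carries PASSWD_NOTREQD or DONT_EXPIRE_PASSWORD (an extra check beyond what the post asks for), and the set of surviving accounts whose passwords must be reset.

```python
import csv
import io

# Constructed sample of a csvde-style export from the suspect DC.
# Real csvde output carries many more columns; only the ones used here are kept.
CSVDE_EXPORT = """DN,sAMAccountName,userAccountControl,memberOf
"CN=Administrator,CN=Users,DC=example,DC=local",Administrator,512,"CN=Domain Admins,CN=Users,DC=example,DC=local"
"CN=Dan Uscatu,CN=Users,DC=example,DC=local",duscatu,512,
"CN=Backup Service,CN=Users,DC=example,DC=local",svc_backup,66048,
"CN=Helpdesk Temp,CN=Users,DC=example,DC=local",hdtemp,544,"CN=Domain Admins,CN=Users,DC=example,DC=local"
"""

# Constructed known-good roster, one sAMAccountName per line, taken from an
# offline source (pre-incident export, HR list) rather than from the suspect DC.
KNOWN_GOOD = """Administrator
duscatu
svc_backup
jsmith
"""

# userAccountControl bits that weaken password policy for an account.
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000


def parse_export(text):
    """Map sAMAccountName -> row dict for every user object in the export."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["sAMAccountName"]: row for row in reader}


def parse_known_good(text):
    """Set of sAMAccountNames from the known-good roster."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def triage(export_text, known_good_text, privileged_groups=("Domain Admins",)):
    """Compare the DC export against the roster and return the action lists."""
    accounts = parse_export(export_text)
    known = parse_known_good(known_good_text)

    rogue = sorted(set(accounts) - known)      # on the DC, not on the roster
    missing = sorted(known - set(accounts))    # on the roster, gone from the DC

    weak_flags = []
    privileged = []
    for name, row in accounts.items():
        uac = int(row["userAccountControl"] or 0)
        if uac & PASSWD_NOTREQD or uac & DONT_EXPIRE_PASSWORD:
            weak_flags.append(name)
        # memberOf is a DN string here; a substring match on the group CN is
        # enough for a triage list, not for an authoritative group audit.
        if any(group in row["memberOf"] for group in privileged_groups):
            privileged.append(name)

    # Every legitimate account that survives cleanup gets a password reset,
    # since captured credentials are assumed for all of them.
    reset = sorted(set(accounts) & known)

    return {
        "rogue": rogue,
        "missing": missing,
        "weak_flags": sorted(weak_flags),
        "privileged": sorted(privileged),
        "reset": reset,
    }


if __name__ == "__main__":
    result = triage(CSVDE_EXPORT, KNOWN_GOOD)
    for label, names in result.items():
        print(f"{label:11s}: {', '.join(names) or '-'}")
```

In the sample, `hdtemp` shows up as both rogue and a Domain Admins member with PASSWD_NOTREQD set, which is exactly the kind of injected account the post is worried about; `svc_backup` is legitimate but has a non-expiring password and should be handled when the resets are done.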