RE: w2k server compromised

From: Brothers, Sam (OCTO) (Sam.Brothers@dc.gov)
Date: 01/24/03

    From: "Brothers, Sam (OCTO)" <Sam.Brothers@dc.gov>
    To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
    Date: Fri, 24 Jan 2003 10:54:11 -0500
    
    

    My 2 cents,

    Because I am always paranoid:

    If this machine has been compromised "acting strangely", the possibility
    exists that:

    1. All of your usernames & passwords have been captured (via L0phtCrack)
    and this information is thus suspect.

    2. A rogue user has been injected.

    Perhaps, exporting the user list, checking it against a known good list of
    users, then resetting all passwords may be a better course of action here:
    ***SNIP*** "You could use ADMT v2 to migrate from the infected domain into a
    clean domain, and it does migrate passwords." ***SNIP***

    Sam

    -----Original Message-----
    From: Dan Uscatu [mailto:duscatu@lunatech.ro]
    Sent: Thursday, January 23, 2003 3:17 AM
    To: focus-ms@securityfocus.com
    Subject: w2k server compromised

    hey all

    i just found one of the w2k servers to be infected and acting very
    strangely.
    unfortunately it is a domain controller and it has all the
    users/computers lists.

    how can i export these before reinstall in order to keep the exact same
    configuration (everything except passwords of course) ?
    i suppose this could be useful to be done on a regular basis too...

    TIA
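
An added example, not part of the original thread: one way to check an exported user list against a known-good list, as the reply above suggests, before any account is carried into a rebuilt domain. The CSV layout (columns sAMAccountName and memberOf, with group DNs separated by ';') and every account name in the sample data are constructed assumptions.

```python
import csv
import io

# Constructed sample: known-good user list saved before the incident.
BASELINE_CSV = """sAMAccountName,memberOf
Administrator,"CN=Domain Admins,CN=Users,DC=example,DC=local"
jsmith,"CN=Sales,OU=Groups,DC=example,DC=local"
mjones,"CN=Sales,OU=Groups,DC=example,DC=local"
backupsvc,"CN=Backup Operators,CN=Builtin,DC=example,DC=local"
"""

# Constructed sample: user list exported from the suspect domain controller.
SUSPECT_CSV = """sAMAccountName,memberOf
Administrator,"CN=Domain Admins,CN=Users,DC=example,DC=local"
JSmith,"CN=Sales,OU=Groups,DC=example,DC=local;CN=Domain Admins,CN=Users,DC=example,DC=local"
backupsvc,"CN=Backup Operators,CN=Builtin,DC=example,DC=local"
support_388,"CN=Administrators,CN=Builtin,DC=example,DC=local"
"""


def load_users(csv_text):
    """Map lower-cased account name to its set of lower-cased group DNs."""
    users = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["sAMAccountName"].strip().lower()  # names compare case-insensitively
        groups = (row.get("memberOf") or "").split(";")  # assumed ';' separator
        users[name] = {g.strip().lower() for g in groups if g.strip()}
    return users


def compare(baseline, suspect):
    """List accounts to review before anything is carried into a rebuilt domain."""
    shared = set(baseline) & set(suspect)
    return {
        "unknown": sorted(set(suspect) - set(baseline)),   # not in the known-good list
        "missing": sorted(set(baseline) - set(suspect)),   # deleted or renamed
        "group_added": {n: sorted(suspect[n] - baseline[n])
                        for n in shared if suspect[n] - baseline[n]},
    }


def audit(baseline_csv=BASELINE_CSV, suspect_csv=SUSPECT_CSV):
    return compare(load_users(baseline_csv), load_users(suspect_csv))


if __name__ == "__main__":
    for finding, accounts in audit().items():
        print(finding, accounts)
```

Accounts reported under "unknown" or "group_added" are the ones to investigate rather than recreate; the known-good list has to come from a copy taken before the machine began misbehaving.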


