RE: w2k server compromised

From: Brothers, Sam (OCTO) (Sam.Brothers@dc.gov)
Date: 01/24/03

    From: "Brothers, Sam (OCTO)" <Sam.Brothers@dc.gov>
    To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
    Date: Fri, 24 Jan 2003 10:54:11 -0500

    My 2 cents,

    Because I am always paranoid:

    If this machine has been compromised "acting strangely", the possibility
    exists that:

    1. All of your usernames & passwords have been captured (via L0phtCrack),
    and this information is thus suspect.

    2. A rogue user has been injected.

    Perhaps, exporting the user list, checking it against a known good list of
    users, then resetting all passwords may be a better course of action here:
    ***SNIP*** "You could use ADMT v2 to migrate from the infected domain into a
    clean domain, and it does migrate passwords." ***SNIP***

    Sam

    -----Original Message-----
    From: Dan Uscatu [mailto:duscatu@lunatech.ro]
    Sent: Thursday, January 23, 2003 3:17 AM
    To: focus-ms@securityfocus.com
    Subject: w2k server compromised

    hey all

    I just found one of the w2k servers to be infected and acting very
    strangely.
    Unfortunately it is a domain controller and it has all the
    users/computers lists.

    How can I export these before the reinstall in order to keep the exact same
    configuration (everything except passwords, of course)?
    I suppose this could be useful to do on a regular basis too...

    TIA
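The course of action Sam sketches (export the user list, check it against a known good list, reset all passwords) and Dan's question about exporting users and computers before the rebuild can both be scripted. The following is an added example written for this page, not code from either poster or from the list; it assumes the RSAT ActiveDirectory module, a pre-compromise inventory of sAMAccountNames in KnownGoodUsers.txt, and placeholder paths under C:\ir. It previews every change with -WhatIf.

```powershell
# Added example, not part of the thread: compare the accounts on a suspect
# domain controller against a known-good inventory, export users and
# computers for the rebuild, and reset the passwords of the accounts that
# remain. Assumes the RSAT ActiveDirectory module and a pre-compromise list
# of sAMAccountNames in KnownGoodUsers.txt (one per line). Paths are
# placeholders.
Import-Module ActiveDirectory

$irDir = 'C:\ir'
$knownGood = Get-Content (Join-Path $irDir 'KnownGoodUsers.txt') |
    ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ }

# 1. Export users and computers so the rebuilt domain can be repopulated
#    without restoring anything else that lived on the compromised DC.
$users = Get-ADUser -Filter * -Properties whenCreated, memberOf, description
$users | Select-Object SamAccountName, DistinguishedName, Enabled, whenCreated, description |
    Export-Csv (Join-Path $irDir 'users-export.csv') -NoTypeInformation
Get-ADComputer -Filter * -Properties operatingSystem |
    Select-Object Name, DNSHostName, DistinguishedName, operatingSystem |
    Export-Csv (Join-Path $irDir 'computers-export.csv') -NoTypeInformation

# 2. Any account present now but absent from the known-good list is treated
#    as injected until proven otherwise; report when it was created and
#    whether it sits in a privileged group.
$current = @($users | ForEach-Object { $_.SamAccountName.ToLower() })
$diff = Compare-Object -ReferenceObject @($knownGood) -DifferenceObject $current
$unexpected = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
$removed    = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)

$privilegedPattern = 'CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators|Account Operators),'
foreach ($name in $unexpected) {
    $u = $users | Where-Object { $_.SamAccountName -ieq $name }
    [pscustomobject]@{
        Account          = $name
        Created          = $u.whenCreated
        Enabled          = $u.Enabled
        PrivilegedGroups = (@($u.memberOf) | Where-Object { $_ -match $privilegedPattern }) -join ';'
    }
}
if ($removed) { Write-Warning "Known-good accounts no longer present: $($removed -join ', ')" }

# 3. Disable the unexpected accounts, then give every known-good account a
#    random password and force a change at next logon. Remove -WhatIf to
#    apply the changes instead of previewing them.
foreach ($name in $unexpected) { Disable-ADAccount -Identity $name -WhatIf }

$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($u in $users | Where-Object { $knownGood -contains $_.SamAccountName.ToLower() }) {
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $u -Reset -NewPassword $secure -WhatIf
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf
}
```

The known-good list has to come from before the compromise (an earlier export, or the HR roster), otherwise the comparison only confirms the attacker's changes. Service accounts and the krbtgt account are not handled by the loop above: service passwords must be changed together with the services that use them, and after a domain controller compromise krbtgt needs its own reset so that tickets issued with the old key stop validating.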