Re: Unauthorized use of Server 2003
"Malke" <notreally@xxxxxxxxxxxxxxx> wrote in message
news:OLGGkiZKGHA.536@xxxxxxxxxxxxxxxxxxxxxxx
Roger Abell [MVP] wrote:

There may be a back way in now, but no one could more than guess
what from a long list of possibilities.
Before the event there were no "back doors" that came with the
operating system other than what could be created through
misconfiguration, poor choice of passwords (or lack thereof), or
failure to patch the operating system and any network-active
third-party software when patches are released for known weaknesses.

"IT in Training" <IT in Training@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:B75A627A-C3F5-45C6-800B-674A52BDCD8C@xxxxxxxxxxxxxxxx
Someone has hacked into my server 2003 and changed MY password so I
could not use it. I managed to change it back to my password and
hopefully block future access from this person. Is there a "back way"
into the server that I do not know about that would let this person in?
I have terminal services and remote access. I need to block this
possible entry. Anyone have this problem?

Mr. Abell was far too nice to mention it, but I'll be blunt - you should
flatten the server immediately and scan any workstations that were
connected to it. Don't connect the new server installation to the
Internet or the lan until 1) it is protected with a firewall,
antivirus, and good security practices (including strong passwords);
and 2) all workstations are known to be 100% virus/malware-free.


Hi Malke,

I am just Roger, same as in dts . . . :-)

I thought that flattening was pretty clear from
There may be a back way in now, but no one could more
than guess what from a long list of possibilities.

But yes, you are quite right.
The system needs a format install with a W2k3 SP1 integrated CD,
or off network with W2k3 and not placed on network until SP1 has
been installed.

The poster should install the SCW and use it, right after visiting
Microsoft Update, which itself is right after W2k3/Sp1 is installed
with its enabled firewall.

Your advice to make sure all machines accessible from the violated
server need washing is right-on, as they are all now suspect to the
extent that credentials defined on or in use on the compromised
machine have access to them (another understated implied potential
flattening, but widespread).
Note that, if the poster has the skills, it MIGHT be worth the time
to have the violated server, off-network, go through some triage,
as this MAY provide some level of assurance about the potential
cleanup needed elsewhere.

Cheers,
Roger
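One way to do the off-network triage Roger mentions, as an added example that is not part of this thread: a small Python script run over an exported Security log, looking for the two things the original poster described, a password being set on an account (Server 2003 event 628, a reset that does not require the old password) and Terminal Services logons (event 528 with logon type 10) from outside the LAN. The CSV layout, the sample records and the trusted address range are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Security log export (not from the thread).
# Fields: EventID, Timestamp, User, Source address, LogonType
SAMPLE_LOG = """\
528,2006-01-10 02:14:11,Administrator,10.0.0.77,10
628,2006-01-10 02:16:03,Administrator,10.0.0.77,
528,2006-01-10 09:01:50,jsmith,192.168.1.20,10
540,2006-01-10 09:05:12,jsmith,192.168.1.21,3
627,2006-01-11 08:30:00,jsmith,192.168.1.20,
"""

# Windows Server 2003 (pre-Vista) Security log event IDs, assumed here.
PASSWORD_SET = "628"       # User Account Password Set: reset without the old password
SUCCESSFUL_LOGON = "528"   # Successful Logon
REMOTE_INTERACTIVE = "10"  # Logon type 10 = Terminal Services (RDP)

def triage(log_text, trusted_nets=("192.168.1.",)):
    """Return password resets, RDP logons from untrusted sources, and a
    per-source count of RDP logons, from an exported Security log."""
    resets, untrusted, per_source = [], [], Counter()
    for event_id, when, user, source, logon_type in csv.reader(io.StringIO(log_text)):
        if event_id == PASSWORD_SET:
            resets.append({"when": when, "user": user, "source": source})
        if event_id == SUCCESSFUL_LOGON and logon_type == REMOTE_INTERACTIVE:
            per_source[source] += 1
            if not source.startswith(trusted_nets):  # assumed LAN prefix list
                untrusted.append({"when": when, "user": user, "source": source})
    return {"password_resets": resets,
            "untrusted_rdp_logons": untrusted,
            "rdp_logons_by_source": dict(per_source)}

def correlate(findings):
    """Pair each password reset with an earlier untrusted RDP logon by the same
    account from the same source: the likely takeover path, worth checking first."""
    hits = []
    for r in findings["password_resets"]:
        for lg in findings["untrusted_rdp_logons"]:
            if (lg["user"], lg["source"]) == (r["user"], r["source"]) and lg["when"] < r["when"]:
                hits.append((lg["when"], r["when"], r["user"], r["source"]))
    return hits

if __name__ == "__main__":
    for hit in correlate(triage(SAMPLE_LOG)):
        print("RDP logon %s then password reset %s: %s from %s" % hit)
```

The timestamps are ISO-ordered strings so plain comparison gives time order; with a real export, normalise them first.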

