Re: Win2k Suddenly Has Admin Password reset to blank

From: Steven L Umbach (n9rou_at_comcast.net)
Date: 08/28/03


Date: Thu, 28 Aug 2003 06:03:52 GMT


     I would say you have been hacked - somehow. Possibly a trojan, which can get by
a firewall [emails, laptops, vpns, etc]. I know certain trojans will run dictionary
attacks against an administrator account and can be successful if it is weak, but reset
to blank? Usually they want to be discreet. Possibly someone on your network captured
[keyboard logger] or obtained an administrator password and reset them to blank for
some reason. The fact that they were set to blank tells me you may not have a very
strict password policy and have easy to guess passwords somewhere. I would scan your
computers for trojans and malware such as keyboard loggers [trojans can install those
also]. Review your password/account policies and be careful where you log on with
a domain administrator account. I would also enable auditing of account logon events
success and failures on domain controllers and at least account logon and logon
events for failures on domain members. Net user username will tell you the exact time
of last password change. --- Steve

"SM Casey" <smcasey@flash.net> wrote in message
news:0f0301c36cb3$1697f8b0$a401280a@phx.gbl...
> We have HW & SW Firewalls, latest Win2k & McAfee patches &
> Virus DBs running. Local WS noticed that server
> directories suddenly were not accessible to remote Admin
> user. Reboot server and found all admin domain passwords
> were somehow reset to blank. Have we been hacked? The
> TCP HW & SW firewall logs do not show any unusual
> activity. Virus scans do not reveal any unusual activity.
>
> Physical premises security limits physical access to WS's
> so there is no possibility of surreptitious use of any WS.
>
> Seems that Win2k at some point in the last 4 hours just
> reset the primary server/domain admin PW to blank. Has
> anyone seen this before?
>
> SMC
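
Added example (not part of the original posts): a Python sketch that applies the `net user` check mentioned in the reply across several accounts, reading saved `net user <name>` output and listing accounts whose "Password last set" time falls in the window before the problem was noticed. The account names, timestamps, the four-hour window value and the US-English date format are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

FMT = "%m/%d/%Y %I:%M %p"  # assumption: US-English date format in the output

# Constructed sample: saved `net user <name>` output, trimmed to a few fields.
REPORTS = [
    "User name                    Administrator\n"
    "Account active               Yes\n"
    "Password last set            8/27/2003 10:41 PM\n",
    "User name                    svc_backup\n"
    "Account active               Yes\n"
    "Password last set            8/27/2003 10:42 PM\n",
    "User name                    jsmith\n"
    "Account active               Yes\n"
    "Password last set            6/2/2003 9:15 AM\n",
]

def parse_net_user(text):
    """Turn one `net user <name>` report into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        # Field name and value are separated by a run of two or more spaces.
        m = re.match(r"^(\S.*?)\s{2,}(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def changed_in_window(reports, noticed_at, window):
    """Return sorted (time, account) pairs for passwords set within `window` before `noticed_at`."""
    hits = []
    for text in reports:
        f = parse_net_user(text)
        try:
            when = datetime.strptime(f.get("Password last set", ""), FMT)
        except ValueError:
            continue  # "Never", missing field, or a locale FMT does not cover
        if noticed_at - window <= when <= noticed_at:
            hits.append((when, f.get("User name", "?")))
    return sorted(hits)

def burst(hits, gap=timedelta(minutes=5)):
    """True when each change follows the previous one within `gap` (one bulk action)."""
    return len(hits) > 1 and all(b[0] - a[0] <= gap for a, b in zip(hits, hits[1:]))

if __name__ == "__main__":
    found = changed_in_window(REPORTS, datetime(2003, 8, 28, 1, 0), timedelta(hours=4))
    for when, name in found:
        print(f"{name}: password set {when}")
    print("changes clustered together:", burst(found))
```

Several privileged accounts changed within minutes of each other points to one bulk action, and those times give the window to search in the logon audit events.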


