Re: Have I been hacked Windows Server 2003?

From: Miha Pihler (
Date: 09/12/04

Date: Sun, 12 Sep 2004 11:45:38 +0200


I can't tell you how these files got on your system. Could e.g. one of the
students install a keyloger on one of your system where you logon with
administrator password? If you somehow restrict installation of keyloger
software, this will not also prevent use of hardware keylogers (attached
between the keyboard and computer).

What I know is that VNC only encrypts password, but everything else between
your VNC client and VNC controlled server is sent in clear text unless you
use it over VPN.

>From VNC website

Is VNC secure?
The only really secure computer is one without a network. VNC requires a
password when a viewer tries to connect to a server. This password is
encrypted to deter snooping, but the following graphical data, the VNC
protocol, is not. In many ways, VNC is more secure than remote login
programs such as telnet where the password is and the following data are
sent in the clear as ascii characters. Many people find it perfectly
acceptable to use VNC like this behind a corporate firewall, across a VPN,
or between computers within the home. However, if the computer or network is
connected to the internet, we strongly advise the use of additional
security. See how to make VNC secure using SSH. You might want to know how
to use VNC with a firewall.

E.g. Terminal Service connection uses 128 bit encryption all the time not
just to send username and password from client to the server.

9 characters long password is not necessary secure. Windows 2000 or newer
supports password up to 128 characters. Unless you changed this in registry
your passwords are still stored as LM Hash. Recently I did an audit of
passwords for a client. We took 450 password hashes (LM Hashes) and less
then 6 hours later we had 400 passwords.
Use pass phrase longer then 14 characters (passwords longer then 14
characters are automatically stored as NTLM Hash). You could e.g. use pass
phrase "Only now I really use a secure password!" You could even do it like
this "0nly now 1 rea11y use a s3cur3 p@55w0rd!" This password is 40
characters long and I don't think it is hard to remember...

You could do some additional tests of your passwords. Download a tool from
the internet called pwdump2 (You can find it with Google). Dump your
password hashes and find administrator password. Then visit this site and paste your current
hash in the box on this site. Click submit Hash and wait for a moment and
see if your password was secure. (Change your password after you run this
How to prevent Windows from storing a LAN manager hash of your password in
Active Directory and local SAM databases;en-us;299656&Product=winsvr2003

Account Passwords and Policies


"Dominic Maricic" <> wrote in message
> I am running Windows 2k3 will all the updates. I ran a program today
> to find out why I was missing so much space on my hd and found that
> inside c:\system
> are two folders: Yu-Gi-Oh.TELESYNC.Line.Dubbed.German.SVCD-CiNTAX and
> Wie.ein.einziger.Tag.SCREENER.MD.German.VCD-ARMAGEDDON. Inside both of
> these folders are rar files making up both of these cds. The problem
> is I didnt put these there!! I have never seen them before.
> One folder is dated 9/4/2004 the other is dated 9/5/2004 (I didnt work
> either day,weekend!), neither folder is shared, nor is anything above
> it. Security shows administrators (only me), creator owner and system
> have access.
> I am running ISA Server pretty strictly as well as Norton Corporate
> 9.0 (just updated yesterday from 8.0).
> I know that this folder is used as a system restore and I have seen a
> few articles stating that this folder might be used as a network
> recycle bin (is this possible)?
> The only thing I can think of is that I am running VNC and Citrix and
> maybe one of them has a security flaw? I believe both are the most
> recent version. My administrator password is not guessable as it is 9
> numbers and letters mixed.
> Anyone have any Ideas? This is a school network with 5 servers, all
> running windows 2003. There are over 120 workstations that both
> teachers and students use. I can't think of any way to try and track
> how those files got there.