Re: Windows 2003 hacked?
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/19/05
- Next message: Dan Maharry: "Need help with TSL \ Certstore problem"
- Previous message: Steven L Umbach: "Re: Many events in Security log"
- In reply to: Jon: "Windows 2003 hacked?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 19 Apr 2005 02:57:19 -0500
A hacker or attacker can do just about anything if they get enough access. I
would be sure to change the passwords of all the administrators on the
computer. However, from what you have described, it sounds as if the computer
has been severely compromised, probably has a backdoor and is monitoring
keystrokes. Your best option would be to do a clean install to a freshly
formatted system partition and not place the computer on the internet
until it is protected by a firewall, and then make sure you install all the
critical security updates. Be sure to use complex passwords for
administrator accounts and physically secure the computer to some degree.
Also enable auditing of logon events and account management. Then run the
Microsoft Baseline Security Analyzer on it and refer to the link below at
Technet for security best practices.

It may be interesting to do a malware scan on it and use tools such as
TCPView, Process Explorer, and Autoruns from SysInternals to see if there is
anything strange going on that may help you learn what happened or is
happening, but I still strongly urge you to do a reinstall. Windows 2003 has a
lot of auditing enabled by default. You might try looking in the security
log for account management events that may help pinpoint when the event
occurred. The command [net user iusr_vagatass] might also show you when that
account was created.

--- Steve
http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
http://www.microsoft.com/technet/security/prodtech/windowsserver2003.mspx
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
"Jon" <Jon@discussions.microsoft.com> wrote in message
news:E47D703A-3FB6-44AA-9A03-3C2E4D89CCA9@microsoft.com...
> I have a server named 'vaga888'. When I go into Computer Management and look
> at the user accounts, there's no internet guest account named 'iusr_vaga888'.
> Instead, there's an account named 'iusr_vagatass' that's a member of the
> Administrator group.
>
> I'm not aware of how this internet guest account could have been created.
> Is there a known way to hack into a server that would involve creating a new
> guest account as I've described?
>
> thx, jon
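
An added example, not part of the original thread or written by either poster: one way to act on the suggestion to search the security log for account management events, by pairing each account creation (event 624 on Windows Server 2003) with a later addition of the same account to the local Administrators group (event 636). It assumes the log has been exported to a simplified CSV, oldest event first; the column layout, callers and timestamps in the sample are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Windows Server 2003 account-management event IDs (strings, as read from CSV).
ACCOUNT_CREATED = "624"           # User Account Created
LOCAL_GROUP_MEMBER_ADDED = "636"  # Security Enabled Local Group Member Added

# Constructed sample export, oldest event first. The column layout, callers and
# timestamps are assumptions made for this example, not data from the thread.
SAMPLE_EXPORT = """\
time,event_id,caller,target_account,group
2005-04-02 09:14:07,624,Administrator,backupsvc,
2005-04-02 09:15:40,636,Administrator,backupsvc,Backup Operators
2005-04-11 03:41:52,624,Administrator,iusr_vagatass,
2005-04-11 03:41:55,636,Administrator,iusr_vagatass,Administrators
2005-04-12 10:02:30,636,Administrator,jon,Administrators
"""

def find_new_admins(export_text, window=timedelta(hours=24)):
    """Return accounts created and then added to Administrators within `window`."""
    created = {}   # lowercased account name -> (creation time, caller)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        account = row["target_account"].lower()
        if row["event_id"] == ACCOUNT_CREATED:
            created[account] = (when, row["caller"])
        elif (row["event_id"] == LOCAL_GROUP_MEMBER_ADDED
              and row["group"].lower() == "administrators"
              and account in created):
            made_at, creator = created[account]
            delay = when - made_at
            if timedelta(0) <= delay <= window:
                findings.append({
                    "account": account,
                    "created_at": made_at,
                    "created_by": creator,
                    "promoted_at": when,
                    "delay_seconds": delay.total_seconds(),
                })
    return findings

if __name__ == "__main__":
    for f in find_new_admins(SAMPLE_EXPORT):
        print(f"{f['account']}: created {f['created_at']} by {f['created_by']}, "
              f"added to Administrators {f['delay_seconds']:.0f}s later")
```

Only accounts whose creation event is still in the log are reported, so an existing account that is later added to Administrators (the `jon` row in the sample) is not flagged. If the log has wrapped or been cleared since the account was created, the creation event will be missing and this check returns nothing for it.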