Re: Server has been hacked, need to delete hidden user account



If I open "C:\Documents and Settings\superwayne$" and look at the owner of
the files it is "Administrator". Does this mean that the "hacker" has used
my administrator account? Is it smart to disable this account and make a
new administrator account (example called "Admin" with a new password)? Is
it ok to delete (from Command / cmd.exe) the folder "C:\Documents and
Settings\superwayne$" with all content?




"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:OhH9jMrnHHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
Maybe there is no user and Superwayne just used Documents and Settings
folder to create a share. Look at the owner of the files to see who has
created those - you'll get an idea what accounts were compromised.

At this stage you can start monitoring Superwayne's activity and perhaps
even catch the guy (or gal) - useful experience but not very rewarding in
most cases. Another alternative is cleaning out your system - most likely
it is infected with a trojan as well.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Øyvind Isaksen" <hojoi@xxxxxxxxx> wrote in message
news:%23fYzBFrnHHA.4516@xxxxxxxxxxxxxxxxxxxxxxx
I need urgent help! My Windows 2003 server has been hacked. When I was
defragmenting my disks some files could not be defragmented. I
discovered that the reason is because these files are created on a
userprofile called "superwayne$" at this location C:\Documents and
Settings\superwayne$. If I open this address in Explorer, I see folders
like "desktop", "Favorites", "Local Settings", "superwaynes$'s Documents"
and so on. There is a lot of hacked software, movies and other stuff in
these folders.
If I open Active Directory Users and Computers, the user "superwaynes$"
is not there. In Server Management/Users I can't find this either. It
seems like the user "superwaynes$" has been created outside my domain or
something. How can I find and delete this user profile (not only the
files in C:\Documents and Settings\superwayne$)? How could this happen,
what can I do to prevent this in future? My server has only licensed
software (no hacks), only I got access to it?
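
The two checks discussed in this thread (who owns the files in the unexpected profile folder, and whether any account is still registered for that profile) can be scripted. The following is an added example, not part of the original posts; it assumes PowerShell 3.0 or later is available on the server (it is not installed by default on Windows Server 2003) and uses the profile path quoted in the thread as its default.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
# $ProfilePath defaults to the folder named in the posts; change it for the host under review.
param([string]$ProfilePath = 'C:\Documents and Settings\superwayne$')

# 1. Tally the owners of everything under the profile folder.
#    -Force includes hidden and system items; unreadable items are counted separately.
Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        try   { (Get-Acl -LiteralPath $_.FullName).Owner }
        catch { '<owner unreadable>' }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Find the SID that Windows registered for this profile folder and try to
#    resolve it to an account name. A SID that no longer resolves means the
#    account was deleted (or never belonged to this domain) while the profile stayed behind.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem -LiteralPath $profileList | ForEach-Object {
    $sid  = $_.PSChildName
    $path = (Get-ItemProperty -LiteralPath $_.PSPath).ProfileImagePath
    if ($path -and ([Environment]::ExpandEnvironmentVariables($path) -ieq $ProfilePath)) {
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<SID does not resolve to an existing account>'
        }
        New-Object PSObject -Property @{
            SID              = $sid
            ProfileImagePath = $path
            Account          = $account
        }
    }
} | Format-List SID, ProfileImagePath, Account
```

If step 2 prints nothing, no profile registration points at that folder, which fits the suggestion above that the folder may only have been used as a place to store and share files.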




