
URGENT! Need advice to stop hackers


aldi

IS-IT--Management
May 10, 2002
421
CA
A few days ago I posted about a problem with the administrator password. I couldn't log on from anywhere on the network. Then I realized that the administrator's password had been changed. I changed the administrator password and created a new account for admin purposes. When I changed the admin password, the DC was only locked; then I got access to it and was able to change the password.

This morning I was checking the TS connections and noticed one connection using the administrator account. I'm the only one using the admin account, so I knew something was odd. I remote-controlled the connection and found that this connection (administrator) was running AMS (Advanced Mass Sender); I also noticed that it was forwarding a lot of emails.

I logged off the intruder, but a few minutes later it was connected again. Then I changed the administrator's local account password on the TS, which is the only one left to change, then I kicked him/her/it off and haven't seen it connected again for the last 20 minutes.

When this administrator account was connected to the TS, there was no connection for it on the RRAS. How were they connected then to my TS, which is running on another box?

On my router I have only the needed ports open; I'm running ISA with a multi-homed system.

BTW... I'm running SBS 2003 (1 DC, multi-homed). The TS is a Windows 2000 server.

How can I make sure that these people don't connect again?
As I mentioned, I changed the administrator password and created a new account to log on for admin purposes.

Please help as soon as possible!!!
 
Sounds like they exploited something... have you ensured your system is fully patched?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Thank you, lander!

Yes, both systems are fully patched. The TS is running SP4 and has the latest patches. The DC is still without any SP, but it is fully patched... I mean security patches.

 
Reboot the server, check the Run and RunOnce registry keys, check msconfig, and check the services to see if any unusual programs are running.
 
Thank you, wong!

Do you want me to reboot the TS server or the DC or both?

please let me know.
 
I'd do both. Your TS server probably doesn't have AD, so rebooting the DC might also show something fishy going on. Try to drill down into every OU on your DC... There might be a second admin account that you don't know of. There are some tools (like MBSA - Microsoft Baseline Security Analyzer) that you can run to see if you have more than one admin account active. It will also check if you are missing some patches. Check your event viewer logs. Do you have a web server/FTP server also running?
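The checks wong and tfg13 list above (Run/RunOnce keys, services, extra admin accounts, the event log, who is connected), collected into one script as an added PowerShell example that is not part of the original thread. It assumes a current Windows Server with PowerShell 5.1 and the ActiveDirectory module (RSAT) installed, run from an elevated prompt on the Terminal Server; the poster's Windows 2000 and SBS 2003 boxes predate PowerShell, where the same checks are done by hand in regedit, services.msc, Active Directory Users and Computers, Event Viewer and Terminal Services Manager.

```powershell
# Added example, not from the original thread. Assumes Windows Server 2016+ / PowerShell 5.1
# with the ActiveDirectory module installed; run elevated on the Terminal Server.
# Every line of output is something to compare against what you know you installed.

# 1. Autostart entries in Run / RunOnce, both hives, including subkeys such as the
#    "Optional Components" key mentioned later in the thread.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    Get-ChildItem -Path $key | Select-Object @{ n = 'Subkey'; e = { $_.PSChildName } }
}

# 2. Services that log on as a named account instead of a built-in one. These carry a
#    stored password and break (or keep the attacker in) when that account's password changes.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
    Select-Object Name, StartName, State, PathName

# 3. Who holds admin rights: the local Administrators group on this box and Domain Admins in AD.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet

# 4. Remote Desktop logons (event 4624, logon type 10) in the last 7 days with the client address.
#    This is what answers "how did they reach the TS": IpAddress is the connecting client.
#    (Pre-Vista systems record the successful logon as event 528 rather than 4624.)
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
        }
    } |
    Where-Object { $_.LogonType -eq '10' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize

# 5. Sessions on the box right now (the view the poster had in Terminal Services Manager).
quser 2>$null
```

Read the output of step 4 first: an Administrator logon of type 10 whose source is a public address, with no matching RRAS session, means the RDP listener itself is reachable from the outside and the account password was known to the attacker, which is the situation the poster describes. Steps 2 and 3 then tell you which stored credentials and which accounts must be rotated or removed.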
 
I would reboot both. You can also change the listening port on the TS as well. This can get you away from issues with people connecting to the TS through RDC and getting into your TS (you'll also need to change the port in the firewall).


has a good breakdown of what's needed. When connecting, you'll need to add the port, such as 192.168.10.1:3390. I wouldn't necessarily use that port, as it is a quite well known "alternative". Depending on your firewall, you may also be able to block this individual's IP.
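The port change and IP block tfg13 describes, carried out on a current Windows Server as an added PowerShell example (not from the original thread). Port 53389, the 192.168.10.0/24 LAN range and the 203.0.113.45 address are placeholders; the NetSecurity cmdlets assume Windows Server 2012 or later, whereas the poster's Windows 2000 Terminal Server takes the same PortNumber registry value but needs its firewall and the ISA publishing rule edited by hand.

```powershell
# Added example, not from the original thread. Assumes Windows Server 2012+ with the
# NetSecurity module; run elevated. $NewPort, the LAN range and the blocked address are placeholders.
$NewPort   = 53389              # any unassigned high port; 3390 is a well-known "alternative"
$TrustedNet = '192.168.10.0/24' # assumed internal range that should be allowed to reach RDP
$Intruder  = '203.0.113.45'     # placeholder for the address seen in the logon events

# The listener port lives in the RDP-Tcp WinStation key (same location on Windows 2000).
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# Turn off the built-in 3389 rules and allow the new port only from the trusted range.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName "RDP on $NewPort (trusted only)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -RemoteAddress $TrustedNet -Action Allow | Out-Null

# Drop everything from the intruder's address regardless of port.
New-NetFirewallRule -DisplayName "Block $Intruder" -Direction Inbound `
    -RemoteAddress $Intruder -Action Block | Out-Null

# The listener only reads PortNumber at start-up; this disconnects current sessions, so do it
# deliberately. Then confirm the new port is listening and the old one is not.
Restart-Service -Name TermService -Force
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 3389, $NewPort } |
    Select-Object LocalAddress, LocalPort

# Clients now connect as   mstsc /v:server:53389   and the router / ISA publishing rule
# must forward the new port instead of 3389.
```

Moving the port only hides the listener from the laziest scanners; the intruder in this thread already had a valid password and would find the new port with one scan. The change that actually closes the door is the RemoteAddress restriction (RDP reachable only from the LAN or a VPN pool, not from the Internet) together with rotating every credential the Administrator account touched, which the rest of the thread covers.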
 
Yes, I have a web server/FTP server running on the same TS server.

The Run key had an entry "Optional Components" which has another three folders, "IMAIL, MAPI and MSFS". Are you familiar with them? I only know about MAPI.
BTW... MS Office is installed on the TS.
 
Thank you, tfg13,

I have a question before rebooting the DC.

Am I going to have problems if I reboot, because I changed the administrator password from Active Directory Users and Computers?

Do I have to change the password anywhere else?

Thanks in advance,
 
Found this on IMAIL:


Sounds like a legit program...

Found this on MSFS:

MSFS Message-Passing Stochastic False Sharing
MSFS Microsoft Flight Simulator

From
Any reason why Microsoft's Flight Simulator is loaded? If not, I would say it's Message-Passing Stochastic False Sharing. Haven't had time to research it yet...
 
You should not have any issues. The password should be the "new" password.
 
What about services and tasks that use the administrator's password?
 
If you have not already changed those, you will need to change those manually to the new password. I wouldn't worry about the tasks (unless you have tasks running at startup) until after the reboot.
 
Thanks again!

Yes, I'm not really worried about tasks, but what about services?
Is the password automatically changed?
Does the administrator's account have nothing to do with the machine account?
When is it necessary to change the machine account's password?
Do I need to change that password too?

please let me know,

 
If the services have the admin account you are worried about in the "log on as" column, you need to manually change those passwords (properties of the service, log on tab). The password is not automatically changed. Since you have the webserver/FTP on this machine, also check in the Internet Services Manager for any "pages"/properties that are also using that administrator account.

The administrator account does not have anything to do with the machine account. The machine account is managed by the operating system. If you feel safer changing the password, check out this site:


Keep this in mind:
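Rotating the stored credentials tfg13 describes in the two replies above (services in their "Log On" tab, scheduled tasks, and anything in IIS that used the account), as an added PowerShell example that is not part of the original thread. It assumes a current Windows host; CONTOSO\Administrator and CONTOSO\svc-app are placeholder account names, and moving the services to a dedicated least-privilege account instead of re-entering the Administrator password is this example's own recommendation rather than something the thread states.

```powershell
# Added example, not from the original thread. Assumes Windows Server 2012+ / PowerShell 5.1,
# run elevated. Account names are placeholders.
$OldAccount = 'CONTOSO\Administrator'   # the account whose password was just changed
$NewAccount = 'CONTOSO\svc-app'         # dedicated service account (assumption: already created)
$secure = Read-Host -Prompt "Password for $NewAccount" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Services: Win32_Service.Change() takes the new logon name and password in one call.
# Note that a local account shows up as ".\Administrator" in StartName, so match both forms.
$localForm = '.\' + ($OldAccount -split '\\')[-1]
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq $OldAccount -or $_.StartName -eq $localForm }
foreach ($svc in $services) {
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
            -Arguments @{ StartName = $NewAccount; StartPassword = $plain }
    if ($r.ReturnValue -ne 0) { Write-Warning "$($svc.Name): Change() returned $($r.ReturnValue)" }
    else                     { Write-Host    "$($svc.Name): now runs as $NewAccount" }
}

# Scheduled tasks store their own principal and password, so each one is updated separately.
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -eq $OldAccount -or $_.Principal.UserId -eq $localForm } |
    ForEach-Object {
        Set-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath `
            -User $NewAccount -Password $plain | Out-Null
        Write-Host "task $($_.TaskPath)$($_.TaskName): now runs as $NewAccount"
    }
# (On Windows 2000/2003 the equivalent is:  schtasks /Change /TN <name> /RU <account> /RP <password>)

# Re-check: nothing should still reference the old account. Restart what you changed.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq $OldAccount -or $_.StartName -eq $localForm } |
    Select-Object Name, StartName
$services | ForEach-Object { Restart-Service -Name $_.Name -ErrorAction Continue }
```

Check IIS separately, as tfg13 says: the anonymous-access account and the identity of each application pool or virtual directory are set in IIS Manager (or `Get-WebConfigurationProperty` on current IIS) and are not touched by the service and task changes above. The machine account password is separate from all of this: it is negotiated by the computer with the domain and is not something the intruder obtained by changing the Administrator password.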
 
Thank you very much....all of you were great help!

I did as much as advised and haven't seen signs of intrusion any more.

 
Might also ask your users to change their passwords too. Maybe the intruder managed to get their passwords also.
 
Yes, Wong. I'll be enforcing complex passwords through GPO.

I have a question about policies:

When I installed the SBS 2003 DC, seven policies were automatically created at the domain level. Of those seven policies, none is enforced, and two of them ("Default Domain Policy" and "Small Business Server Domain Password Policy") have password policy settings. Small Business Server Domain Password Policy has a higher priority than the Default Domain Policy.

The question is: should I use one of these policies for password policy enforcement, or should I copy one of them, make the necessary changes, and enforce it at the same domain level?

What's the best practice when using GPOs?

Thanks in advance!!!
 
I only have 2 SBS networks running and have a dozen full versions of Windows running at my clients. If I remember correctly, SBS has a wizard that allows you to force password complexity settings...
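The password policy and forced password change discussed in the last few posts, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module on the domain controller or an RSAT host; the thresholds are illustrative. On the question of which GPO to use: for domain accounts, Windows takes password and lockout settings from the GPO linked at the domain root with the highest precedence, so only one set of values is ever in effect no matter how many domain-level policies carry them, and a third copy linked at the same level changes nothing unless it is moved to the top of the link order.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module on the
# domain controller; values are illustrative, not a recommendation for a specific environment.
$domainDN = (Get-ADDomain).DistinguishedName

# Domain-wide password and lockout policy.
Set-ADDefaultDomainPasswordPolicy -Identity $domainDN `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# Read back what the domain object now holds; this is what clients actually enforce.
Get-ADDefaultDomainPasswordPolicy -Identity $domainDN |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                  MinPasswordAge, MaxPasswordAge, LockoutThreshold, LockoutDuration

# wong's point: assume the intruder has user passwords too. Make every enabled user
# pick a new one at next logon, and see which accounts have not changed recently.
Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordLastSet |
    ForEach-Object {
        Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
        [pscustomobject]@{ User = $_.SamAccountName; PasswordLastSet = $_.PasswordLastSet }
    } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Set-ADDefaultDomainPasswordPolicy writes directly to the attributes on the domain object, which is what Get-ADDefaultDomainPasswordPolicy and the clients read, but the PDC emulator rewrites those attributes from the highest-precedence domain-linked GPO at each policy refresh. Make the same change in that GPO (in the poster's case the Small Business Server Domain Password Policy, or through the SBS wizard the previous reply mentions) or the values revert at the next refresh.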
 