Solved

Server Crash / Windows NT 4.0

Posted on 2004-04-19
349 Views
Last Modified: 2010-04-11
Hello everyone,

Last week we had a server crash for the 4th time within 6 months. All four times had exactly the same cause (as far as we can tell). These are the symptoms:

-      The desktop is completely empty and has a gray color.
-      The program folder list in the Start menu is totally empty.
-      If we open Windows Explorer we get an error "access denied". This is because all user accounts are deleted.
-      If we approach the server from another PC, we see that the system32 folder is completely empty. Round about 75% of all files are gone.

Things that are still operational (as long as we don't reboot the server) are things like shares, printers, user accounts, etc.
People who are working on the server are not aware of what is going on; they can still work.

The configuration on the server is as following:

-      Windows NT 4.0 Server with Service Pack 6a, which acts as a PDC
-      Backup Exec 9.1
-      McAfee ePolicy Orchestrator

Between the first and the second crash we changed the server name and IP address. We also changed the entire server (hardware).
If we scan the hard disk for viruses the scanner doesn't find anything suspicious. The scanner runs every night.
After the second crash we installed Windows NT 4.0 Server next to the WINNT directory which crashed, so we created a WINNT2 directory next to the other. This way we were able to install an undelete tool which could tell us at what time all the files were deleted: for example, at 12:00 PM exactly.

Luckily for us this is not a critical server. We have all important data and apps stored on the BDC, so everyone can still continue working. We just really want to know what the cause of all this is.

I thank you in advance,

BR

A system administrator
Question by:FeikeOnline
7 Comments
 
LVL 7

Assisted Solution

by:shahrial
shahrial earned 300 total points
ID: 10859280
Based on your explanation, I think your server has been compromised.

What I suggest is that you reformat this server. As for the admin password, I recommend changing it to a stronger password, at least 8 characters (alphanumeric). As this is the PDC, the SAM database resides here. If the system files can be deleted, the SAM database can also be extracted, and the user IDs and passwords can be cracked with many available hacking tools (e.g. LC4).

Do treat this as a security threat, because IMHO it is (based on your symptoms).

> Luckily for us this is not a critical server. We have all important data and apps stored on the BDC, so everyone can still
> continue working. We just really want to know what the cause of all this is.

You are mistaken if you think that a PDC is no critical server. It's the heart of the network.
Do consult a security expert to look into this...Good Luck.
 

Author Comment

by:FeikeOnline
ID: 10859484
To be honest, I don't think it would matter if I reformat the entire system and install everything again.
This is because we changed server / server name / IP address after the first crash. We also installed a new PDC server from scratch.
Of course it is always better to reformat the server and start all over again. The only thing is that we have to upgrade our BDC to a PDC to keep the SAM DB. Then we can install a whole new fresh BDC. The problem then is that our new PDC is the server on which all data and apps are stored. If the new PDC gets hit then (as happened before), we have a bigger problem, because no one can work anymore.

Anyway, thank you for taking the time to work on this problem. I hope that maybe someone else recognizes this issue.
 
LVL 4

Assisted Solution

by:andydis
andydis earned 100 total points
ID: 10861033
I agree with the above: your NT has been compromised and some hacker has just had a laugh.
Yes, you have changed the IP and name, but there are ways round that these days :-(

Do you have backup tapes?
What firewall do you have?
 

Author Comment

by:FeikeOnline
ID: 10862099
Yes, I have backup tapes. We make a full backup every night with Backup Exec 9.0. The type of firewall we use is unknown, because we are part of a worldwide network. The people who control the WAN cannot help us. We use a proxy server which is placed in France, so that is where the firewall is. We don't use firewalls between LAN and LAN, only between WAN and Internet.

Can you tell me some more details about how NT has been compromised?

Thanks
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 100 total points
ID: 10863647
Sounds like someone knows your admin account and password... ?
Is there really any feasible way that someone from the outside can connect to your PDC?
If so, why?? I'm sure there are more fruitful targets in your organisation!!
I would recommend changing the passwords of all your domain admins, to be doubly sure.
Also, is there anything in the event logs? How about you set up file-level auditing to try and work out which user account is causing this?
Otherwise, upgrade to W2K. NT has had its day... :(
In my several years of NT troubleshooting, I've never seen anything like this!!
 
LVL 7

Accepted Solution

by:shahrial
shahrial earned 300 total points
ID: 10864378
> I hope that maybe someone else recognizes this issue.

The issue has been recognised. The question would be: what are you going to do about it?
You should use a firewall for LAN to LAN. It would be helpful in isolating the issue.
In my office (regional HQ), we are running multiple LAN-to-LAN configurations to our branch offices and HQ, all with a firewall
in place.

> Can you tell me some more details about how NT has been compromised?

Normally PDCs are hardened to allow only the services that are required to run. All others not used are disabled, and seldom-used ones are set to manual. Ensure that the patch level for NT 4.0 Server is kept at SP6a; should you change any network services, re-apply the service pack.
You should go through your network user list to identify any newly created users. Ultimately, change all admin user IDs and passwords. For the users, change their passwords.
If the SAM database has been exported, most of the passwords would be invalidated if you make that change.
Also check your services for unfamiliar services running, and compare the sizes of the running service binaries. Normally hackers use backdoor programs which are named similarly to actual services to prevent or reduce detection.

See the link below on Securing a compromised Microsoft Windows NT or 2000 Server.
http://www.utexas.edu/computer/security/news/iis_hole.html

Hope this helps...
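The checks suggested in the two answers above (file-level auditing and the event log from Tim Holman; new accounts, unfamiliar services and binary sizes from shahrial) put into one triage script. This is an added example written by the editor, not code from the original thread. It assumes a modern Windows host with PowerShell 5.1 or later and an elevated session; the NT 4.0 PDC in the question predates PowerShell, where the same steps are User Manager, Server Manager and the Security log in Event Viewer. The 30-day and 7-day windows, the choice of `Everyone` for the audit entry, and the scheduled-task listing (added because the asker's deletions land at 12:00 exactly, which is what a timed job looks like) are the editor's assumptions.

```powershell
# Added example (editor's own, not from the original thread). Triage for a host whose
# system32 contents are being deleted: audit deletions, read them back from the Security
# log, list accounts and admins, flag services whose binary lives outside the Windows
# directory, and list scheduled tasks. Assumes PowerShell 5.1+ in an elevated session.

# 1. Put a Delete audit entry (SACL) on system32 so the next deletion is logged with the
#    deleting account and process. The "File System" audit subcategory must be on too.
$target = "$env:SystemRoot\System32"
$acl = Get-Acl -Path $target -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',                                                                     # assumption: audit every principal
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Read deletions back. With the SACL in place a delete shows up as event 4663 whose
#    AccessMask carries DELETE (0x10000). In 4663, property 1 is the account, 6 the object
#    name and 11 the process that asked for the handle.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { ([int64]$_.Properties[9].Value -band 0x10000) -ne 0 } |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { $_.Properties[1].Value } },
        @{ n = 'Object';  e = { $_.Properties[6].Value } },
        @{ n = 'Process'; e = { $_.Properties[11].Value } }

# 3. The "new user" check: every enabled local account with its last logon and password
#    age, plus the membership of Administrators. On a domain controller use
#    Get-ADUser -Filter * -Properties whenCreated instead of Get-LocalUser.
Get-LocalUser | Where-Object Enabled | Select-Object Name, LastLogon, PasswordLastSet
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

# 4. The "unfamiliar service / compare sizes" check: services whose executable is not
#    under the Windows directory, with the binary's size and SHA-256 so it can be
#    compared against a known-good copy. Legitimate third-party services appear here too;
#    the point is a short list to go through by hand.
Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $exe = if ($svc.PathName -match '^"?([^"]+?\.exe)') { $Matches[1] } else { $svc.PathName }
    $exe = [Environment]::ExpandEnvironmentVariables([string]$exe)
    if ($exe -and -not $exe.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')) {
        $file = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name   = $svc.Name
            State  = $svc.State
            Start  = $svc.StartMode
            Path   = $exe
            Bytes  = if ($file) { $file.Length } else { $null }
            SHA256 = if ($file) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
        }
    }
}

# 5. Anything that fires on a clock: enabled scheduled tasks and what they execute.
Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        [pscustomobject]@{
            Task = $task.TaskPath + $task.TaskName
            Exec = $action.Execute
            Args = $action.Arguments
        }
    }
}
```

Step 1 only records future deletions, so it needs to be in place before the next occurrence; step 2 is what to run the morning after. Steps 3 to 5 are read-only and can be run immediately on the surviving installation.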