Solved

Help!  It seems as if our Windows Server Machine has been hacked... Administrator Password Changed

Posted on 2004-04-20
279 Views
Last Modified: 2010-04-26
I am running a Windows 2000 Server and until yesterday everything was fine. I won't go into the details about why I didn't have a firewall or good virus software installed, but I don't. Now when I try to log on to the machine, the administrator account or password has been changed/disabled, whatever. Bottom line is I can't access the computer. It boots up fine and is running the web service, but I can't get in. There has to be a way to get in if the damn hackers did. Any ideas?
Question by:kkirt1
7 Comments

LVL 67
Accepted Solution by: sirbounty (earned 500 total points)
ID: 10874270

To restore your system to the default Administrator with no password:
  Download a boot disk from here: http://www.bootdisk.com/bootdisk.htm
  Use the downloaded image to create the boot disk.  Then boot up your system from this disk.
  Now navigate to %systemroot%\system32\config on your hard drive,
  Rename sam.log (by typing REN SAM.LOG SAMLOG.ORG) and rename sam.exe (by typing REN SAM.EXE SAMEXE.ORG)
  Now when you boot up the password on your built-in administrator account will be blank (No password).
  This solution works only if your hard drive is FAT.

   ref: http://windows.about.com/library/tips/bltip115.htm

Also check this:
  http://www.winnetmag.com/Article/ArticleID/14729/14729.html
  http://www.thomasmathiesen.com/itak/html/software.html
LVL 9
Expert Comment by: Jerry_Pang
ID: 10874504
I wonder if you could just do a restore point. The disadvantage is that you will lose some of the current configuration. Anyway, I found an interesting link; just check it out.
I haven't tried this myself yet.
FROM http://www.petri.co.il/forgot_administrator_password.htm
How can I reset the administrator's password if I forgot it?
Free Tools
Free Windows password-cracking tools are usually Linux boot disks that have NT file system drivers and software that will read the registry and rewrite the password hashes for any account including the Administrators. This process requires physical access to the console and an available floppy drive but it works like a charm! I've done it myself several times with no glitch or problem whatsoever.

Here are three of these free tools:

Petter Nordahl-Hagen's Offline NT Password & Registry Editor
http://www.petri.co.il/forgot_administrator_password.htm#1

Openwall's John the Ripper
http://www.petri.co.il/forgot_administrator_password.htm#2

EBCD – Emergency Boot CD
http://www.petri.co.il/forgot_administrator_password.htm#3


In EE, i found this
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20728321.html

Found another link, seems to suggest linux boot same as my first suggestion
I have forgotten my Windows 2000 or Windows XP administrator or user password. What do I do?
http://www.fas.harvard.edu/computing/kb/kb0747.html

It is a problem really, especially if it's NTFS.
LVL 67
Expert Comment by: sirbounty
ID: 10874513
Additional tools from this PAQ: http:Q_20348448.html
LVL 5
Expert Comment by: mlynch24
ID: 10874550
I used this solution with positive results on W2K Pro/Svr and XPP.

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
LVL 8
Expert Comment by: RLGSC
ID: 10874672
KKirt1,

IMPORTANT. Before doing anything, get a drive imaging program and image the drives onto spares.

Then experiment with the copy. It is VERY easy to accidentally make things worse. I seriously recommend getting someone with experience (or at least a good deal of patience and internals work) to work on this. I have encountered many situations where the severe damage has occurred in attempting to repair the damage.

If people are willing to do this type of work on a system without working on a copy, I would recommend not doing this.
Also, what is the state of your backups? Additionally, consider that the hacker may have been in the machine for an extended period. Careful examination of your files (and a clean installation) is in order.

- Bob (aka RLGSC)
LVL 9
Expert Comment by: ChrisSchumann
ID: 10881360
You should do a repair install of the operating system, while it's not on a network. Once that's done, get it on the internet behind a firewall or router and get the latest security updates. Install anti-virus. Remove all unneeded accounts.

You should be able to restore from backup, but you don't know how long someone's been in your system, so a re-install will be needed. If you don't do backups, now is a good time to start.

And please remember that someone has your old administrator password so choose a new good one.
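The two comments above both turn on the same open question: how long the intruder was in the box and what they changed. As an added example that is not part of this thread, the Python script below scans a saved Security log export for the pre-Vista account-management event IDs (624 account created, 628 password set by another principal, 636 member added to a local group, 642 account changed, and so on), flags events outside business hours, and links a reset of the built-in Administrator password back to any freshly created account that performed it. The column layout and the sample rows are constructed for this example; a real Windows 2000 Event Viewer export is laid out differently, so the parse step is the part to adapt.

```python
"""Scan a Security log export for account-tampering events (added example).

Assumption: a simplified comma-separated export with the columns
Date,Time,Source,Category,EventID,User,Computer,Description. A real Windows 2000
Event Viewer export uses a different layout, so adapt parse_export() to it.
"""
import csv
from collections import namedtuple
from io import StringIO

# Pre-Vista (NT4 / 2000 / 2003) Security log event IDs for account management.
ACCOUNT_EVENTS = {
    624: "user account created",
    626: "user account enabled",
    628: "user account password set by another principal",
    629: "user account disabled",
    630: "user account deleted",
    632: "member added to security-enabled global group",
    636: "member added to security-enabled local group",
    642: "user account changed",
}

Finding = namedtuple("Finding", "date time event_id actor target summary")

# Constructed sample export (not real log data). In this simplified layout the
# Description column carries the affected account after "Target:".
SAMPLE_EXPORT = """\
2004-04-18,09:12:03,Security,Account Management,642,DOMAIN\\jsmith,WEB01,Target: jsmith
2004-04-19,02:41:17,Security,Account Management,624,WEB01\\Administrator,WEB01,Target: svc_help
2004-04-19,02:41:20,Security,Account Management,636,WEB01\\Administrator,WEB01,Target: Administrators Member: svc_help
2004-04-19,02:43:55,Security,Account Management,628,WEB01\\svc_help,WEB01,Target: Administrator
2004-04-19,02:44:01,Security,Logon/Logoff,538,WEB01\\svc_help,WEB01,User logoff
"""


def parse_export(text):
    """Parse the export into dicts; rows with an unexpected column count are skipped."""
    rows = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 8:
            continue
        date, time, source, category, event_id, user, computer, description = row
        rows.append(dict(date=date, time=time, source=source, category=category,
                         event_id=int(event_id), user=user, computer=computer,
                         description=description))
    return rows


def target_of(description):
    """Return the account name that follows 'Target:' in the description, or ''."""
    marker = "Target:"
    if marker not in description:
        return ""
    rest = description.split(marker, 1)[1].split()
    return rest[0] if rest else ""


def find_account_tampering(text, business_hours=(7, 19)):
    """Return one Finding per account-management event, flagging off-hours
    activity and any reset of the built-in Administrator password."""
    findings = []
    for r in parse_export(text):
        eid = r["event_id"]
        if eid not in ACCOUNT_EVENTS:
            continue
        hour = int(r["time"].split(":")[0])
        summary = ACCOUNT_EVENTS[eid]
        if not business_hours[0] <= hour < business_hours[1]:
            summary += " [outside business hours]"
        target = target_of(r["description"])
        if eid == 628 and target.lower() == "administrator":
            summary += " [built-in Administrator password reset]"
        findings.append(Finding(r["date"], r["time"], eid, r["user"], target, summary))
    return findings


def escalation_chains(findings):
    """Pair each Administrator password reset with the creation event of the
    account that performed it, when that account was created in the same export."""
    created = {f.target.lower(): f for f in findings if f.event_id == 624}
    chains = []
    for f in findings:
        if f.event_id != 628 or f.target.lower() != "administrator":
            continue
        actor_name = f.actor.split("\\")[-1].lower()
        if actor_name in created:
            chains.append((created[actor_name], f))
    return chains


if __name__ == "__main__":
    results = find_account_tampering(SAMPLE_EXPORT)
    for f in results:
        print(f"{f.date} {f.time}  event {f.event_id}  {f.actor} -> {f.target}: {f.summary}")
    for creation, reset in escalation_chains(results):
        print(f"CHAIN: {creation.actor} created {creation.target} at {creation.time}, "
              f"which then reset the {reset.target} password at {reset.time}")
```

Run it against the constructed sample and it reports four account-management events and one chain: the Administrator account creates svc_help at 02:41, adds it to Administrators, and svc_help resets the Administrator password two minutes later. On the sample the chain is the whole story; on a real export the same pairing is what tells you whether the reset came from a legitimate admin or from an account the intruder planted, which is the evidence that decides between a restore and a clean reinstall.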
Author Comment by: kkirt1
ID: 10905762
Thanks for all of the comments.  We ended up hiring someone to reset it since I wasn't comfortable hacking into the sam file.  Thanks!