Solved

Help!  It seems as if our Windows Server Machine has been hacked... Administrator Password Changed

Posted on 2004-04-20
276 Views
Last Modified: 2010-04-26
I am running a Windows 2000 Server and until yesterday everything was fine. I won't go into the details about why I didn't have a firewall or good antivirus software installed, but I don't. Now when I try to log on to the machine, the administrator account or password has been changed/disabled, whatever. Bottom line is I can't access the computer. It boots up fine and is running the web service, but I can't get in. There has to be a way to get in if the damn hackers did. Any ideas?
Question by: kkirt1
7 Comments

Accepted Solution
by: sirbounty (earned 500 total points)
ID: 10874270

To restore your system to the default Administrator with no password:
  Download a boot disk from here: http://www.bootdisk.com/bootdisk.htm
  Use the downloaded image to create the boot disk.  Then boot up your system from this disk.
  Now navigate to %systemroot%\system32\config on your hard drive,
  Rename sam.log (by typing REN SAM.LOG SAMLOG.ORG) and rename sam.exe (by typing REN SAM.EXE SAMEXE.ORG)
  Now when you boot up the password on your built-in administrator account will be blank (No password).
  This solution works only if your hard drive is FAT.

   ref: http://windows.about.com/library/tips/bltip115.htm

Also check this:
  http://www.winnetmag.com/Article/ArticleID/14729/14729.html
  http://www.thomasmathiesen.com/itak/html/software.html

Expert Comment
by: Jerry_Pang
ID: 10874504
I wonder if you could just do a restore point. The disadvantage is that you will lose some of the current configuration. Anyways, I found an interesting link. Just check it out.
I haven't tried this myself yet.
FROM http://www.petri.co.il/forgot_administrator_password.htm
How can I reset the administrator's password if I forgot it?
Free Tools
Free Windows password-cracking tools are usually Linux boot disks that have NT file system drivers and software that will read the registry and rewrite the password hashes for any account including the Administrators. This process requires physical access to the console and an available floppy drive but it works like a charm! I've done it myself several times with no glitch or problem whatsoever.

Here are three of these free tools:

Petter Nordahl-Hagen's Offline NT Password & Registry Editor
http://www.petri.co.il/forgot_administrator_password.htm#1

Openwall's John the Ripper
http://www.petri.co.il/forgot_administrator_password.htm#2

EBCD – Emergency Boot CD
http://www.petri.co.il/forgot_administrator_password.htm#3


In EE, I found this
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20728321.html

Found another link, seems to suggest linux boot same as my first suggestion
I have forgotten my Windows 2000 or Windows XP administrator or user password. What do I do?
http://www.fas.harvard.edu/computing/kb/kb0747.html

It is a problem really, especially if it's NTFS.

Expert Comment
by: sirbounty
ID: 10874513
Additional tools from this PAQ: http:Q_20348448.html

Expert Comment
by: mlynch24
ID: 10874550
I used this solution with positive results on W2K Pro/Svr and XPP.

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

Expert Comment
by: RLGSC
ID: 10874672
KKirt1,

IMPORTANT. Before doing anything, get a drive imaging program and image the drives onto spares.

Then experiment with the copy. It is VERY easy to accidentally make things worse. I seriously recommend getting someone with experience (or at least a good deal of patience and internals work) to work on this. I have encountered many situations where the severe damage has occurred in attempting to repair the damage.

If people are willing to do this type of work on a system without working on a copy, I would recommend not doing this.
Also, what is the state of your backups? Additionally, consider that the hacker may have been in the machine for an extended period. Careful examination of your files (and a clean installation) is in order.

- Bob (aka RLGSC)
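The "image the drives onto spares first" advice above is the one step in this thread that protects the evidence and gives a way back if a repair attempt goes wrong. Here is an added example of how to do it from a Linux boot CD with the suspect disk attached; this is not code from the thread or from any of the tools linked in it. The device path and image path are placeholders, and the sector size of 512 bytes is an assumption about the disk.

```sh
#!/bin/sh
# Added example (not from the thread): take a verified bit-for-bit image of the
# suspect disk before any repair attempt, so every later step (password reset,
# examination of files) is tried on a copy rather than on the only original.
# Device paths below are placeholders; the thread names no specific devices.

# image_disk SRC DST
#   Copies SRC (a block device or file) to the image file DST, writes a
#   SHA-256 sidecar DST.sha256, and returns 0 only if source and image hash
#   the same. bs=512 matches the assumed sector size, so conv=sync cannot pad
#   a short final block and change the image length; conv=noerror keeps going
#   past unreadable sectors (written as zeros) instead of aborting the image.
image_disk() {
    src="$1"
    dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    # sidecar in "hash  path" form, the layout sha256sum -c understands
    printf '%s  %s\n' "$dst_hash" "$dst" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# verify_image DST
#   Re-checks the image against its sidecar before each analysis session, so
#   an accidental write to the copy is noticed rather than mistaken for one of
#   the attacker's changes.
verify_image() {
    dst="$1"
    recorded=$(cut -d' ' -f1 "$dst.sha256")
    current=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# Usage with placeholder paths:
#   image_disk /dev/sdb /mnt/spare/server.img && verify_image /mnt/spare/server.img
# Examine the copy read-only (partition offset must be found with fdisk -l):
#   mount -o ro,loop,offset=<partition offset> /mnt/spare/server.img /mnt/evidence
```

Work on the image (or on a second copy of it) for the password reset experiments, and keep the hashed original image untouched; that is what makes the later "careful examination of your files" meaningful, because you can tell your own changes apart from the intruder's.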

Expert Comment
by: ChrisSchumann
ID: 10881360
You should do a repair install of the operating system, while it's not on a network. Once that's done, get it on the internet behind a firewall or router and get the latest security updates. Install anti-virus. Remove all unneeded accounts.

You should be able to restore from backup, but you don't know how long someone's been in your system, so a re-install will be needed. If you don't do backups, now is a good time to start.

And please remember that someone has your old administrator password so choose a new good one.

Author Comment
by: kkirt1
ID: 10905762
Thanks for all of the comments. We ended up hiring someone to reset it since I wasn't comfortable hacking into the SAM file. Thanks!