Solved

Help!  It seems as if our Windows Server Machine has been hacked... Administrator Password Changed

Posted on 2004-04-20
275 Views
Last Modified: 2010-04-26
I am running a Windows 2000 Server and until yesterday everything was fine.  I won't go into the details about why I didn't have a firewall or a good virus software installed but I don't.  Now when I try to log on to the machine the administrator account or password has been changed/disabled whatever.  Bottom line is I can't access the computer. It boots up fine and is running the web service but I can't get in.  There has to be a way to get in if the damn hackers did.  Any ideas?
0
Question by:kkirt1
7 Comments
 
LVL 67

Accepted Solution

by:
sirbounty earned 500 total points
ID: 10874270

To restore your system to the default Administrator with no password:
  Download a boot disk from here: http://www.bootdisk.com/bootdisk.htm
  Use the downloaded image to create the boot disk.  Then boot up your system from this disk.
  Now navigate to %systemroot%\system32\config on your hard drive,
  Rename sam.log (by typing REN SAM.LOG SAMLOG.ORG) and rename sam.exe (by typing REN SAM.EXE SAMEXE.ORG)
  Now when you boot up the password on your built-in administrator account will be blank (No password).
  This solution works only if your hard drive is FAT.

   ref: http://windows.about.com/library/tips/bltip115.htm

Also check this:
  http://www.winnetmag.com/Article/ArticleID/14729/14729.html
  http://www.thomasmathiesen.com/itak/html/software.html
0
 
LVL 9

Expert Comment

by:Jerry_Pang
ID: 10874504
I wonder if you could just do a restore point. The disadvantage is that you will lose some of the current configuration. Anyways, I found an interesting link. Just check it out.
I haven't tried this myself yet.
FROM http://www.petri.co.il/forgot_administrator_password.htm
How can I reset the administrator's password if I forgot it?
Free Tools
Free Windows password-cracking tools are usually Linux boot disks that have NT file system drivers and software that will read the registry and rewrite the password hashes for any account including the Administrators. This process requires physical access to the console and an available floppy drive but it works like a charm! I've done it myself several times with no glitch or problem whatsoever.

Here are three of these free tools:

Petter Nordahl-Hagen's Offline NT Password & Registry Editor
http://www.petri.co.il/forgot_administrator_password.htm#1

Openwall's John the Ripper
http://www.petri.co.il/forgot_administrator_password.htm#2

EBCD – Emergency Boot CD
http://www.petri.co.il/forgot_administrator_password.htm#3


In EE, i found this
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20728321.html

Found another link, seems to suggest linux boot same as my first suggestion
I have forgotten my Windows 2000 or Windows XP administrator or user password. What do I do?
http://www.fas.harvard.edu/computing/kb/kb0747.html

It is a problem really, especially if it's NTFS.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10874513
Additional tools from this PAQ: http:Q_20348448.html
0
 
LVL 5

Expert Comment

by:mlynch24
ID: 10874550
I used this solution with positive results on W2K Pro/Svr and XPP.

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
0
 
LVL 8

Expert Comment

by:RLGSC
ID: 10874672
KKirt1,

IMPORTANT. Before doing anything, get a drive imaging program and image the drives onto spares.

Then experiment with the copy. It is VERY easy to accidentally make things worse. I seriously recommend getting someone with experience (or at least a good deal of patience and internals work) to work on this. I have encountered many situations where the severe damage has occurred in attempting to repair the damage.

If people are willing to do this type of work on a system without working on a copy, I would recommend not doing this.
Also, what is the state of your backups? Additionally, consider that the hacker may have been in the machine for an extended period. Careful examination of your files (and a clean installation) is in order.

- Bob (aka RLGSC)
0
 
LVL 9

Expert Comment

by:ChrisSchumann
ID: 10881360
You should do a repair install of the operating system, while it's not on a network. Once that's done, get it on the internet behind a firewall or router and get the latest security updates. Install anti-virus. Remove all unneeded accounts.

You should be able to restore from backup, but you don't know how long someone's been in your system, so a re-install will be needed. If you don't do backups, now is a good time to start.

And please remember that someone has your old administrator password so choose a new good one.
0
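One way to carry out the account review recommended in the reply above on a current Windows host, as an added example that is not part of the original thread. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Windows 8.1 / Server 2012 R2 onward); the Windows 2000 machine in the question has no PowerShell, where `net user` and `net localgroup Administrators` give the equivalent listings.

```powershell
# Added example (not from the thread): review local accounts after a suspected
# compromise. Assumes PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts
# module; Windows 2000 does not ship PowerShell.

# 1. Every enabled local account, with when its password was last set.
#    An account you do not recognise, or a PasswordLastSet timestamp that
#    lines up with the break-in, is what the reply means by "unneeded accounts".
Get-LocalUser |
    Where-Object { $_.Enabled } |
    Select-Object Name, PasswordLastSet, LastLogon, Description |
    Format-Table -AutoSize

# 2. Who holds local administrator rights. Anything here that is not the
#    built-in Administrator or a known administrative group needs an explanation.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 3. Disable rather than delete an account you want to examine later; deleting
#    it also discards its SID and makes its entries in the event logs harder to
#    attribute. 'suspect-account' is a placeholder name, not one from the thread.
# Disable-LocalUser -Name 'suspect-account'
```

Run it from an elevated prompt, and keep the two listings with the drive image suggested earlier in the thread so the state of the accounts at the time of discovery is preserved before any repair install changes it.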
 

Author Comment

by:kkirt1
ID: 10905762
Thanks for all of the comments.  We ended up hiring someone to reset it since I wasn't comfortable hacking into the sam file.  Thanks!
0
