• Status: Solved

Help! It seems as if our Windows Server Machine has been hacked... Administrator Password Changed

I am running a Windows 2000 Server and until yesterday everything was fine. I won't go into the details about why I didn't have a firewall or a good virus software installed but I don't. Now when I try to log on to the machine the administrator account or password has been changed/disabled whatever. Bottom line is I can't access the computer. It boots up fine and is running the web service but I can't get in. There has to be a way to get in if the damn hackers did. Any ideas?

To restore your system to the default Administrator with no password:
  Download a boot disk from here: http://www.bootdisk.com/bootdisk.htm
  Use the downloaded image to create the boot disk.  Then boot up your system from this disk.
  Now navigate to %systemroot%\system32\config on your hard drive,
  Rename sam.log (by typing REN SAM.LOG SAMLOG.ORG) and rename sam.exe (by typing REN SAM.EXE SAMEXE.ORG)
  Now when you boot up the password on your built-in administrator account will be blank (No password).
  This solution works only if your hard drive is FAT.

   ref: http://windows.about.com/library/tips/bltip115.htm

Also check this:
I wonder if you could just do a restore point. The disadvantage is that you will lose some of the current configuration. Anyway, I found an interesting link. Just check it out.
I haven't tried this myself yet.
FROM http://www.petri.co.il/forgot_administrator_password.htm
How can I reset the administrator's password if I forgot it?
Free Tools
Free Windows password-cracking tools are usually Linux boot disks that have NT file system drivers and software that will read the registry and rewrite the password hashes for any account including the Administrators. This process requires physical access to the console and an available floppy drive but it works like a charm! I've done it myself several times with no glitch or problem whatsoever.

Here are three of these free tools:

Petter Nordahl-Hagen's Offline NT Password & Registry Editor

Openwall's John the Ripper

EBCD – Emergency Boot CD

In EE, I found this

Found another link, seems to suggest Linux boot, same as my first suggestion
I have forgotten my Windows 2000 or Windows XP administrator or user password. What do I do?

It is a problem really, especially if it's NTFS
Additional tools from this PAQ: http:Q_20348448.html

I used this solution with positive results on W2K Pro/Svr and XPP.


IMPORTANT. Before doing anything, get a drive imaging program and image the drives onto spares.

Then experiment with the copy. It is VERY easy to accidentally make things worse. I seriously recommend getting someone with experience (or at least a good deal of patience and internals work) to work on this. I have encountered many situations where severe damage has occurred in attempting to repair the damage.

If people are willing to do this type of work on a system without working on a copy, I would recommend not doing this.
Also, what is the state of your backups? Additionally, consider that the hacker may have been in the machine for an extended period. Careful examination of your files (and a clean installation) is in order.

- Bob (aka RLGSC)
You should do a repair install of the operating system, while it's not on a network. Once that's done, get it on the internet behind a firewall or router and get the latest security updates. Install anti-virus. Remove all unneeded accounts.

You should be able to restore from backup, but you don't know how long someone's been in your system, so a re-install will be needed. If you don't do backups, now is a good time to start.

And please remember that someone has your old administrator password so choose a new good one.
kkirt1 (Author) Commented:
Thanks for all of the comments.  We ended up hiring someone to reset it since I wasn't comfortable hacking into the sam file.  Thanks!