Solved

Help!  It seems as if our Windows Server Machine has been hacked... Administrator Password Changed

Posted on 2004-04-20
Last Modified: 2010-04-26
I am running a Windows 2000 Server and until yesterday everything was fine.  I won't go into the details about why I didn't have a firewall or a good virus software installed but I don't.  Now when I try to log on to the machine the administrator account or password has been changed/disabled whatever.  Bottom line is I can't access the computer. It boots up fine and is running the web service but I can't get in.  There has to be a way to get in if the damn hackers did.  Any ideas?
Question by:kkirt1
7 Comments
 
LVL 67

Accepted Solution

by:
sirbounty earned 500 total points
ID: 10874270

To restore your system to the default Administrator with no password:
  Download a boot disk from here: http://www.bootdisk.com/bootdisk.htm
  Use the downloaded image to create the boot disk.  Then boot up your system from this disk.
  Now navigate to %systemroot%\system32\config on your hard drive,
  Rename sam.log (by typing REN SAM.LOG SAMLOG.ORG) and rename sam.exe (by typing REN SAM.EXE SAMEXE.ORG)
  Now when you boot up the password on your built-in administrator account will be blank (No password).
  This solution works only if your hard drive is FAT.

   ref: http://windows.about.com/library/tips/bltip115.htm

Also check this:
  http://www.winnetmag.com/Article/ArticleID/14729/14729.html
  http://www.thomasmathiesen.com/itak/html/software.html
0
 
LVL 9

Expert Comment

by:Jerry_Pang
ID: 10874504
I wonder if you could just do a restore point. Disadvantage is that you will lose some of the current configuration. Anyways, I found an interesting link. Just check it out.
I haven't tried this myself yet.
FROM http://www.petri.co.il/forgot_administrator_password.htm
How can I reset the administrator's password if I forgot it?
Free Tools
Free Windows password-cracking tools are usually Linux boot disks that have NT file system drivers and software that will read the registry and rewrite the password hashes for any account including the Administrators. This process requires physical access to the console and an available floppy drive but it works like a charm! I've done it myself several times with no glitch or problem whatsoever.

Here are three of these free tools:

Petter Nordahl-Hagen's Offline NT Password & Registry Editor
http://www.petri.co.il/forgot_administrator_password.htm#1

Openwall's John the Ripper
http://www.petri.co.il/forgot_administrator_password.htm#2

EBCD – Emergency Boot CD
http://www.petri.co.il/forgot_administrator_password.htm#3


In EE, I found this
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20728321.html

Found another link, seems to suggest Linux boot same as my first suggestion
I have forgotten my Windows 2000 or Windows XP administrator or user password. What do I do?
http://www.fas.harvard.edu/computing/kb/kb0747.html

It is a problem really, especially if it's NTFS
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10874513
Additional tools from this PAQ: http:Q_20348448.html
0
 
LVL 5

Expert Comment

by:mlynch24
ID: 10874550
I used this solution with positive results on W2K Pro/Svr and XPP.

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
0
 
LVL 8

Expert Comment

by:RLGSC
ID: 10874672
KKirt1,

IMPORTANT. Before doing anything, get a drive imaging program and image the drives onto spares.

Then experiment with the copy. It is VERY easy to accidentally make things worse. I seriously recommend getting someone with experience (or at least a good deal of patience and internals work) to work on this. I have encountered many situations where the severe damage has occurred in attempting to repair the damage.

If people are willing to do this type of work on a system without working on a copy, I would recommend not doing this.
Also, what is the state of your backups? Additionally, consider that the hacker may have been in the machine for an extended period. Careful examination of your files (and a clean installation) is in order.

- Bob (aka RLGSC)
0
 
LVL 9

Expert Comment

by:ChrisSchumann
ID: 10881360
You should do a repair install of the operating system, while it's not on a network. Once that's done, get it on the internet behind a firewall or router and get the latest security updates. Install anti-virus. Remove all unneeded accounts.

You should be able to restore from backup, but you don't know how long someone's been in your system, so a re-install will be needed. If you don't do backups, now is a good time to start.

And please remember that someone has your old administrator password so choose a new good one.
0
 

Author Comment

by:kkirt1
ID: 10905762
Thanks for all of the comments.  We ended up hiring someone to reset it since I wasn't comfortable hacking into the sam file.  Thanks!
0

Question has a verified solution.
