Posted on 2004-08-12
About 4 days ago I had a bunch of failure audits with Event ID 627 in my Security logs, as well as a few success audits with Event ID 642 saying "user account changed" for the administrator account. I am pretty sure this happened through remote access channels and/or using null sessions. I had an almost 128-bit-long passphrase for the administrator account, so it did not seem susceptible to a "dictionary" style attack or even a brute force attack unless somebody used a sniffer to monitor the traffic between my laptop and the server whenever I administered the server remotely through Windows RDP, and I did that quite often. All this happened even though I have a hardware and a software firewall.
I have completely reformatted the server (running Windows 2003 Enterprise) three times, disabled the null sessions/admin share in the registry, disabled NetBIOS, set "deny access to the computer from the network" in my security policies, and enabled port filtering.
My question is: How safe is it to use my Visual Studio solutions and project files, with code-behind and image files, that I copied from the server before I reformatted it? Also, can I use the SQL Server database that I backed up before I reformatted the server, and restore it on the newly built system? Is there any possibility that the attacker might have "embedded" some hidden files in my Visual Studio solutions and project files, as well as my SQL Server database, so that my copied VS solutions and the database backup are somehow "infected"? Will I need to completely rebuild my database from scratch, as well as my Visual Studio projects, on the newly built system instead of using the ones that I copied?
PS: On second thoughts, could this have been the MBSA I had used that day on the system that generated all these security log events? If that is true, then the whole reformatting was an exercise in futility! But why would MBSA try to change my administrator account (although it did have the username as "Administrator") when I had a terribly long and complex passphrase? Besides the POP3 accounts on the local system (these accounts do not have logon privileges on the local system), it also played with my Guest, SUPPORT, and ASP.NET accounts, although the first two were disabled. All the security log events with failure audits happened within 10 seconds and repeated again after three hours. I am not sure if I used the MBSA at the same time these log events were recorded. Confused.