Solved

Unknown User Account with Administrative Privilege!

Posted on 2006-10-21
8
460 Views
Last Modified: 2012-08-14
I just found an unknown user account called admin that belongs to the administrative group. It seems like someone has got into my server and created the account.

I am the only user and I use remote desktop to access my server most of the time. The password I use was quite lengthy, about 15 alphanumeric characters.

My question is,

1) How did he break into my server and create a new user?
2) I have deleted the unknown account, changed my password and restarted the server. What should I do to further secure the server?
0
Question by:edwardkoo
8 Comments
 
LVL 10

Expert Comment

by:victornegri
ID: 17780740
You can enable logging to track Account Management Successes and Failures to see if someone creates another account without your knowledge. You should also check for Logon Events to see if someone is attempting to crack a password.
0
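As an added example (not part of victornegri's comment), here is how the auditing he recommends can be switched on and then queried on the server itself. It assumes Windows Server 2008 or later, where auditpol and Get-WinEvent exist and the event IDs are 4720/4732/4625; the 2003-era event IDs differ. Run it from an elevated PowerShell prompt.

```powershell
# Added example: enable account-management and logon auditing, then review
# the Security log for the events that would have exposed the rogue account.
# Assumes Windows Server 2008+ (auditpol, Get-WinEvent); run as Administrator.

# 1. Audit account management, group membership changes and logons (success + failure).
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Helper: pull a named field out of an event's EventData (indices differ per event ID,
# so we look the field up by name instead of by position).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddDays(-30)

# 2. Who created accounts (4720) or added members to a local group such as
#    Administrators (4732) in the last 30 days, and from which logged-on identity?
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Event  = $_.Id
            Actor  = Get-EventField $_ 'SubjectUserName'
            # 4720: the new account; 4732: the group that received a new member
            Target = Get-EventField $_ 'TargetUserName'
            Member = if ($_.Id -eq 4732) { Get-EventField $_ 'MemberName' } else { '' }
        }
    } | Format-Table -AutoSize

# 3. Failed logons (4625) grouped by source address: a long tail of failures from one
#    address is the password-guessing pattern victornegri suggests looking for.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventField $_ 'IpAddress' } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

A 4720 whose Actor is not your own account, or a 4732 on the Administrators group you did not perform, is exactly the event the original poster was missing.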
 
LVL 9

Expert Comment

by:binary_1001010
ID: 17780755
you should reset your password to a more complex one, a non-dictionary word with a combination of lower case, upper case and numbers.

you should install all the latest patches.

you should also at least install anti-virus/firewall software if you don't have a budget to purchase a hardware one.
0
 
LVL 5

Expert Comment

by:hbz
ID: 17781022

You should at least try to do some virus / trojan / rootkit scans, examine the registry, etc., but...

VERY IMPORTANT: You will never be able to be sure that the server is clean.  Some attacks can be completely hidden.  From here on out, you must assume that your machine has been hacked.  

If you are uncomfortable with this fact, move all data off the server, and set up a new one.  Then do forensics on the old hard drive (same scans as above, but anything that was hidden before will be more likely to show up).

I have gone through this scenario before, unfortunately.  The attacker likely got in through other unpatched / vulnerable services running on your machine (IIS, SQL, mail, etc).

-- hbz
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17782828
there isn't much more that you can do..... if you have deleted the account and changed your passwords then that's it. The account may have been created years ago..... enable auditing and download the account lockout tools from MS.
0
 
LVL 5

Expert Comment

by:Christophermagee
ID: 17786401
Another possibility is that it was created when you were not at your desk. You might have already been logged into the server so your password would not be needed, or they could have loaded something like a keylogger to obtain the password.
0
 

Author Comment

by:edwardkoo
ID: 17786678
I have done the virus / trojan / rootkit scans and found nothing so far.

The server is a rented dedicated server which I only access via remote desktop occasionally, like when a new Windows patch is available, etc. It runs Apache, PHP, MySQL, MailEnable, encrypted FTP and that's it.

The password I use is 15 alphanumeric characters so I don't think he managed to crack it, can he? And the keylogger would have to be loaded on the PC that I use remote desktop from, right? Is a typical Windows server too vulnerable or are hackers too good nowadays? And I can't figure out why a good hacker would want to hack my server in the first place.

It frustrates me that I don't know which part of the server has security holes now...
0
 
LVL 5

Accepted Solution

by: hbz (earned 500 total points)
ID: 17790174

It's unlikely that it's your password.  I bet it's MailEnable. Are you running Professional or Enterprise?  Which version?  If you look on their site, you'll see some recent vulnerabilities (and hotfixes).  Some of these are exploited by automated tools.

-- hbz
0
 

Author Comment

by:edwardkoo
ID: 17800799
Yeah, it seems MailEnable is the most likely.
Thank you all for the comments.
0