Solved

Unknown User Account with Administrative Privilege!

Posted on 2006-10-21
8
Medium Priority
476 Views
Last Modified: 2012-08-14
I just found an unknown user account called admin that belongs to the administrative group. Seems like someone has got into my server and created the account.

I am the only user and I use remote desktop to access my server most of the time. The password I use was quite lengthy, about 15 alphanumeric characters.

My questions are:

1) How did he break into my server and create a new user?
2) I have deleted the unknown account, changed my password and restarted the server. What should I do to further secure the server?
Question by:edwardkoo
8 Comments
 
LVL 10

Expert Comment

by:victornegri
ID: 17780740
You can enable logging to track Account Management Successes and Failures to see if someone creates another account without your knowledge. You should also check for Logon Events to see if someone is attempting to crack a password.
0
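To show what the auditing suggested above actually yields, here is an added example that is not part of the thread: a small Python triage script run over constructed Security log lines in the shape of a Windows Server 2003 export. On Server 2003 the Account Management and Logon Events audit categories are switched on under Local Security Policy > Audit Policy, and the resulting event IDs are 624 (user account created), 636 (member added to a security-enabled local group), 528 (successful logon) and 529 (logon failure); Vista and later renumbered these to 4720, 4732, 4624 and 4625. The account names, workstation names and timestamps in the sample are made up, and the pipe-separated line layout is an assumption for the example rather than any tool's native export format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pre-Vista (Windows Server 2003) Security log event IDs
ACCOUNT_CREATED = 624
LOCAL_GROUP_MEMBER_ADDED = 636
LOGON_SUCCESS = 528
LOGON_FAILURE = 529

# Groups whose membership changes should always be reviewed
PRIVILEGED_GROUPS = {"Administrators"}

# Constructed sample export: "timestamp|event_id|message". The names and
# times are invented; only the event IDs and field labels follow Windows.
SAMPLE_LOG = """\
2006-10-20 02:11:03|529|Logon Failure: User Name: administrator Source Workstation: WKS-NONE
2006-10-20 02:11:05|529|Logon Failure: User Name: administrator Source Workstation: WKS-NONE
2006-10-20 02:11:06|529|Logon Failure: User Name: admin Source Workstation: WKS-NONE
2006-10-20 02:11:08|529|Logon Failure: User Name: root Source Workstation: WKS-NONE
2006-10-20 02:11:09|529|Logon Failure: User Name: test Source Workstation: WKS-NONE
2006-10-20 02:11:11|529|Logon Failure: User Name: administrator Source Workstation: WKS-NONE
2006-10-20 18:40:12|529|Logon Failure: User Name: edwardkoo Source Workstation: HOME-PC
2006-10-20 18:40:30|528|Successful Logon: User Name: edwardkoo Logon Type: 10 Source Workstation: HOME-PC
2006-10-21 03:02:17|624|User Account Created: New Account Name: admin Caller User Name: SYSTEM
2006-10-21 03:02:18|636|Security Enabled Local Group Member Added: Member Name: admin Target Account Name: Administrators
"""


def parse_log(text):
    """Turn the pipe-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, message = line.split("|", 2)
        events.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id),
            "message": message,
        })
    return events


def _field(message, label):
    """Extract the single-token value following 'Label: ' in an event message."""
    m = re.search(re.escape(label) + r": (\S+)", message)
    return m.group(1) if m else None


def account_management_alerts(events, known_accounts):
    """Flag creation of accounts you did not create and any addition to a
    privileged group. Returns (time, reason, account) tuples."""
    alerts = []
    for ev in events:
        if ev["id"] == ACCOUNT_CREATED:
            name = _field(ev["message"], "New Account Name")
            if name not in known_accounts:
                alerts.append((ev["time"], "account created", name))
        elif ev["id"] == LOCAL_GROUP_MEMBER_ADDED:
            group = _field(ev["message"], "Target Account Name")
            member = _field(ev["message"], "Member Name")
            if group in PRIVILEGED_GROUPS:
                alerts.append((ev["time"], f"added to {group}", member))
    return alerts


def logon_failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_workstation: peak_count} for every source that produced
    at least `threshold` logon failures inside any sliding `window`.
    A single mistyped password (HOME-PC below) stays under the threshold."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["id"] == LOGON_FAILURE:
            by_source[_field(ev["message"], "Source Workstation")].append(ev["time"])
    bursts = {}
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[source] = max(bursts.get(source, 0), count)
    return bursts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for when, reason, who in account_management_alerts(evs, {"edwardkoo"}):
        print(f"{when}  {reason}: {who}")
    for src, n in logon_failure_bursts(evs).items():
        print(f"password guessing from {src}: {n} failures in 5 minutes")
```

Run against the sample, the script reports the creation of `admin` and its addition to Administrators (the exact pair of events the question describes) and a six-failure burst from one workstation, which is what the account-lockout tools mentioned later in the thread are meant to cut short. The `known_accounts` allowlist is the important knob: on a single-user server every 624 is suspicious unless it is yours.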
 
LVL 9

Expert Comment

by:binary_1001010
ID: 17780755
you should reset your password to a more complex one, a non-dictionary word with a combination of lower case, upper case and numbers.

you should install all the latest patches.

you should also at least install anti-virus/firewall software if you don't have a budget to purchase a hardware one.
0
 
LVL 5

Expert Comment

by:hbz
ID: 17781022

You should at least try to do some virus / trojan /rootkit scans, examining the registry, etc, but...

VERY IMPORTANT: You will never be able to be sure that the server is clean.  Some attacks can be completely hidden.  From here on out, you must assume that your machine has been hacked.  

If you are uncomfortable with this fact, move all data off the server, and set up a new one.  Then do forensics on the old hard drive (same scans as above, but anything that was hidden before will be more likely to show up).

I have gone through this scenario before, unfortunately.  The attacker likely got in through other unpatched / vulnerable services running on your machine (IIS, SQL, mail, etc).

-- hbz
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17782828
there isn't much more that you can do.....if you have deleted the account and changed your passwords then that's it. the account may have been created years ago.....enable auditing and download the account lockout tools from MS.
0
 
LVL 5

Expert Comment

by:Christophermagee
ID: 17786401
Another possibility is that it was created when you were not at your desk. You might have already been logged into the server so your password would not be needed, or they could have loaded something like a keylogger to obtain the password.
0
 

Author Comment

by:edwardkoo
ID: 17786678
I have done the virus / trojan / rootkit scans and found nothing so far.

The server is a rented dedicated server where I only access it via remote desktop occasionally, like when a new Windows patch is available, etc. It runs Apache, PHP, MySQL, MailEnable, encrypted FTP and that's it.

The password I use is 15 alphanumeric characters, so I don't think he managed to crack it, can he? And the keylogger has to be loaded on the PC that I use remote desktop from, right? Is a typical Windows server too vulnerable, or are hackers too good nowadays? And I can't figure out why a good hacker would want to hack my server in the first place.

It frustrates me that I don't know which part of the server has security holes now...
0
 
LVL 5

Accepted Solution

by: hbz earned 1500 total points
ID: 17790174

It's unlikely that it's your password.  I bet it's MailEnable. Are you running Professional or Enterprise?  Which version?  If you look on their site, you'll see some recent vulnerabilities (and hotfixes).  Some of these are exploited by automated tools.

-- hbz
0
 

Author Comment

by:edwardkoo
ID: 17800799
Yeah, seems MailEnable is the most likely.
Thank you all for the comments.
0
