Password reset itself on its own

I am in a school district that has approx 5 servers running Server 2003. All of the servers at the same time on the same day reset their administrator passwords to 123, which I assume is the default password.
There are only 2 of us in the entire network that would know how to do this at all, and neither of us did it obviuosly.
Sounds like a virus to me, but was wondering if there was something that you guys have seen. I am not a server expert by any means.
RefugioISDAsked:
Who is Participating?
 
curryajaxConnect With a Mentor Commented:
There isn't a default password in server 2003.  If they are all on the same domain and you change the password for the administrator, it will change on all of the servers.  Sounds like somebody reset the password, or perhaps you have a password policy that insists you change the password every month or so and someone just punched in 123?
0
 
oldPCguyCommented:
It sounds like you are referring to the local server Administrator accounts. If this is the case you may have a serious security problem. You will want to look at all the running processes and verify them. Run an full AV scan on all of the servers and get a good rootkit revealer. Check the system registries for run and runonce entries, etc .... basically a full security audit.
Unfortunately, schools tend to be a playground for wanna-be hackers.
0
 
RefugioISDAuthor Commented:
On the same subject, when I try to remote in using Remote Desktop Connection, I now get this error..."The remote session was disconnected becasue the local computer's client access license could not be upgraded or renewed. Please contact the server administrator."
This happened at the same time as the password reset.

curryajax - I agree that it looks like someone changed it, but no one here as a clue on how to do that except me.
0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

 
oldPCguyCommented:
Everyone that logs onto your network is a potential security threat - no matter what their knowledge level. All it takes is for someone to click a malicious web link and click yes a few times.

As far as the TS error: check out ....
http://technet2.microsoft.com/windowsserver/en/library/159e6ff8-4edb-43fd-8767-3d9858897e2c1033.mspx?mfr=true
0
 
curryajaxCommented:
On the remote desktop, what mode is the terminal server set to?  Per device or per cal?  If the mode is set to something different than the licensing server, it will only issue temporary licenses.

As for the password, if it's the local account then I agree with oldPCguy.  Is it a grade school?  If it's junior high or above, then I'm sure most of the kids know more about 2003 than microsoft.
0
 
RefugioISDAuthor Commented:
Im a little confused on what thing. I am talking about the District Wide administrator password. I do not know of a local password for each server box, just the domain password for the administartor.
0
 
3_SCommented:
Check to see if there has been added a user to the domain admins group of your domain. If someone managed to get in that group he can change the domain administrator password. (with some kind of script or interactive)
0
 
jdewaardCommented:
Are you in a domain environment or are they all just member servers?  If you are in a domain environment, are there multiple domain controllers?  Are the passwords changing consistently?  Like every Monday at 2:00 or something.

0
 
jdewaardCommented:
Oh nm I guess I should have read all posts.  Check your task scheduler for any suspicious batch files.  I know that it's possible to use the netdom command to change the admin password from the command prompt.  Someone could create a batch file that changes the password and then set it to run every week or month or whatever.  
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.