Solved

Password reset itself on its own

Posted on 2007-12-04
10
503 Views
Last Modified: 2008-02-01
I am in a school district that has approx 5 servers running Server 2003. All of the servers at the same time on the same day reset their administrator passwords to 123, which I assume is the default password.
There are only 2 of us in the entire network that would know how to do this at all, and neither of us did it obviuosly.
Sounds like a virus to me, but was wondering if there was something that you guys have seen. I am not a server expert by any means.
0
Comment
Question by:RefugioISD
  • 3
  • 2
  • 2
  • +2
10 Comments
 
LVL 2

Accepted Solution

by:
curryajax earned 500 total points
ID: 20404889
There isn't a default password in server 2003.  If they are all on the same domain and you change the password for the administrator, it will change on all of the servers.  Sounds like somebody reset the password, or perhaps you have a password policy that insists you change the password every month or so and someone just punched in 123?
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 20405035
It sounds like you are referring to the local server Administrator accounts. If this is the case you may have a serious security problem. You will want to look at all the running processes and verify them. Run an full AV scan on all of the servers and get a good rootkit revealer. Check the system registries for run and runonce entries, etc .... basically a full security audit.
Unfortunately, schools tend to be a playground for wanna-be hackers.
0
 

Author Comment

by:RefugioISD
ID: 20405106
On the same subject, when I try to remote in using Remote Desktop Connection, I now get this error..."The remote session was disconnected becasue the local computer's client access license could not be upgraded or renewed. Please contact the server administrator."
This happened at the same time as the password reset.

curryajax - I agree that it looks like someone changed it, but no one here as a clue on how to do that except me.
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 20405208
Everyone that logs onto your network is a potential security threat - no matter what their knowledge level. All it takes is for someone to click a malicious web link and click yes a few times.

As far as the TS error: check out ....
http://technet2.microsoft.com/windowsserver/en/library/159e6ff8-4edb-43fd-8767-3d9858897e2c1033.mspx?mfr=true
0
 
LVL 2

Expert Comment

by:curryajax
ID: 20405233
On the remote desktop, what mode is the terminal server set to?  Per device or per cal?  If the mode is set to something different than the licensing server, it will only issue temporary licenses.

As for the password, if it's the local account then I agree with oldPCguy.  Is it a grade school?  If it's junior high or above, then I'm sure most of the kids know more about 2003 than microsoft.
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 2

Expert Comment

by:curryajax
ID: 20405244
0
 

Author Comment

by:RefugioISD
ID: 20405300
Im a little confused on what thing. I am talking about the District Wide administrator password. I do not know of a local password for each server box, just the domain password for the administartor.
0
 
LVL 10

Expert Comment

by:3_S
ID: 20405473
Check to see if there has been added a user to the domain admins group of your domain. If someone managed to get in that group he can change the domain administrator password. (with some kind of script or interactive)
0
 
LVL 2

Expert Comment

by:jdewaard
ID: 20407307
Are you in a domain environment or are they all just member servers?  If you are in a domain environment, are there multiple domain controllers?  Are the passwords changing consistently?  Like every Monday at 2:00 or something.

0
 
LVL 2

Expert Comment

by:jdewaard
ID: 20407341
Oh nm I guess I should have read all posts.  Check your task scheduler for any suspicious batch files.  I know that it's possible to use the netdom command to change the admin password from the command prompt.  Someone could create a batch file that changes the password and then set it to run every week or month or whatever.  
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn about cloud computing and its benefits for small business owners.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now