Solved

Password reset itself on its own

Posted on 2007-12-04
10
493 Views
Last Modified: 2008-02-01
I am in a school district that has approx 5 servers running Server 2003. All of the servers at the same time on the same day reset their administrator passwords to 123, which I assume is the default password.
There are only 2 of us in the entire network that would know how to do this at all, and neither of us did it obviuosly.
Sounds like a virus to me, but was wondering if there was something that you guys have seen. I am not a server expert by any means.
0
Comment
Question by:RefugioISD
  • 3
  • 2
  • 2
  • +2
10 Comments
 
LVL 2

Accepted Solution

by:
curryajax earned 500 total points
ID: 20404889
There isn't a default password in server 2003.  If they are all on the same domain and you change the password for the administrator, it will change on all of the servers.  Sounds like somebody reset the password, or perhaps you have a password policy that insists you change the password every month or so and someone just punched in 123?
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 20405035
It sounds like you are referring to the local server Administrator accounts. If this is the case you may have a serious security problem. You will want to look at all the running processes and verify them. Run an full AV scan on all of the servers and get a good rootkit revealer. Check the system registries for run and runonce entries, etc .... basically a full security audit.
Unfortunately, schools tend to be a playground for wanna-be hackers.
0
 

Author Comment

by:RefugioISD
ID: 20405106
On the same subject, when I try to remote in using Remote Desktop Connection, I now get this error..."The remote session was disconnected becasue the local computer's client access license could not be upgraded or renewed. Please contact the server administrator."
This happened at the same time as the password reset.

curryajax - I agree that it looks like someone changed it, but no one here as a clue on how to do that except me.
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 20405208
Everyone that logs onto your network is a potential security threat - no matter what their knowledge level. All it takes is for someone to click a malicious web link and click yes a few times.

As far as the TS error: check out ....
http://technet2.microsoft.com/windowsserver/en/library/159e6ff8-4edb-43fd-8767-3d9858897e2c1033.mspx?mfr=true
0
 
LVL 2

Expert Comment

by:curryajax
ID: 20405233
On the remote desktop, what mode is the terminal server set to?  Per device or per cal?  If the mode is set to something different than the licensing server, it will only issue temporary licenses.

As for the password, if it's the local account then I agree with oldPCguy.  Is it a grade school?  If it's junior high or above, then I'm sure most of the kids know more about 2003 than microsoft.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 2

Expert Comment

by:curryajax
ID: 20405244
0
 

Author Comment

by:RefugioISD
ID: 20405300
Im a little confused on what thing. I am talking about the District Wide administrator password. I do not know of a local password for each server box, just the domain password for the administartor.
0
 
LVL 10

Expert Comment

by:3_S
ID: 20405473
Check to see if there has been added a user to the domain admins group of your domain. If someone managed to get in that group he can change the domain administrator password. (with some kind of script or interactive)
0
 
LVL 2

Expert Comment

by:jdewaard
ID: 20407307
Are you in a domain environment or are they all just member servers?  If you are in a domain environment, are there multiple domain controllers?  Are the passwords changing consistently?  Like every Monday at 2:00 or something.

0
 
LVL 2

Expert Comment

by:jdewaard
ID: 20407341
Oh nm I guess I should have read all posts.  Check your task scheduler for any suspicious batch files.  I know that it's possible to use the netdom command to change the admin password from the command prompt.  Someone could create a batch file that changes the password and then set it to run every week or month or whatever.  
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

The password reset disk is often mentioned as the best solution to deal with the lost Windows password problem. In Windows 2008, 7, Vista and XP, a password reset disk can be easily created. But besides Windows 7/Vista/XP, Windows Server 2008 and ot…
Know what services you can and cannot, should and should not combine on your server.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now