Solved

Password reset itself on its own

Posted on 2007-12-04
10
535 Views
Last Modified: 2008-02-01
I am in a school district that has approx 5 servers running Server 2003. All of the servers at the same time on the same day reset their administrator passwords to 123, which I assume is the default password.
There are only 2 of us in the entire network that would know how to do this at all, and neither of us did it obviuosly.
Sounds like a virus to me, but was wondering if there was something that you guys have seen. I am not a server expert by any means.
0
Comment
Question by:RefugioISD
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
10 Comments
 
LVL 2

Accepted Solution

by:
curryajax earned 500 total points
ID: 20404889
There isn't a default password in server 2003.  If they are all on the same domain and you change the password for the administrator, it will change on all of the servers.  Sounds like somebody reset the password, or perhaps you have a password policy that insists you change the password every month or so and someone just punched in 123?
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 20405035
It sounds like you are referring to the local server Administrator accounts. If this is the case you may have a serious security problem. You will want to look at all the running processes and verify them. Run an full AV scan on all of the servers and get a good rootkit revealer. Check the system registries for run and runonce entries, etc .... basically a full security audit.
Unfortunately, schools tend to be a playground for wanna-be hackers.
0
 

Author Comment

by:RefugioISD
ID: 20405106
On the same subject, when I try to remote in using Remote Desktop Connection, I now get this error..."The remote session was disconnected becasue the local computer's client access license could not be upgraded or renewed. Please contact the server administrator."
This happened at the same time as the password reset.

curryajax - I agree that it looks like someone changed it, but no one here as a clue on how to do that except me.
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 4

Expert Comment

by:oldPCguy
ID: 20405208
Everyone that logs onto your network is a potential security threat - no matter what their knowledge level. All it takes is for someone to click a malicious web link and click yes a few times.

As far as the TS error: check out ....
http://technet2.microsoft.com/windowsserver/en/library/159e6ff8-4edb-43fd-8767-3d9858897e2c1033.mspx?mfr=true
0
 
LVL 2

Expert Comment

by:curryajax
ID: 20405233
On the remote desktop, what mode is the terminal server set to?  Per device or per cal?  If the mode is set to something different than the licensing server, it will only issue temporary licenses.

As for the password, if it's the local account then I agree with oldPCguy.  Is it a grade school?  If it's junior high or above, then I'm sure most of the kids know more about 2003 than microsoft.
0
 
LVL 2

Expert Comment

by:curryajax
ID: 20405244
0
 

Author Comment

by:RefugioISD
ID: 20405300
Im a little confused on what thing. I am talking about the District Wide administrator password. I do not know of a local password for each server box, just the domain password for the administartor.
0
 
LVL 10

Expert Comment

by:3_S
ID: 20405473
Check to see if there has been added a user to the domain admins group of your domain. If someone managed to get in that group he can change the domain administrator password. (with some kind of script or interactive)
0
 
LVL 2

Expert Comment

by:jdewaard
ID: 20407307
Are you in a domain environment or are they all just member servers?  If you are in a domain environment, are there multiple domain controllers?  Are the passwords changing consistently?  Like every Monday at 2:00 or something.

0
 
LVL 2

Expert Comment

by:jdewaard
ID: 20407341
Oh nm I guess I should have read all posts.  Check your task scheduler for any suspicious batch files.  I know that it's possible to use the netdom command to change the admin password from the command prompt.  Someone could create a batch file that changes the password and then set it to run every week or month or whatever.  
0

Featured Post

How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Know what services you can and cannot, should and should not combine on your server.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question