Possible Compromised Server

I have found several accounts randomly popping up in ADUC on one of my managed SBS 2003 boxes - I have changed the passwords & disabled these accounts (or deleted them if I know they are bogus). Also, lately this server has had strange operational problems, and is also having trouble sending mail to certain domains, so I fear that the box may be compromised and/or has been turned into a zombie! :-(

Question: Does anybody have any good (and free) tools I could use to determine if one of my servers has been compromised and/or is being controlled by an "outside" party?

1 Solution
There are a few ways.

One way is to perform an nmap scan on your server to see which ports are open.  You'll also want to see if your server is listed in any spam databases.  Go to: and type in the public IP of your mail server.  

You'll also want to check, immediately, which accounts have membership in ANY of your admin groups, and verify that they are supposed to be there.  Then, reset the passwords for those accounts and ensure you follow good password practices.  

Beyond that, also make sure you've got good, up to date anti-virus installed on the server, and run it.
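The membership check in the answer above can be scripted on a 2003-era domain controller, which has `net group` but no PowerShell. This is an added example, not code from the answer or the site; the group names are the standard privileged domain groups, the approved list and the sample `net group` output are constructed for illustration, and the output format (a dashed separator, whitespace-padded member columns, a closing "The command completed successfully." line) is what `net group` prints.

```python
"""Flag members of privileged domain groups that are not on an approved list.

Parses the output of `net group "<group>" /domain` (available on SBS 2003 without
PowerShell) and compares it with a maintained list of who should be there.
"""
import subprocess
from typing import Dict, List, Set

PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Schema Admins")

# Constructed approved list for the example; keep the real one outside the script.
APPROVED: Dict[str, Set[str]] = {
    "Domain Admins": {"Administrator", "jsmith"},
    "Enterprise Admins": {"Administrator"},
    "Schema Admins": {"Administrator"},
}

# Constructed sample of `net group "Domain Admins" /domain` output, for offline use.
SAMPLE_OUTPUT = """\
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            jsmith                   backupsvc
The command completed successfully.
"""


def parse_net_group(output: str) -> List[str]:
    """Extract member names: everything between the dashed line and the trailer.

    Members are printed in whitespace-padded columns, so splitting on whitespace
    works for normal account names (names containing spaces are not handled).
    """
    members, in_members = [], False
    for line in output.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if line.startswith("The command"):
            break
        if in_members and line.strip():
            members.extend(line.split())
    return members


def unexpected_members(group: str, members: List[str], approved: Dict[str, Set[str]]) -> List[str]:
    """Return members of `group` that are not on its approved list (case-insensitive)."""
    allowed = {m.lower() for m in approved.get(group, set())}
    return sorted(m for m in members if m.lower() not in allowed)


def audit(approved: Dict[str, Set[str]] = APPROVED) -> Dict[str, List[str]]:
    """Run `net group` for each privileged group and report unexpected members."""
    findings = {}
    for group in PRIVILEGED_GROUPS:
        out = subprocess.run(["net", "group", group, "/domain"], capture_output=True, text=True).stdout
        extra = unexpected_members(group, parse_net_group(out), approved)
        if extra:
            findings[group] = extra
    return findings
```

Any name reported by `audit()` is either a colleague's work you did not know about or the kind of rogue account the question describes; check the local Administrators group on member servers the same way with `net localgroup Administrators`.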
If accounts are being created and you are sure it was no other admin, your server is compromised, period. Restore it from a clean backup. I would not trust anything else.
The server sounds compromised; probably one or more of your clients as well. I will assume that you have an up-to-date anti-virus and firewall enabled on the server, which means that the backdoor or whatever came via one of the clients.

Save data on the server, scan it offline, reinstall from scratch. Keep all clients offline. Then offline-scan your clients to determine the source, and then connect clients and server to the network.

There is no need to reinstall, fix, or scan before you know what happened and how; but to determine this, keep the system offline (not on the net) to prevent further damage to systems and data.
Are you the only person maintaining this server? Some of my clients install application servers on their SBS and the application support people usually get the password out of them and start creating user accounts etc. Maybe you should check with your client who has access to the password or at the very least change it regularly.
Regarding not being able to send email to certain domains: this could mean the mail server has somehow been blacklisted. This happens when spam gets sent from the server to one of the many, many trap mailboxes out there, or when enough people have reported spam coming from the mail server. If you are sure nobody is spamming from your mail server, you can go here to test if your mail server has been blacklisted. Just put in your client's real IP address and hit enter. If you're not sure what the IP is, log on to the server's console and visit this website. If you are blacklisted, the good people who run the test for you also offer help getting you unlisted on their website.
Let me know if this helps. :)
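The blacklist test this answer (and the accepted solution) points at works by DNS: a DNS-based blocklist answers an A-record query for the reversed IP under its zone, and an answer inside 127.0.0.0/8 means "listed" while NXDOMAIN means "not listed". The script below, added here and not part of the page, does that lookup directly; the two zone names are a constructed selection of well-known lists, not something the answers name, and treating 127.255.255.0/24 answers as query errors is an assumption based on how some lists signal refused queries.

```python
"""Query DNS-based blocklists (DNSBLs) for a mail server's public IPv4 address.

Protocol: for IP a.b.c.d and zone Z, resolve d.c.b.a.Z. An A record in 127.0.0.0/8
means the address is listed; NXDOMAIN means it is not.
"""
import ipaddress
import socket
from typing import Dict, Optional

# Constructed selection of zones; use whichever lists the receiving domains consult.
DEFAULT_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

# Non-public ranges: DNSBLs list public addresses, so a private/loopback IP is a mistake.
_NON_PUBLIC = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                                   "192.168.0.0/16", "127.0.0.0/8")]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    if any(addr in net for net in _NON_PUBLIC):
        raise ValueError(f"{ip} is not a public address")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_answer(answer: Optional[str]) -> str:
    """Turn the A-record answer (or None for NXDOMAIN) into a verdict."""
    if answer is None:
        return "not listed"
    a = ipaddress.IPv4Address(answer)
    if a in ipaddress.IPv4Network("127.255.255.0/24"):
        # Assumption: some lists answer in this range to signal a refused/blocked query.
        return "query error"
    if a in ipaddress.IPv4Network("127.0.0.0/8"):
        return f"listed ({answer})"
    return f"unexpected answer {answer}"  # e.g. a wildcarding resolver; do not trust


def check_ip(ip: str, zones=DEFAULT_ZONES) -> Dict[str, str]:
    """Resolve the DNSBL name for each zone; gaierror is treated as NXDOMAIN."""
    results = {}
    for zone in zones:
        try:
            answer: Optional[str] = socket.gethostbyname(dnsbl_query_name(ip, zone))
        except socket.gaierror:
            answer = None
        results[zone] = interpret_answer(answer)
    return results


if __name__ == "__main__":
    import sys
    for zone, verdict in check_ip(sys.argv[1]).items():
        print(f"{zone:24} {verdict}")
```

Run it from a host whose resolver can reach the internet and pass the mail server's public IP; a "listed" verdict explains bounced mail to the domains using that list, and a "query error" or "unexpected answer" means the result cannot be trusted.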
Most likely these issues are not correlated. To gain front-end access to a machine, they have to go through firewalls and hack Kerberos authentication, and do this while not being detected by an AV program.

To do this is near impossible, even for a master hacker. Kerberos is a very strong authentication protocol in comparison to LM hash and NTLM hash. Capitalization matters, Kerberos can use special characters, and unlike NTLM hash and LM hash, a hacker has to hack each individual character of the password.

The only effective means to do this is to put a keylogger and trojan horse on your computer to monitor your keystrokes. With an up-to-date AV program, that's near impossible. To brute force hack out the password is a waste of time for a spammer. They have more "productive" means to hose you up.
Though I do agree you might be blacklisted, and that is why you are not getting mail in<->out as you should, I don't think your operational problems are related. Most likely this blacklist comes from a compromised open relay agent for mail (a spammer's gold mine).
A while back I deleted users in ADUC that I felt didn't exist. One of them was a built-in account for Terminal Services. The username was TSInternetUser. This account was needed for Terminal Services. What a mistake that was. So, be careful about what you delete as far as usernames and passwords. Problems with email and operations could easily come from deleting the built-in "User" accounts for services, like Terminal Services. If you remember what user accounts you already deleted, you might want to post those here.

NOTE: (One of the issues below is where I think your problems lie)
Another issue that could cause both problems is intermittent communications on the NIC. There are things that can cause intermittent comms. One is SP1 on the machine. If you are running SP1, then you should consider upgrading to SP2. A second thing that causes intermittent comms on the server is the preferred DNS server list. Make sure you only have your "internal" DNS servers listed as your preferred DNS server. DO NOT use the gateway/router as a preferred DNS server. Gateways/routers don't hold the SRV records you need to communicate with AD.
Now, on to checking for malware and help fix your operational problems:

Well, let's start by checking for trojans and keyloggers and determine if you had a "strong" password for the mail administrator/domain admin. That will nix the possibility that you had a brute-force attack on your server. To do so, I like to check for running processes in the background. There is a free executable program that is perfect for this. It is called HijackThis. This lists all processes running in the background, and you can paste that on a website to see how viewers in the past have rated each process. The reason I like this program so much is because it is an executable that does not interfere with your installed AV and AS programs.

Run HijackThis and post it on this website:
**HijackThis download site:
**Then, you can copy and paste your results on this page to evaluate it automatically:

For performance:
If you are using SP1, consider updating to SP2.
Check your preferred DNS servers on the NICs. For DHCP clients, go to the DHCP snap-in and expand it until you see a folder called "Scope Options". Open that up and make sure that your Microsoft DNS servers are listed as DNS servers (NO gateways/routers or any other nodes). On the router, make sure the list of DNS servers is your DNS server. On fixed-IP NICs, go to Network Connection >> Properties >> TCP/IP >> Properties and remove any preferred or alternate DNS servers that are not your DNS servers.
