Solved

Server login no longer works, workstations asking to verify credentials.

Posted on 2008-10-27
Last Modified: 2010-04-20
We have about seven computers that access their data from our central server. They all use and save data directly to the server hard drive. The server is just a Dell PC running Windows Server 2003. Last week one computer couldn't connect to the domain, so I logged into the server to troubleshoot. First off, I noticed some icons on the desktop called Mail Bomber along with other supporting files. I went to get Windows Defender just to run a sweep and had to restart the computer. After restarting I could no longer log in with my password, and I still cannot today. Most of the workstations can still access their files from the server, and I can log in as Admin from a workstation and look at the server's files. And now some of the workstations are asking to verify credentials "lock and unlock the computer"; I forget the whole message. I was able to get into the server through safe mode, but that's it. Two workstations are using the same login and two others share the same Admin login that I use for the server. Also, several shortcuts on the workstations have had their targets changed to random folders. I don't know what to do.
Question by:Jasnall
11 Comments
 
LVL 7

Expert Comment

by:Mikealcl
ID: 22815837
Did you check the domain roles? It would be a domain problem and not a client/server authentication problem.

Did you have anyone leave lately that would do something evil like this?  Sounds like you have end users logging in with admin passwords?
 
LVL 6

Expert Comment

by:Brainstormer
ID: 22816150
Sounds like you got hacked and they changed the login passwords on you.
 

Author Comment

by:Jasnall
ID: 22816215
Mike, yes, I have end users logging in with admin passwords. I did not set this network up but am working to get people off the admin login. And I can't check any domain roles as far as I know, because I can't log into the server.
Brain, my gut is telling me the same thing. The server has zero anti-virus/spyware software and is only connected to a simple Linksys router.
 
LVL 6

Expert Comment

by:Brainstormer
ID: 22816636
 
LVL 6

Expert Comment

by:Brainstormer
ID: 22816648
 
LVL 41

Expert Comment

by:graye
ID: 22816869
It's fairly obvious that you've got an infection of some sort.
I'd strongly recommend that you disconnect that server from the network and get some professional help. This is not a "do it yourself" fix; this is a job for someone who has experience in fixing infected PCs.
 
LVL 6

Expert Comment

by:Brainstormer
ID: 22816967
graye, I think the question author is the professional in this case based on his answers so far. It is correct to say though that once you recover the data it is recommended a full rebuild of the server/domain because it would be very difficult to undo the security holes.
 
LVL 7

Expert Comment

by:Mikealcl
ID: 22817797
I disagree on the rebuild for this one. Sounds like you have a small environment where security is not a legal concern.

It sounds like you have someone doing something they shouldn't. Reset the accounts, recover the data, remove accounts. Audit your AD for rogue accounts, check the services/processes and autostart registry keys, and watch your event log for authentication security hits. Should be fairly easy to do with the small number of users. When you're comfortable, create new accounts for the end users with the proper permission levels.

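The audit steps in the comment above (rogue AD accounts, services and autostart keys, authentication events), as an added PowerShell example that is not from the thread. It assumes PowerShell 2.0 or later on a domain-joined machine, run with domain admin rights, and uses ADSI rather than the ActiveDirectory module so it can query a Windows Server 2003 domain; the event IDs cover both the 2003-era and the Vista+ numbering.

```powershell
# Added triage script (not from the thread) for: audit AD for rogue accounts, check
# services and autostart keys, look for authentication hits in the Security log.
# Assumes PowerShell 2.0+ on a domain-joined machine with domain admin rights; ADSI only.
# 1. Enabled user accounts: creation date, last logon and group membership.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "whenCreated", "lastLogonTimestamp", "memberOf"))
$users = $searcher.FindAll() | ForEach-Object {
    $p = $_.Properties
    $last = $null
    if ($p["lastlogontimestamp"].Count -gt 0) { $last = [DateTime]::FromFileTime($p["lastlogontimestamp"][0]) }
    New-Object PSObject -Property @{
        Account   = [string]$p["samaccountname"][0]
        Created   = [DateTime]$p["whencreated"][0]
        LastLogon = $last
        Groups    = ($p["memberof"] | ForEach-Object { ($_ -split ",")[0] -replace "^CN=", "" }) -join ";"
    }
}
# Recently created or never-used accounts are the first ones to question in a small shop.
$users | Where-Object { $_.Created -gt (Get-Date).AddDays(-30) -or $_.LastLogon -eq $null } |
    Sort-Object Created | Format-Table Account, Created, LastLogon, Groups -AutoSize
# 2. Who currently holds Domain Admins membership.
$dn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$da = [ADSI]"LDAP://CN=Domain Admins,CN=Users,$dn"
"Domain Admins: " + (($da.member | ForEach-Object { ($_ -split ",")[0] -replace "^CN=", "" }) -join ", ")
# 3. Autostart registry keys: every value listed here should be recognisable.
foreach ($key in "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
                 "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
                 "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run") {
    if (Test-Path $key) {
        $k = Get-Item $key
        $k.GetValueNames() | ForEach-Object { "{0}\{1} = {2}" -f $key, $_, $k.GetValue($_) }
    }
}
# 4. Services whose binary lives outside the Windows directory.
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\' } |
    Format-Table Name, State, StartMode, PathName -AutoSize
# 5. Security log, last 14 days: failed logons, lockouts, account/password and group changes.
#    2003-era IDs: 529 bad password, 644 account locked out, 624 account created,
#    628 password set, 632/636 member added to group. Vista+: 4625, 4740, 4720, 4724, 4728, 4732.
$suspectIds = 529, 644, 624, 628, 632, 636, 4625, 4740, 4720, 4724, 4728, 4732
Get-EventLog -LogName Security -After (Get-Date).AddDays(-14) |
    Where-Object { $suspectIds -contains $_.EventID } |
    Group-Object EventID | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run it from an administrative PowerShell prompt on a domain-joined machine; section 3 only reads the local machine's keys, so repeat it on each workstation whose shortcuts were altered.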
 

Author Comment

by:Jasnall
ID: 22817843
I agree on the infection and was leaning toward a rebuild, but will try what Mikealcl recommended. Like I said, I was able to get in and back up the important data through safe mode. My biggest problem now is just logging in; I guess I'll have to do the password recovery linked above first? Then I need to go through and clean up the domain users; there are so many not in use and with incorrect permissions.
 
LVL 6

Accepted Solution

by:
Brainstormer earned 250 total points
ID: 22821361
It is very easy to try and fix what the issue is and move on, but if you get compromised again in a few hours, days or months then it's back to the same task. You don't know how it happened, that is the first thing you need to figure out. I have been involved in compromised server scenarios, and most experts will agree you need to start from scratch after you figure out what went wrong. It is a pain to do it, but you get a chance to do it right, and implement proper security so it does not happen again.

You can read about a similar hack here: http://msmvps.com/blogs/bradley/archive/2008/06/24/so-how-did-they-break-in.aspx

Here is another hacked server similar to yours: http://groups.google.com/group/microsoft.public.windows.server.security/browse_thread/thread/2b97afc79e0406f8

Whatever you do make sure you back up first!
 

Author Comment

by:Jasnall
ID: 22926276
We're gonna start from scratch, it needed to be redone anyway. We never were able to fix the problem, but we got a new server and will set that up properly.