Solved

Server login no longer works, workstations asking to verify credentials.

Posted on 2008-10-27
425 Views
Last Modified: 2010-04-20
We have about seven computers that access their data from our central server. They all use and save data directly to the server hard drive. The server is just a Dell PC running Windows Server 2003. Last week one comp couldn't connect to the domain so I logged into the server to troubleshoot. First off I noticed some icons on the desktop called Mail Bomber along with other supporting files. I went to get Windows Defender just to run a sweep and had to restart the computer. After restarting I could no longer log in with my password, and I still cannot today. Most of the workstations can still access their files from the server, and I can log in as Admin from a workstation and look at the server's files. And now some of the workstations are asking to verify credentials ("lock and unlock the computer", I forget the whole message). I was able to get in to the server through safe mode but that's it. 2 workstations are using the same login and 2 others share the same Admin login that I use for the server. Also several shortcuts on the workstations have had their target changed to random folders. I don't know what to do.
0
Question by:Jasnall
11 Comments
 
LVL 7

Expert Comment

by:Mikealcl
ID: 22815837
Did you check the domain roles?  It would be a domain problem and not a client/server authentication problem.

Did you have anyone leave lately that would do something evil like this?  Sounds like you have end users logging in with admin passwords?
0
 
LVL 6

Expert Comment

by:Brainstormer
ID: 22816150
Sounds like you got hacked and they changed the login passwords on you.
0
 

Author Comment

by:Jasnall
ID: 22816215
Mike, yes, I have end users logging in with admin passwords. I did not set this network up but am working to get people off the admin login. And I can't check any domain roles as far as I know because I can't log into the server.
Brain, my gut is telling me the same thing. The server has zero anti-virus/spyware software and is only connected to a simple Linksys router.
0

 
LVL 41

Expert Comment

by:graye
ID: 22816869
It's fairly obvious that you've got an infection of some sort.
I'd strongly recommend that you disconnect that server from the network and get some professional help.   This is not a "do it yourself" fix... this is a job for someone who has experience in fixing infected PCs.
0
 
LVL 6

Expert Comment

by:Brainstormer
ID: 22816967
graye, I think the question author is the professional in this case based on his answers so far. It is correct to say, though, that once you recover the data a full rebuild of the server/domain is recommended because it would be very difficult to undo the security holes.
0
 
LVL 7

Expert Comment

by:Mikealcl
ID: 22817797
I disagree on the rebuild for this one.  Sounds like you have a small environment where security is not a legal concern.

It sounds like you have someone doing something they shouldn't.  Reset the accounts, recover the data, remove accounts.  Audit your AD for rogue accounts, check the services/processes and autostart registry keys, and watch your event log for authentication security hits.  Should be fairly easy to do with the small number of users.  When you're comfortable, create new accounts for the end users with the proper permission levels.

0
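As an added example, not code from this thread or from any of the posters, the following read-only triage script walks the checks Mikealcl lists above (audit AD for rogue accounts, check autostart keys and services, review authentication events). It assumes it runs on the Windows Server 2003 domain controller under a domain admin account with PowerShell 1.0 installed, and that the 14-day cutoff is adjusted to when the trouble started; the event IDs are the Server 2003 numbers.

```powershell
# Added example (not from the thread): read-only triage for a suspected
# compromised Server 2003 domain controller. Changes nothing; review the
# output before resetting or removing any account.
$cutoff = (Get-Date).AddDays(-14)   # assumption: roughly when the trouble began

# 1. Audit AD user accounts: flag ones created after the cutoff or never logged on.
$ds = New-Object System.DirectoryServices.DirectorySearcher
$ds.Filter = "(&(objectCategory=person)(objectClass=user))"
$ds.PageSize = 500
foreach ($r in $ds.FindAll()) {
    $p = $r.Properties
    $name = $p["samaccountname"][0]
    $created = [datetime]$p["whencreated"][0]
    $disabled = ([int]$p["useraccountcontrol"][0] -band 2) -ne 0   # UAC bit 2 = ACCOUNTDISABLE
    $last = "never"
    if ($p["lastlogontimestamp"].Count -gt 0) {                     # attribute needs 2003 forest level
        $last = [datetime]::FromFileTime([int64]$p["lastlogontimestamp"][0])
    }
    $flag = ""
    if ($created -gt $cutoff) { $flag = "NEW" }
    elseif (-not $disabled -and $last -eq "never") { $flag = "UNUSED" }
    "{0,-22} created={1:yyyy-MM-dd} lastlogon={2} disabled={3} {4}" -f $name, $created, $last, $disabled, $flag
}

# 2. Autostart registry keys: every value here launches at boot or logon.
$runKeys = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
           "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
           "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $key = Get-Item $k
        foreach ($n in $key.GetValueNames()) { "{0}\{1} = {2}" -f $k, $n, $key.GetValue($n) }
    }
}

# 3. Services whose binary lives outside the Windows directory deserve a second look.
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -notmatch [regex]::Escape($env:SystemRoot) } |
    ForEach-Object { "{0,-30} {1,-8} {2,-6} {3}" -f $_.Name, $_.State, $_.StartMode, $_.PathName }

# 4. Security log: 529 = failed logon, 624 = account created, 628 = password set,
#    632/636 = member added to a global/local group (Server 2003 event IDs).
$ids = 529, 624, 628, 632, 636
Get-EventLog Security -Newest 20000 |
    Where-Object { $_.TimeGenerated -gt $cutoff -and $ids -contains $_.EventID } |
    Group-Object EventID |
    ForEach-Object { "Event {0}: {1} entries since {2:yyyy-MM-dd}" -f $_.Name, $_.Count, $cutoff }
```

Run it from the safe-mode session that still works and save the output off the box; any account, Run value or service you cannot explain is a candidate for removal once the data is backed up.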
 

Author Comment

by:Jasnall
ID: 22817843
I agree on the infection and was leaning toward a rebuild, but will try what Mikealcl recommended. Like I said, I was able to get in and back up the important data through safe mode. My biggest problem now is just logging in, I guess I'll have to do the password recovery linked above first? Then I need to go through and clean up the domain users, there are so many not in use and with incorrect permissions.
0
 
LVL 6

Accepted Solution

by:Brainstormer (earned 250 total points)
ID: 22821361
It is very easy to try and fix what the issue is and move on, but if you get compromised again in a few hours, days or months then it's back to the same task. You don't know how it happened; that is the first thing you need to figure out. I have been involved in compromised server scenarios, and most experts will agree you need to start from scratch after you figure out what went wrong. It is a pain to do it, but you get a chance to do it right, and implement proper security so it does not happen again.

You can read about a similar hack here: http://msmvps.com/blogs/bradley/archive/2008/06/24/so-how-did-they-break-in.aspx

Here is another hacked server similar to yours: http://groups.google.com/group/microsoft.public.windows.server.security/browse_thread/thread/2b97afc79e0406f8

Whatever you do, make sure you back up first!
0
 

Author Comment

by:Jasnall
ID: 22926276
We're gonna start from scratch, it needed to be redone anyway. We never were able to fix the problem, but we got a new server and will set that up properly.
0