• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 436
  • Last Modified:

Server login no longer works, workstations asking to verify credentials.

We have about seven computers that access their data from our central server. They all use and save data directly to the server hard drive. The server is just a Dell PC running Windows Server 2003. Last week one computer couldn't connect to the domain, so I logged into the server to troubleshoot. First off, I noticed some icons on the desktop called Mail Bomber along with other supporting files. I went to get Windows Defender just to run a sweep and had to restart the computer. After restarting I could no longer log in with my password, and I still cannot today. Most of the workstations can still access their files from the server, and I can log in as Admin from a workstation and look at the server's files. Now some of the workstations are asking to verify credentials ("lock and unlock the computer"; I forget the whole message). I was able to get into the server through safe mode, but that's it. Two workstations are using the same login, and two others share the same Admin login that I use for the server. Also, several shortcuts on the workstations have had their target changed to random folders. I don't know what to do.
Asked by: Jasnall
1 Solution
 
MikealclCommented:
Did you check the domain roles? It could be a domain problem and not a client/server authentication problem.

Did you have anyone leave lately who would do something evil like this? Sounds like you have end users logging in with admin passwords?
BrainstormerCommented:
Sounds like you got hacked and they changed the login passwords on you.
JasnallAuthor Commented:
Mike, yes, I have end users logging in with admin passwords. I did not set this network up but am working to get people off the admin login. And I can't check any domain roles, as far as I know, because I can't log into the server.
Brain, my gut is telling me the same thing. The server has zero antivirus/spyware software and is only connected to a simple Linksys router.
grayeCommented:
It's fairly obvious that you've got an infection of some sort.
I'd strongly recommend that you disconnect that server from the network and get some professional help. This is not a "do it yourself" fix; this is a job for someone who has experience in fixing infected PCs.
BrainstormerCommented:
graye, I think the question author is the professional in this case, based on his answers so far. It is correct to say, though, that once you recover the data, a full rebuild of the server/domain is recommended, because it would be very difficult to undo the security holes.
MikealclCommented:
I disagree on the rebuild for this one. Sounds like you have a small environment where security is not a legal concern.

It sounds like you have someone doing something they shouldn't. Reset the accounts, recover the data, remove accounts. Audit your AD for rogue accounts, check the services/processes and autostart registry keys, and watch your event log for authentication security hits. Should be fairly easy to do with the small number of users. When you're comfortable, create new accounts for the end users with the proper permission levels.

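
Mikealcl's checklist above (audit AD for rogue accounts, check services and autostart keys, review authentication events), as an added example that is not part of the original thread: a PowerShell triage script for a small domain. It assumes it is run as a domain admin from a clean, domain-joined workstation with the RSAT ActiveDirectory module, against a domain that exposes Active Directory Web Services (for a Windows Server 2003 domain controller that means installing the Active Directory Management Gateway Service), that the Remote Registry service and WMI are reachable on the server, and that the server name FILESERVER and the 30-day window are placeholders to adjust.

```powershell
# Added triage example (not from the original thread). Run from a clean
# domain-joined workstation as a domain admin; $Server and $Days are placeholders.
param(
    [string]$Server = "FILESERVER",   # hypothetical name of the suspect server
    [int]$Days = 30
)
Import-Module ActiveDirectory
$since = (Get-Date).AddDays(-$Days)

# 1. Rogue accounts: anything created recently, anything privileged, anything stale.
Write-Host "== Accounts created since $since =="
Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated, LastLogonDate |
    Select-Object SamAccountName, Enabled, whenCreated, LastLogonDate | Format-Table -AutoSize

Write-Host "== Members of privileged groups (expect only the admins you know) =="
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}

Write-Host "== Enabled accounts with no logon in $Days days (candidates to disable) =="
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) -UsersOnly |
    Where-Object Enabled | Select-Object SamAccountName, LastLogonDate

# 2. Persistence: autostart registry keys and services on the server.
Write-Host "== Autostart entries on $Server =="
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $Server)
foreach ($k in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
    $sub = $hklm.OpenSubKey($k)
    if ($sub) {
        foreach ($v in $sub.GetValueNames()) { "{0}\{1} = {2}" -f $k, $v, $sub.GetValue($v) }
    }
}

Write-Host "== Services on $Server whose binary is outside System32 / Program Files =="
Get-WmiObject Win32_Service -ComputerName $Server |
    Where-Object { $_.PathName -notmatch 'System32|Program Files' } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# 3. Authentication events from the server's Security log.
# Event IDs depend on the OS: 528/540 (success) and 529 (failure) on Server 2003,
# 4624 (success) and 4625 (failure) on Server 2008 and later.
Write-Host "== Logon events on $Server since $since, by event ID =="
Get-EventLog -LogName Security -ComputerName $Server -After $since |
    Where-Object { $_.EventID -in 528, 529, 540, 4624, 4625 } |
    Group-Object EventID | Select-Object Name, Count
```

Treat the output as evidence, not as a cleanup: anything an attacker with admin rights on the server could have altered (Run keys, services, the Security log itself) may have been altered, so a surprising entry is a reason to preserve a disk image and, as the thread concludes, rebuild rather than patch in place.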
JasnallAuthor Commented:
I agree on the infection and was leaning toward a rebuild, but will try what Mikealcl recommended. Like I said, I was able to get in and back up the important data through safe mode. My biggest problem now is just logging in; I guess I'll have to do the password recovery linked above first? Then I need to go through and clean up the domain users; there are so many not in use and with incorrect permissions.
BrainstormerCommented:
It is very easy to try and fix what the issue is and move on, but if you get compromised again in a few hours, days or months then it's back to the same task. You don't know how it happened, that is the first thing you need to figure out. I have been involved in compromised server scenarios, and most experts will agree you need to start from scratch after you figure out what went wrong. It is a pain to do it, but you get a chance to do it right, and implement proper security so it does not happen again.

You can read about a similar hack here: http://msmvps.com/blogs/bradley/archive/2008/06/24/so-how-did-they-break-in.aspx

Here is another hacked server similar to yours: http://groups.google.com/group/microsoft.public.windows.server.security/browse_thread/thread/2b97afc79e0406f8

Whatever you do make sure you back up first!
JasnallAuthor Commented:
We're going to start from scratch; it needed to be redone anyway. We never were able to fix the problem, but we got a new server and will set that up properly.