Jasnall asked:

Server login no longer works, workstations asking to verify credentials.

We have about seven computers that access their data from our central server. They all use and save data directly to the server hard drive. The server is just a Dell PC running Windows Server 2003. Last week one comp couldn't connect to the domain so I logged into the server to troubleshoot. First off I noticed some icons on the desktop called Mail Bomber along with other supporting files. I went to get Windows Defender just to run a sweep and had to restart the computer. After restarting I could no longer log in with my password, and I still cannot today. Most of the workstations can still access their files from the server, and I can log in as Admin from a workstation and look at the server's files. And now some of the workstations are asking to verify credentials, "lock and unlock the computer", I forget the whole message. I was able to get in to the server through safe mode but that's it. 2 workstations are using the same login and 2 others share the same Admin login that I use for the server. Also several shortcuts on the workstations have had their target changed to random folders. I don't know what to do.
Mikealcl

Did you check the domain roles? Would be a domain problem and not a client/server authentication problem.

Did you have anyone leave lately that would do something evil like this? Sounds like you have end users logging in with admin passwords?
Sounds like you got hacked and they changed the login passwords on you.
Jasnall (ASKER)

Mike, yes, I have end users logging in with admin passwords. I did not set this network up but am working to get people off the admin login. And I can't check any domain roles as far as I know because I can't log into the server.
Brain, my gut is telling me the same thing. The server has zero antivirus/spyware software and is only connected to a simple Linksys router.

It's fairly obvious that you've got an infection of some sort.
I'd strongly recommend that you disconnect that server from the network and get some professional help. This is not a "do it yourself" fix... this is a job for someone who has experience in fixing infected PCs.

graye, I think the question author is the professional in this case based on his answers so far. It is correct to say, though, that once you recover the data, a full rebuild of the server/domain is recommended because it would be very difficult to undo the security holes.

I disagree on the rebuild for this one. Sounds like you have a small environment where security is not a legal concern.

It sounds like you have someone doing something they shouldn't. Reset the accounts, recover the data, remove accounts. Audit your AD for rogue accounts, check the services/processes and autostart registry keys, and watch your event log for authentication security hits. Should be fairly easy to do with the small number of users. When you're comfortable, create new accounts for the end users with the proper permission levels.
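
One way to do the event-log part of that audit offline, as an added example that is not part of the original thread: the script scans an exported Security log for account changes and repeated failed logons, using the event IDs Windows Server 2003 logs for them. The CSV column layout, the sample rows and the account and workstation names are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Security log event IDs as numbered on Windows Server 2003 (pre-Vista scheme).
ACCOUNT_CHANGES = {
    624: "user account created",
    628: "password set on account",
    632: "member added to global group",
    636: "member added to local group",
    642: "user account changed",
}
FAILED_LOGONS = {529, 675}  # bad user name/password; Kerberos pre-auth failed

# Constructed sample export; this column layout is an assumption, not a Windows format.
SAMPLE_CSV = """\
time,event_id,actor,target,workstation
2010-03-01 02:11:04,529,-,Administrator,WS-UNKNOWN
2010-03-01 02:11:09,529,-,Administrator,WS-UNKNOWN
2010-03-01 02:11:15,529,-,Administrator,WS-UNKNOWN
2010-03-01 02:14:02,624,Administrator,svc_backup2,SERVER
2010-03-01 02:14:30,636,Administrator,svc_backup2,SERVER
2010-03-01 02:15:10,628,Administrator,Administrator,SERVER
2010-03-01 08:30:00,529,-,frontdesk,WS-03
"""

def triage(csv_text, threshold=3):
    """Return (account_changes, noisy_accounts) from an exported Security log."""
    changes, failures = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            event_id = int(row["event_id"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed rows rather than abort the review
        if event_id in ACCOUNT_CHANGES:
            changes.append((row["time"], ACCOUNT_CHANGES[event_id],
                            row["actor"], row["target"]))
        elif event_id in FAILED_LOGONS:
            failures[row["target"]] += 1
    # Only accounts at or above the threshold are reported as noisy.
    noisy = {acct: n for acct, n in failures.items() if n >= threshold}
    return changes, noisy

if __name__ == "__main__":
    changes, noisy = triage(SAMPLE_CSV)
    for when, what, actor, target in changes:
        print(f"{when}  {what}: {target} (by {actor})")
    print("repeated failed logons:", noisy)
```

With so few users, every account-change row can be checked by hand against the accounts that are supposed to exist.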

Jasnall (ASKER)

I agree on the infection and was leaning toward a rebuild, but will try what Mikealcl recommended. Like I said, I was able to get in and back up the important data through safe mode. My biggest problem now is just logging in; I guess I'll have to do the password recovery linked above first? Then I need to go through and clean up the domain users; there are so many not in use and with incorrect permissions.
ASKER CERTIFIED SOLUTION
Brainstormer

This solution is only available to members.
Jasnall (ASKER)

We're gonna start from scratch, it needed to be redone anyway. We never were able to fix the problem, but we got a new server and will set that up properly.