Solved

Active Directory Users Regenerate

Posted on 2011-09-03
647 Views
Last Modified: 2012-12-16
I have a Windows 2003 server. It is a domain controller and Exchange 2003 host. I believe the security of this box has been compromised but I cannot find the root cause. Virus scans are clean. The problem relates to two user accounts that I cannot keep disabled or removed. The accounts are “Guest” and “Support_#######” (where ###### is a hex string). If I rename the Guest account, a new and clean “Guest” account is automatically recreated if I reboot the server or log in via RDP. The same is true of the “Support_########” account. What is more disturbing is that both of these accounts are automatically added to the Administrators group and Remote Desktop Users group. If I disable these accounts, they re-enable themselves. I know that typically the “Support_######” account is related to Remote Assistance, but that option is not enabled on this server. I do not want Guest or Support_####### to have any admin rights and would ideally like them to just go away. Any help would be appreciated.
Question by:smcotton
10 Comments
 
LVL 21

Accepted Solution

by:
snusgubben earned 2000 total points
ID: 36478691
Open "msconfig" and look for suspicious entries in the Start Up (tab).

Try Malware Bytes and see if that finds any malware on the host.

http://www.malwarebytes.org/
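Added example, not part of the thread: msconfig's Startup tab shows only part of what runs at boot and logon. The script below lists the common auto-start locations in one pass (Run/RunOnce keys, the Winlogon Shell/Userinit values, AppInit_DLLs, services installed outside the Windows and Program Files trees, scheduled tasks and the Startup folders) so that an entry that re-creates accounts at every boot or RDP logon stands out. It is read-only and assumes it runs elevated on the Windows host being inspected; the `Add-Finding` helper and the path heuristics are mine, not anything the thread describes.

```powershell
# Added example (not from the thread): enumerate auto-start locations for review.
# Assumes: run elevated on the host being inspected; read-only.

$findings = New-Object System.Collections.ArrayList
function Add-Finding($location, $name, $command) {
    [void]$findings.Add((New-Object PSObject -Property @{ Location = $location; Name = $name; Command = $command }))
}

# Run/RunOnce keys for the machine and the current user
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -notlike 'PS*') { Add-Finding $key $v.Name $v.Value }   # skip PSPath, PSDrive, ...
    }
}

# Winlogon values run at every interactive logon; the defaults are explorer.exe for
# Shell and "<windir>\system32\userinit.exe," for Userinit. Taskman is normally absent.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'Shell', 'Userinit', 'Taskman') {
    if ($winlogon.$name) { Add-Finding 'Winlogon' $name $winlogon.$name }
}

# AppInit_DLLs is loaded into every process that loads user32.dll; it is normally empty
$appInit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
if ($appInit) { Add-Finding 'AppInit_DLLs' 'AppInit_DLLs' $appInit }

# Services whose binary lives outside the Windows or Program Files trees (heuristic)
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -and ($_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)') } |
    ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

# Scheduled tasks; "schtasks /v" exposes the "Task To Run" column (English column names).
# Newer releases repeat the CSV header per task folder, so drop those rows.
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' } |
    ForEach-Object { Add-Finding 'ScheduledTask' $_.TaskName $_.'Task To Run' }

# Startup folders; the all-users path differs between Windows 2003 and later releases
$startupDirs = "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem $dir | ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }
    }
}

$findings | Sort-Object Location, Name | Format-Table Location, Name, Command -AutoSize -Wrap
```

Compare the output against a known-good host of the same build; on a domain controller the list should be short, and anything pointing at a user profile, a temp directory or a DLL you cannot account for (the thread's mmso.dll would have shown up this way) deserves a look before the next reboot.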
 
LVL 37

Expert Comment

by:ArneLovius
ID: 36478883
Could these accounts be set through a GPO?
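Added example, not part of the thread: the question of whether policy is doing this can be answered from SYSVOL. Two kinds of Group Policy setting re-add members to a group at every policy refresh: "Restricted Groups" in a security template (the `[Group Membership]` section of `GptTmpl.inf`) and the Group Policy Preferences "Local Users and Groups" item (`Groups.xml`). The script below walks the Policies share, pulls both, and maps each GPO folder GUID back to its display name through ADSI. It assumes a domain-joined machine with read access to SYSVOL and to the `CN=Policies` container; the helper name is mine.

```powershell
# Added example (not from the thread): find GPOs that manage group membership.
# Assumes: domain-joined host, read access to SYSVOL and the directory.

$domainDns  = (Get-WmiObject Win32_ComputerSystem).Domain
$domainDn   = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$policyRoot = "\\$domainDns\SYSVOL\$domainDns\Policies"

function Get-GpoDisplayName($guidFolder) {
    # The folder name is the GPO GUID; its friendly name is on the AD object
    try {
        $name = [string]([ADSI]"LDAP://CN=$guidFolder,CN=Policies,CN=System,$domainDn").displayName
        if ($name) { return $name }
    } catch { }
    return $guidFolder
}

$findings = New-Object System.Collections.ArrayList

# Restricted Groups: lines such as  *S-1-5-32-544__Members = *S-1-5-21-...-501
Get-ChildItem -Path $policyRoot -Recurse -Filter GptTmpl.inf -ErrorAction SilentlyContinue | ForEach-Object {
    $gpo = if ($_.FullName -match '(\{[0-9A-Fa-f-]+\})') { $matches[1] } else { $_.Directory.Name }
    $inSection = $false
    foreach ($line in Get-Content $_.FullName) {
        if ($line -match '^\s*\[(.+)\]') { $inSection = ($matches[1] -eq 'Group Membership'); continue }
        if ($inSection -and $line.Trim()) {
            [void]$findings.Add((New-Object PSObject -Property @{
                Gpo = Get-GpoDisplayName $gpo; Source = 'RestrictedGroups'; Setting = $line.Trim() }))
        }
    }
}

# Group Policy Preferences: <Group><Properties groupName="..."><Members><Member name= action= sid=/>
Get-ChildItem -Path $policyRoot -Recurse -Filter Groups.xml -ErrorAction SilentlyContinue | ForEach-Object {
    $gpo = if ($_.FullName -match '(\{[0-9A-Fa-f-]+\})') { $matches[1] } else { $_.Directory.Name }
    $xml = [xml](Get-Content $_.FullName)
    foreach ($g in @($xml.Groups.Group)) {
        if (-not $g) { continue }
        foreach ($m in @($g.Properties.Members.Member)) {
            if (-not $m) { continue }
            [void]$findings.Add((New-Object PSObject -Property @{
                Gpo = Get-GpoDisplayName $gpo; Source = 'GPP'
                Setting = "$($g.Properties.groupName): $($m.action) $($m.name) $($m.sid)" }))
        }
    }
}

$findings | Format-Table Gpo, Source, Setting -AutoSize -Wrap
```

If a `__Members` line for `S-1-5-32-544` (Administrators) or `S-1-5-32-555` (Remote Desktop Users) lists the Guest RID (501) or the Support_ account, the accounts are being put back by policy and the fix is in the GPO, not on the server. An empty result means policy is not the cause and the re-creation is local to the box.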
 

Author Comment

by:smcotton
ID: 36478925
Nothing unusual in msconfig, or registry Run, or Startup folder, or scheduled events. Malwarebytes found three objects and removed them:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
c:\program files\getdislike\uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mmso.dll (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.

Problem still remains. A new scan comes up clean.

Not sure where in the GPO I would look for setting to set up accounts like this. But it’s important to note that the renamed Guest account is still considered a system account while the guest account that gets recreated each time is easily deleted.
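Added example, not part of the thread: the observation above (the renamed Guest is still a "system account", while the Guest that keeps reappearing can simply be deleted) is exactly what the account's RID tells you. The built-in Guest keeps RID 501 no matter what it is named; a freshly created account named "Guest" gets a new RID of 1000 or higher. The script below looks up the Guest and SUPPORT_* accounts in the domain (by name, and the real Guest by SID as well), and for each reports whether it is enabled, its RID, and whether it sits in Administrators, Remote Desktop Users or another privileged group. It uses ADSI only, so it needs no extra module, and assumes a domain-joined machine and a user who can read the directory; the privileged-group list is my choice.

```powershell
# Added example (not from the thread): audit Guest and SUPPORT_* accounts in the domain.
# Assumes: domain-joined host; caller can read the directory.

$domainDn   = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$domainRoot = [ADSI]"LDAP://$domainDn"

# The genuine built-in Guest keeps RID 501 even after it is renamed, so look it up by
# SID as well as by name. An LDAP filter needs the SID bytes escaped as \xx.
$domainSid = New-Object System.Security.Principal.SecurityIdentifier($domainRoot.Properties['objectSid'].Value, 0)
$guestSid  = New-Object System.Security.Principal.SecurityIdentifier("$($domainSid.Value)-501")
$sidBytes  = New-Object byte[] ($guestSid.BinaryLength)
$guestSid.GetBinaryForm($sidBytes, 0)
$guestSidLdap = ($sidBytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(|(sAMAccountName=Guest)(sAMAccountName=SUPPORT_*)(objectSid=$guestSidLdap)))"
foreach ($attr in 'sAMAccountName', 'userAccountControl', 'memberOf', 'objectSid', 'whenCreated') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$ADS_UF_ACCOUNTDISABLE = 0x2
# Groups a guest-type account should never be a member of
$privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Remote Desktop Users'

$report = foreach ($entry in $searcher.FindAll()) {
    $p   = $entry.Properties
    $uac = [int]$p['useraccountcontrol'][0]
    $sid = New-Object System.Security.Principal.SecurityIdentifier($p['objectsid'][0], 0)
    $rid = [int](($sid.Value -split '-')[-1])
    # memberOf holds DNs such as "CN=Administrators,CN=Builtin,DC=corp,DC=local"; keep the CN
    $groups = @()
    if ($p['memberof']) {
        $groups = @($p['memberof'] | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=', '' })
    }
    $bad = @($groups | Where-Object { $privileged -contains $_ })
    New-Object PSObject -Property @{
        Name       = [string]$p['samaccountname'][0]
        Enabled    = -not ($uac -band $ADS_UF_ACCOUNTDISABLE)
        Rid        = $rid
        # 501 is the built-in Guest; 1000 or higher is a newly created account that
        # only reuses the name and can be deleted outright
        BuiltIn    = ($rid -eq 501)
        Created    = $p['whencreated'][0]
        PrivGroups = ($bad -join ';')
    }
}
$report | Format-Table Name, Enabled, Rid, BuiltIn, Created, PrivGroups -AutoSize
```

Run it before and after a reboot or RDP logon: a row with `BuiltIn` false and a `Created` timestamp matching the last logon shows the account is being created by something that runs at that event, and `PrivGroups` shows the membership being granted, which narrows the search to logon-time persistence rather than to the account objects themselves.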
 
LVL 21

Expert Comment

by:snusgubben
ID: 36479696
It sounds like you're dealing with a rootkit (http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html).

You should ask a moderator to add your question to the anti-virus zone.
 
LVL 26

Expert Comment

by:MidnightOne
ID: 36480734
I would HIGHLY recommend you use an independent (read: Never connected to that network) system to grab Kaspersky Rescue Disk.

Once the ISO is burned to a CD:
Boot from this CD
Let it auto-configure the network card
Update its definitions
Scan server

It's going to take a couple of hours to do this, so patience is a requirement. Once done, scan it again to make sure.
 

Author Comment

by:smcotton
ID: 36497818
I have isolated the server in question to prevent communication (except smtp and imap). I need to take the steps mentioned above but this is a valued production server so I need to do this off hours. Will post again here shortly.
 
LVL 21

Expert Comment

by:snusgubben
ID: 36501516
If you do a clean up on a compromised server, I would never "trust" it again. I would create a new server and move the roles (i.e. a dedicated DC and a dedicated Exchange). Then re-install the old one.

Also an important step would be to find out why the server was compromised in the first place.
 

Author Comment

by:smcotton
ID: 36517112
After a thorough review of the registry, I found entries which clearly activated the background processes which extended the compromise. I removed the entries along with several exe's, residual directories and questionable profiles. Several reboots later and I have no unwanted activity. Will monitor the server for a period to verify the threat is dead.
 
LVL 26

Expert Comment

by:Pber
ID: 38695494
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.