Solved

Active Directory Users Regenerate

Posted on 2011-09-03
10
630 Views
Last Modified: 2012-12-16
I have a Windows 2003 server. It is a domain controller and Exchange 2003 host. I believe the security of this box has been compromised but I cannot find the root cause. Virus scans are clean. The problem relates to two user accounts that I cannot keep disabled or removed. The accounts are “Guest” and “Support_#######” (where ###### is a hex string). If I rename the Guest account, a new and clean “Guest” account is automatically recreated if I reboot the server or log in via RDP. The same is true of the “Support_########” account. What is more disturbing is that both of these accounts are automatically added to the Administrators group and Remote Desktop Users group. If I disable these accounts, they re-enable themselves. I know that typically the “Support_######” account is related to Remote Assistance, but that option is not enabled on this server. I do not want Guest or Support_####### to have any admin rights and would ideally like them to just go away. Any help would be appreciated.
0
Comment
Question by:smcotton
10 Comments
 
LVL 21

Accepted Solution

by:
snusgubben earned 500 total points
ID: 36478691
Open "msconfig" and look for suspicious entries in the Start Up (tab).

Try Malware Bytes and see if that finds any malware on the host.

http://www.malwarebytes.org/
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 36478883
Could these accounts be set through a GPO ?
0
 

Author Comment

by:smcotton
ID: 36478925
Nothing unusual in msconfig, or registry Run, or Startup folder, or scheduled events. Malwarebytes found three objects and removed them:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
c:\program files\getdislike\uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mmso.dll (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.

Problem still remains. New scan come up clean.

Not sure where in the GPO I would look for setting to set up accounts like this. But it’s important to note that the renamed Guest account is still considered a system account while the guest account that gets recreated each time is easily deleted.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 36479696
It sounds like you're dealing with a rootkit (http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html).

You should ask a moderator to add your question to the anti-virus zone.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 26

Expert Comment

by:MidnightOne
ID: 36480734
I would HIGHLY recommend you use an independent (read: Never connected to that network) system to grab Kaspersky Rescue Disk.

Once the ISO is burned to a CD:
Boot from this CD
Let is auto-configure the network card
Update its definitions
Scan server

Its going to take a couple of hours to do this, so patience is a requirement. Once done, scan it again to make sure.
0
 

Author Comment

by:smcotton
ID: 36497818
I have isolated the server in question to prevent communication (except smtp and imap). I need to take the steps mentioned above but this is a valued production server so I need to do this off hours. Will post again here shortly.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 36501516
If you do a clean up on a compromised server, I would never "trust" it again. I would create a new server and move the roles (ie. a dedicated DC and a dedicated Exchange). Then re-install the old one.

Also an important step would be to find out why the server was compromised in the first place.
0
 

Author Comment

by:smcotton
ID: 36517112
After a thorough review of the registry, I found entries which clearly activated the background processes which extended the compromise. I removed the entries along with several exe's, residual directories and questionable profiles. Several reboots later and I have no unwanted activity. Will monitor the server for a period to verify the threat is dead.
0
 
LVL 26

Expert Comment

by:Pber
ID: 38695494
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Mapping Drives using Group policy preferences Are you still using old scripts to map your network drives if so this article will show you how to get away for old scripts and move toward Group Policy Preference for mapping them. First things f…
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now