• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 652
  • Last Modified:

Active Directory Users Regenerate

I have a Windows 2003 server. It is a domain controller and Exchange 2003 host. I believe the security of this box has been compromised but I cannot find the root cause. Virus scans are clean. The problem relates to two user accounts that I cannot keep disabled or removed. The accounts are “Guest” and “Support_#######” (where ###### is a hex string). If I rename the Guest account, a new and clean “Guest” account is automatically recreated if I reboot the server or log in via RDP. The same is true of the “Support_########” account. What is more disturbing is that both of these accounts are automatically added to the Administrators group and Remote Desktop Users group. If I disable these accounts, they re-enable themselves. I know that typically the “Support_######” account is related to Remote Assistance, but that option is not enabled on this server. I do not want Guest or Support_####### to have any admin rights and would ideally like them to just go away. Any help would be appreciated.
0
smcotton
Asked:
smcotton
1 Solution
 
snusgubbenCommented:
Open "msconfig" and look for suspicious entries in the Start Up (tab).

Try Malware Bytes and see if that finds any malware on the host.

http://www.malwarebytes.org/
0
 
ArneLoviusCommented:
Could these accounts be set through a GPO ?
0
 
smcottonAuthor Commented:
Nothing unusual in msconfig, or registry Run, or Startup folder, or scheduled events. Malwarebytes found three objects and removed them:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
c:\program files\getdislike\uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mmso.dll (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.

Problem still remains. New scan come up clean.

Not sure where in the GPO I would look for setting to set up accounts like this. But it’s important to note that the renamed Guest account is still considered a system account while the guest account that gets recreated each time is easily deleted.
0
Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

 
snusgubbenCommented:
It sounds like you're dealing with a rootkit (http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html).

You should ask a moderator to add your question to the anti-virus zone.
0
 
MidnightOneCommented:
I would HIGHLY recommend you use an independent (read: Never connected to that network) system to grab Kaspersky Rescue Disk.

Once the ISO is burned to a CD:
Boot from this CD
Let is auto-configure the network card
Update its definitions
Scan server

Its going to take a couple of hours to do this, so patience is a requirement. Once done, scan it again to make sure.
0
 
smcottonAuthor Commented:
I have isolated the server in question to prevent communication (except smtp and imap). I need to take the steps mentioned above but this is a valued production server so I need to do this off hours. Will post again here shortly.
0
 
snusgubbenCommented:
If you do a clean up on a compromised server, I would never "trust" it again. I would create a new server and move the roles (ie. a dedicated DC and a dedicated Exchange). Then re-install the old one.

Also an important step would be to find out why the server was compromised in the first place.
0
 
smcottonAuthor Commented:
After a thorough review of the registry, I found entries which clearly activated the background processes which extended the compromise. I removed the entries along with several exe's, residual directories and questionable profiles. Several reboots later and I have no unwanted activity. Will monitor the server for a period to verify the threat is dead.
0
 
PberSolutions ArchitectCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Take Control of Web Hosting For Your Clients

As a web developer or IT admin, successfully managing multiple client accounts can be challenging. In this webinar we will look at the tools provided by Media Temple and Plesk to make managing your clients’ hosting easier.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now