Solved

Active Directory Users Regenerate

Posted on 2011-09-03
Last Modified: 2012-12-16
I have a Windows 2003 server. It is a domain controller and Exchange 2003 host. I believe the security of this box has been compromised but I cannot find the root cause. Virus scans are clean. The problem relates to two user accounts that I cannot keep disabled or removed. The accounts are “Guest” and “Support_#######” (where ###### is a hex string). If I rename the Guest account, a new and clean “Guest” account is automatically recreated if I reboot the server or log in via RDP. The same is true of the “Support_########” account. What is more disturbing is that both of these accounts are automatically added to the Administrators group and Remote Desktop Users group. If I disable these accounts, they re-enable themselves. I know that typically the “Support_######” account is related to Remote Assistance, but that option is not enabled on this server. I do not want Guest or Support_####### to have any admin rights and would ideally like them to just go away. Any help would be appreciated.
Question by:smcotton
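Before hunting for a cause, it helps to pin down exactly which account objects are involved and which security principal keeps touching them. The script below is an added example, not something posted in this thread. It assumes an elevated PowerShell (2.0 or later) on the affected domain controller and that "Audit account management" (success) is switched on in the Default Domain Controllers Policy (on Server 2008 and later, `auditpol /set /subcategory:"User Account Management" /success:enable` does the same); the seven-day window and the `Get-SuspectAccounts`/`Get-GroupMembers`/`Get-AccountChangeEvents` function names are this example's choices.

```powershell
# Added example, not part of the original thread. Run in an elevated
# PowerShell (2.0 or later) on the domain controller in question.
# What it shows:
#   1. every account called Guest or Support_*, with its SID. The genuine
#      built-in Guest account keeps relative ID (RID) 501 however it is
#      renamed; an account that is merely *named* Guest gets an ordinary
#      RID (1000 or higher), which is why a recreated "Guest" deletes
#      easily while the renamed original is treated as a system account.
#   2. the current members of Administrators and Remote Desktop Users.
#   3. the Security-log events recording who created/enabled the account
#      or added it to a group, so the caller can be traced to a session,
#      service or scheduled job.
# Assumes "Audit account management" (success) is enabled; otherwise step 3
# returns nothing. Windows Server 2003 logs 624 (user created), 626
# (enabled), 632 (added to global group), 636 (added to local group);
# Server 2008 and later log 4720, 4722, 4728, 4732 for the same actions.

$computer = $env:COMPUTERNAME

function Get-SuspectAccounts {
    # On a DC the WinNT provider enumerates the domain's accounts.
    $entries = ([ADSI]"WinNT://$computer").Children |
        Where-Object { $_.SchemaClassName -eq 'user' }
    foreach ($u in $entries) {
        $sid = (New-Object System.Security.Principal.SecurityIdentifier(
                    [byte[]]$u.objectSid.Value, 0)).Value
        $rid = [int]($sid.Split('-')[-1])
        $disabled = (([int]$u.UserFlags.Value) -band 0x2) -ne 0   # ADS_UF_ACCOUNTDISABLE
        if ($rid -eq 501 -or $u.Name -eq 'Guest' -or $u.Name -like 'Support_*') {
            New-Object PSObject -Property @{
                Name = [string]$u.Name; SID = $sid; RID = $rid; Disabled = $disabled
            }
        }
    }
}

function Get-GroupMembers([string]$groupName) {
    $group = [ADSI]"WinNT://$computer/$groupName,group"
    # psbase.Invoke works on PowerShell 2.0; a bare .Invoke needs 3.0 or later.
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-AccountChangeEvents([int]$days = 7) {
    $ids = 624, 626, 632, 636, 4720, 4722, 4728, 4732
    Get-EventLog -LogName Security -After (Get-Date).AddDays(-$days) |
        Where-Object { $ids -contains $_.EventID -and $_.Message -match 'Guest|Support_' } |
        Sort-Object TimeGenerated |
        ForEach-Object {
            # Server 2003 writes "Caller User Name:"; 2008+ writes a Subject
            # block whose first "Account Name:" is the caller.
            $caller = ''
            if ($_.Message -match '(?m)^\s*(Caller User Name|Account Name):\s*(.+?)\s*$') {
                $caller = $matches[2]
            }
            New-Object PSObject -Property @{
                Time = $_.TimeGenerated; EventID = $_.EventID; Caller = $caller
            }
        }
}

Get-SuspectAccounts | Format-Table Name, SID, RID, Disabled -AutoSize
foreach ($g in 'Administrators', 'Remote Desktop Users') {
    '{0}: {1}' -f $g, ((Get-GroupMembers $g) -join ', ')
}
Get-AccountChangeEvents 7 | Format-Table Time, EventID, Caller -AutoSize
```

If the caller column shows the machine account or SYSTEM, the change is being made by something running locally as a service or scheduled job rather than by an interactive user; if it shows a named user, that user's credentials are in play. A RID-501 account that is disabled and renamed but keeps reappearing in the group listing points at a policy or process re-enabling it rather than at a freshly created account.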
10 Comments
Accepted Solution

by:
snusgubben earned 2000 total points
ID: 36478691
Open "msconfig" and look for suspicious entries in the Start Up (tab).

Try Malware Bytes and see if that finds any malware on the host.

http://www.malwarebytes.org/
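The Startup tab in msconfig only covers the Run keys and the Startup folders. The script below, an added example that is not part of this thread, walks the other auto-start locations a persistent implant commonly uses (Winlogon Shell/Userinit, AppInit_DLLs, all services including the Microsoft ones msconfig hides, and WMI permanent event consumers) and flags images that lack a valid Authenticode signature. It assumes an elevated PowerShell 2.0 or later; the set of locations, the path-extraction regex and the function names are this example's choices.

```powershell
# Added example, not part of the original thread. Run elevated; PowerShell
# 2.0 or later. Lists auto-start entries msconfig does not show and reports
# the Authenticode status of each referenced image.

function Get-AutostartEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # PSPath, PSParentPath, ...
            New-Object PSObject -Property @{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Winlogon: Shell should be "explorer.exe" and Userinit should be
    # "<system32>\userinit.exe," with nothing after the comma.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($v in 'Shell', 'Userinit') {
        New-Object PSObject -Property @{ Location = 'Winlogon'; Name = $v; Command = [string]$wl.$v }
    }
    # AppInit_DLLs is loaded into every process that maps user32.dll and is
    # normally empty; a DLL dropped into system32 is a classic use of it.
    $win = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    New-Object PSObject -Property @{ Location = 'AppInit_DLLs'; Name = 'AppInit_DLLs'; Command = [string]$win.AppInit_DLLs }
    # Services: msconfig hides Microsoft services by default; list them all.
    foreach ($s in Get-WmiObject -Class Win32_Service) {
        New-Object PSObject -Property @{ Location = 'Service:' + $s.StartMode; Name = $s.Name; Command = [string]$s.PathName }
    }
    # WMI permanent event consumers: persistence no GUI tool displays.
    foreach ($c in Get-WmiObject -Namespace root\subscription -Class __EventConsumer) {
        $cmd = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        New-Object PSObject -Property @{ Location = 'WMI:' + $c.__CLASS; Name = $c.Name; Command = [string]$cmd }
    }
}

function Get-ImagePath([string]$command) {
    # Pull the executable/DLL path out of a command line, quoted or not.
    if (-not $command) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    if ($c -match '^(.+?\.(exe|dll|sys|cmd|bat))(\s|,|$)') { return $matches[1] }
    return ($c -split '\s+')[0]
}

function Get-SignatureStatus([string]$path) {
    if (-not $path) { return 'no image' }
    if (-not (Test-Path -LiteralPath $path)) { return 'MISSING: ' + $path }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -eq 'Valid') { return 'signed: ' + $sig.SignerCertificate.Subject }
    return 'UNSIGNED (' + $sig.Status + ')'
}

Get-AutostartEntries | ForEach-Object {
    $image = Get-ImagePath $_.Command
    New-Object PSObject -Property @{
        Location  = $_.Location; Name = $_.Name; Image = $image
        Signature = Get-SignatureStatus $image
    }
} | Sort-Object Signature | Format-Table Location, Name, Image, Signature -AutoSize -Wrap
```

One caveat for Windows Server 2003: most operating-system binaries there are catalog-signed rather than carrying an embedded signature, so older versions of `Get-AuthenticodeSignature` report them as NotSigned. Treat the signature column as a triage order, not a verdict, and compare the unsigned entries against a known-clean server of the same build.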
Expert Comment

by:ArneLovius
ID: 36478883
Could these accounts be set through a GPO ?
Author Comment

by:smcotton
ID: 36478925
Nothing unusual in msconfig, or registry Run, or Startup folder, or scheduled events. Malwarebytes found three objects and removed them:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
c:\program files\getdislike\uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mmso.dll (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.

Problem still remains. A new scan comes up clean.

Not sure where in the GPO I would look for setting to set up accounts like this. But it’s important to note that the renamed Guest account is still considered a system account while the guest account that gets recreated each time is easily deleted.
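The place to look in Group Policy is the security template each GPO stores under SYSVOL: `[System Access]` carries the "Accounts: Rename guest account" and "Accounts: Guest account status" options, and `[Group Membership]` carries Restricted Groups, the one setting that would put an account back into Administrators or Remote Desktop Users at every policy refresh. The script below, an added example rather than anything posted in this thread, scans every GPO's GptTmpl.inf for those entries. It assumes a domain-joined machine with read access to SYSVOL and PowerShell 2.0 or later; the INI parser and the `Find-GuestAndGroupSettings` name are this example's own.

```powershell
# Added example, not part of the original thread. Security Settings in a GPO
# are stored as an INI-style file,
#   <GPO>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# under SYSVOL, so reading them needs no extra module and works against a
# Windows Server 2003 domain. Run on any domain-joined machine.
# Well-known SIDs used below: S-1-5-32-544 = BUILTIN\Administrators,
# S-1-5-32-555 = BUILTIN\Remote Desktop Users; RID 501 = the built-in Guest.

$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

function Read-IniSections([string]$path) {
    # Returns a hashtable: section name -> array of "Key = Value" lines.
    # GptTmpl.inf is UTF-16 with a BOM, which Get-Content detects on its own.
    $sections = @{}
    $current  = $null
    foreach ($raw in (Get-Content -Path $path)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @() }
            continue
        }
        if ($current) { $sections[$current] += $line }
    }
    return $sections
}

function Find-GuestAndGroupSettings {
    Get-ChildItem -Path $policies -Recurse -Filter GptTmpl.inf | ForEach-Object {
        $file    = $_.FullName
        # The GPO's GUID is the {...} directory in the path.
        $gpoGuid = @($file.Split('\') | Where-Object { $_ -match '^\{[0-9A-F-]+\}$' })[0]
        $ini     = Read-IniSections $file
        if ($ini.ContainsKey('System Access')) {
            foreach ($line in $ini['System Access']) {
                if ($line -match '^(NewGuestName|EnableGuestAccount)\s*=') {
                    New-Object PSObject -Property @{ GPO = $gpoGuid; Section = 'System Access'; Setting = $line }
                }
            }
        }
        if ($ini.ContainsKey('Group Membership')) {
            foreach ($line in $ini['Group Membership']) {
                # e.g.  *S-1-5-32-544__Members = *S-1-5-21-<domain>-501,*S-1-5-21-<domain>-512
                if ($line -match '^(\*S-1-5-32-(544|555)|Administrators|Remote Desktop Users)__Members\s*=') {
                    New-Object PSObject -Property @{ GPO = $gpoGuid; Section = 'Group Membership'; Setting = $line }
                }
            }
        }
    }
}

Find-GuestAndGroupSettings | Format-Table GPO, Section, Setting -AutoSize -Wrap
```

Map a GUID to a GPO name in GPMC, or with `Get-GPO -Guid <guid>` where the GroupPolicy module exists (Server 2008 R2 and later). Note what a security template can and cannot do: it can re-enable the built-in Guest, set its name, and re-add a SID to Administrators or Remote Desktop Users on every refresh, but it cannot create a user account. A brand-new account named Guest with a fresh RID therefore points at something running on the server itself, not at policy.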
Expert Comment

by:snusgubben
ID: 36479696
It sounds like you're dealing with a rootkit (http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html).

You should ask a moderator to add your question to the anti-virus zone.
Expert Comment

by:MidnightOne
ID: 36480734
I would HIGHLY recommend you use an independent (read: Never connected to that network) system to grab Kaspersky Rescue Disk.

Once the ISO is burned to a CD:
Boot from this CD
Let it auto-configure the network card
Update its definitions
Scan server

It's going to take a couple of hours to do this, so patience is a requirement. Once done, scan it again to make sure.
Author Comment

by:smcotton
ID: 36497818
I have isolated the server in question to prevent communication (except smtp and imap). I need to take the steps mentioned above but this is a valued production server so I need to do this off hours. Will post again here shortly.
Expert Comment

by:snusgubben
ID: 36501516
If you do a clean up on a compromised server, I would never "trust" it again. I would create a new server and move the roles (i.e. a dedicated DC and a dedicated Exchange). Then re-install the old one.

Also an important step would be to find out why the server was compromised in the first place.
Author Comment

by:smcotton
ID: 36517112
After a thorough review of the registry, I found entries which clearly activated the background processes which extended the compromise. I removed the entries along with several EXEs, residual directories and questionable profiles. Several reboots later and I have no unwanted activity. Will monitor the server for a period to verify the threat is dead.
Expert Comment

by:Pber
ID: 38695494
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.