darkbluegr
asked on
Restoring SBS 2003 server after hack
Hi, I temporarily put my SBS 2003 on the public internet (configured my LAN connection with a public IP) and 3 hours later my domain admin password was changed.
Fortunately all my data on the D: drive (Exchange store) and my user profiles (also on D:) are intact.
I noticed, however, several new .dll and .txt files in the root of the C: drive.
How can I recover my domain admin password? Or can I restore it to the previous one?
I can still log on locally with a limited-privilege user. If I run "net user administrator" at the command prompt, I see that the password was last changed 3 hours ago (and it wasn't us).
I have physical access to the machine and ideally I'd like to revert to our previous password.
Thank you.
ASKER
Thanks - I only have a limited domain user account that I can use, and it doesn't let me restore.
I can't log in to Directory Services Restore Mode unfortunately, as I do not know the new domain admin password. I assume the local admin password was changed when the intruder changed the domain admin password? None of my 3 passwords works, it seems.
The directory restore password is likely the password used during the original install.
The resetting is a manual process.
http://support.microsoft.com/kb/322672
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
http://www.geeksaresexy.net/2009/03/12/how-to-reset-your-lost-2003-active-directory-admin-password/
ASKER
Thanks, I remembered another admin-level account that I had, and I used it successfully to change my original "Administrator" domain-admin account.
Any suggestions for a thorough scan for backdoors/trojans while I am preparing a new box from scratch? Should I try Trend Micro's scanner? Any other recommendations?
Thank you
Younghv has several articles on anti-virus tactics.
https://www.experts-exchange.com/Digital_Living/Software/A_1958-MALWARE-An-Ounce-of-Prevention.html
https://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_5124-Stop-the-Bleeding-First-Aid-for-Malware.html
You should disable the administrator account.
You should limit an administrator from being able to use terminal services.
Your compromise may have come through several means: Exchange if not updated, IIS, etc.
Make sure you do not expose the system directly to the outside.
ASKER
OK, I have the server back behind my SonicWall, with only essential services allowed.
Seems I have a variant of the "darkshell" exploit. I am running Trend Micro HouseCall as a first step and then I will also try Malwarebytes and SUPERAntiSpyware.
I also deleted three users that I noticed were created:
systemd, member of Administrators
systeme, member of Administrators
systems, member of Administrators
Will report back soon.
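A defender-side check in the spirit of the asker's "net user administrator" test and the rogue Administrators-group members listed in this post, added here as an example (it is not code from the thread): it parses constructed `net user` and `net localgroup administrators` output, flags group members outside an assumed baseline, and reports whether the admin password was set within a recent window. The exact output layout, the timestamp format and the baseline set are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `net user administrator` output (layout assumed, values made up).
NET_USER_ADMIN = """\
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
Account active               Yes
Password last set            3/12/2010 2:15 AM
Password expires             Never
Local Group Memberships      *Administrators
Global Group memberships     *Domain Admins         *Domain Users
The command completed successfully.
"""

# Constructed sample of `net localgroup administrators` output after the intrusion,
# including the three accounts the asker found (layout assumed).
NET_LOCALGROUP_ADMINS = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Domain Admins
systemd
systeme
systems
The command completed successfully.
"""

NET_TIME_FMT = "%m/%d/%Y %I:%M %p"          # assumed US-style timestamp as net user prints it
EXPECTED_ADMINS = {"Administrator", "Domain Admins"}  # assumed known-good baseline


def password_last_set(net_user_output):
    """Parse the 'Password last set' line into a datetime."""
    m = re.search(r"^Password last set\s+(.+)$", net_user_output, re.MULTILINE)
    return datetime.strptime(m.group(1).strip(), NET_TIME_FMT)


def password_changed_recently(net_user_output, now_text, hours=24):
    """True if the password was set less than `hours` hours before `now_text` (same format)."""
    now = datetime.strptime(now_text, NET_TIME_FMT)
    return now - password_last_set(net_user_output) < timedelta(hours=hours)


def unexpected_admins(net_localgroup_output, expected):
    """Return members listed after the dashed separator that are not in the baseline."""
    lines = net_localgroup_output.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("----")) + 1
    members = [l.strip() for l in lines[start:] if l.strip() and not l.startswith("The command")]
    return sorted(set(members) - expected)
```

On a live machine the two constants would be replaced by the captured command output, ideally saved alongside the case notes so the baseline comparison can be repeated after each cleanup pass.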
You should consider, for the duration, applying a restriction on the SBS from the SonicWall to prevent back doors and tunnels out, just in case. Add logging to see if some of the tools miss anything.
ASKER
Thanks - will do!
I also kept a zip of the infected files. Should I upload it to a web "scanning" service for investigation/reference for other users?
ASKER
Thank you, I do plan to reinstall, but meanwhile my email needs to run while I'm preparing the migration. Is it a good idea to set up a brand new machine and reinstall SBS 2003 from scratch? Will I be able to migrate my users, mails, and settings between servers? Any tips on how to approach this project?
Regards
Doing what you suggest could render the entire environment inoperable.
Before suggesting such an approach, you should always explore whether the asker actually has backups, and what types of backups, to make sure that the environment can be reconstituted to the functional level at which it existed before.
Or the asker may wind up having to reinstall all workstations, etc.
ASKER
I have a backup of my data drive (user profiles and mail store), but not the system state, as it turns out.
Maybe I could add a secondary DC and wait for replication, then transfer the FSMO roles to the secondary, and rebuild the primary (hacked) one?
PS. As suspected, HouseCall by Trend Micro found 6 infec
You also have to make sure you have a correct backup set up for Exchange. A file-system-level backup will not cover the Exchange restore.
SBS cannot exist without being the master for most of the FSMO roles.
You can use this to reset your password, even the domain admin password.
https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/A_9832-Recover-lost-administrator-password-in-windows-2008.html
ASKER
So, to recap, the consensus is that I should make sure my backup of the Exchange database is OK and then try to rebuild my SBS on a new machine?
ASKER
Once I'm in and the files are restored, I will try to keep only the essential data files and copy them to a new, clean box. Thanks!