Windows Server 2003 keeps creating random users

I have a Dell PowerEdge 2900 running Windows Server 2003. Every two weeks or so, I see a new user in my user list which I did not create. It is usually a word I don't recognize, and it shows up as the user in the login screen when my monitor rests. When I log in I change it to the user that the server is assigned to, I put the password in, I go to Server Management and see the user listed under users as the first one. It does not show me a date as to when the user was created, but I know it was not there 2 weeks ago. This keeps happening every other week or so. So far I have had 4 instances of this.
foxhelp Asked:

Steven Harris (President) Commented:
Have you tried checking your event logs when this happened?  There will be information buried in there...

What type of server is this?  Application, File, RDP, etc.

Have you installed any applications lately?  Symantec's Enterprise Backup (for example) has issues with the Command Center that created temp accounts that were not able to delete themselves due to the netapi32.dll.

What are the names of the accounts?  Do they have any symbols? (#, @, $)

What type of protection do you have on the server?  If I had to make an educated guess or bet on the outcome, I would say your server is compromised.
0

foxhelp (Author) Commented:
Yes, the event log shows the user's login and logoff activity but that is all.
Application Server
No applications have been installed lately.
No symbols in the accounts. One of them is berkeley.
I have Symantec protection
Compromised as in a virus?
0
msidnam Commented:
If you think you might have a rootkit you can try:

RootKit Revealer: It's old but may still find something.

Stinger: this is a free tool from McAfee that detects certain worms and viruses.

Wireshark: Wireshark is a packet sniffer that may help to find any malicious traffic going in and/or out of your server.

As ThinkSpaceSolutions mentions, your server may be compromised. If you are noticing strange usernames, someone may be logged in as an admin using ADUC or logged on to the server directly.

Also, Security Log Event ID 624 will be the Event ID to look for if a user is created.
0
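A sketch of the Event ID 624 check suggested in the comment above, as an added example that is not part of the original thread: it scans a Security log export for account-creation events and reports each new account together with the account that created it. The CSV layout (TimeGenerated, EventID, Message columns), the host name APPSRV01 and all sample rows are constructed assumptions; only the account name berkeley comes from the thread.

```python
import csv
import io
import re

ACCOUNT_CREATED = "624"  # Security log: user account created (Server 2003)

# Constructed sample, not from the thread. Assumed layout: a CSV export of the
# Security log with TimeGenerated, EventID and Message columns.
SAMPLE_EXPORT = """TimeGenerated,EventID,Message
2012-03-01 02:14:09,528,"Successful Logon: User Name: Administrator Domain: APPSRV01"
2012-03-01 02:15:40,624,"User Account Created:
 New Account Name: berkeley
 New Domain: APPSRV01
 Caller User Name: Administrator
 Caller Domain: APPSRV01"
2012-03-02 09:30:12,624,"User Account Created:
 New Account Name: jsmith
 New Domain: APPSRV01
 Caller User Name: helpdesk
 Caller Domain: APPSRV01"
2012-03-02 09:31:00,538,"User Logoff: User Name: helpdesk Domain: APPSRV01"
"""

# Pull the labelled fields out of the event description, one per line.
FIELD = re.compile(
    r"^\s*(New Account Name|Caller User Name|Caller Domain):\s*(\S+)", re.M)

def account_creations(export_text):
    """Return one dict per Event ID 624 record in the export."""
    found = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["EventID"].strip() != ACCOUNT_CREATED:
            continue
        fields = dict(FIELD.findall(row["Message"]))
        caller = "{}\\{}".format(fields.get("Caller Domain", "?"),
                                 fields.get("Caller User Name", "?"))
        found.append({"time": row["TimeGenerated"],
                      "account": fields.get("New Account Name", "?"),
                      "caller": caller})
    return found

def unexpected(creations, known_accounts):
    """Keep only creations of accounts the administrator did not expect."""
    known = {name.lower() for name in known_accounts}
    return [c for c in creations if c["account"].lower() not in known]

if __name__ == "__main__":
    for c in unexpected(account_creations(SAMPLE_EXPORT), ["jsmith"]):
        print(f'{c["time"]}  new account {c["account"]!r} created by {c["caller"]}')
```

The caller and timestamp are what the user list in Server Management does not show: they tell you which account created the unknown user and when.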
Steven Harris (President) Commented:
Beat me to it msidnam.

The overall consensus is going to be a virus of some sort.

If you want to set up a little monitoring solution for your events (such as ID 624 as msidnam mentioned), check out my Article here on EE.
0
foxhelp (Author) Commented:
Thanks, I will try those things and let you know.
0
reynoldsradisson Commented:
Try this:

Change default RDP port, change the domain.
0
foxhelp (Author) Commented:
It was probably a virus because after I ran the scan, the users stopped appearing.
Thanks.
0