Active Directory hacked


ld5000 (Technical User, CA), Jun 2, 2003
A hacker got into our Windows 2000 server this weekend.

The Active Directory is still intact, but the administrator user has no access privileges, and it's the same for all groups. So we're unable to retake full possession of our server.

I hope that someone will help us.

Thanks,

P.S. Sorry for my English, I'm French Canadian.
 
Well, I do understand you well, I'm French Canadian also ;P

Did you have any backup of your Active Directory while it was in a "good" state?

NOTE: AD is also included in the "Backup System State" option.

And maybe you could try to "crack" your password with some kind of brute force. If the hacker got into your system, it was because of a breach; maybe the breach is still there ...

But one sure thing, that's not gonna be easy without restoring a backup ...

Good luck Canadian bro!

- Security is a never ending job.
 
We lost the privilege to access the backup system.
 
Don't suppose you have a FULL system backup? If you've got a modern backup system (maybe it's just the HP ones though) you can simply slap your tape in the drive and hold down the "one-button disaster recovery" button on the drive whilst it's booting. It will trash what you already have (I think - you should check it first) and reload everything from the tape.

Good Luck

Steve Hewitt
 
Try to reset the administrator password with the boot disk utility? (Linux based) Works VERY WELL.
 
Yeah, an "image kind" of backup would restore everything, without needing the backup operator right. And no, it's not only HP who have that option; most up-to-date backup software solutions have it (also called the disaster recovery option).

Forget about the boot disk utility; it doesn't work for domain passwords, because they are not stored on the local computer. And on the Domain Controller, they are not stored in the SAM.

I would rather go with the first link given up there. But if your machine has been secured, patched and well tuned, the solution will not work. (But that should not be your case, if you have been hacked.) So it can work.

A little question: do you have the right to install software on the domain controller?


- Security is a never ending job.
 
First, thanks to all of you who are trying to help us.

Second, we didn't have a backup of the Active Directory. We only take a backup of our data.

Third, we analysed the log of what the hacker did before clearing all privileges, and he finished by clearing his own privileges. So no one has access like a full administrator on the server. If he really did it, we can try to hack our server like he did.

Fourth, we have a technician who will spend all night giving us access to our data. The problem is that it is not sure we will recover everything, especially all the Exchange accounts.

Fifth, I'm unable to understand how a server can run without having any administrator privilege.

Thanks again for all your effort. I'll forward all of your answers to our technical support.
 
Strike 2, because I made some mistakes that could confuse my previous answer...
_____

First, thanks to all of you who are trying to help us.

Second, we didn't have a backup of the Active Directory. We only take a backup of our data.

Third, we analysed the log of what the hacker did before clearing all privileges, and he finished by clearing his own privileges. So no one has access like a full administrator on the server. If he really did it, we can't try to hack our server like he did.

Fourth, we have a technician who will spend all night giving us access to our data. The problem is that it is not sure we will recover everything, especially all the Exchange accounts.

Fifth, I'm unable to understand how a server can run without having any administrator privilege.

Thanks again for all your effort. I'll forward all of your answers to our technical support.
 
No need to tell you: next time, back up everything! (You didn't even have the system state backed up?)

It's not impossible, but why would a hacker remove all his privileges? He probably created a new account, or renamed the administrator account as guest and guest as admin :p Well, lots of possibilities. I strongly recommend you reinstall your server from scratch. Even if your technician brings it back, you have no idea what the hacker did to it.

And never forget that logs in a Windows environment are easy to erase, and easy to create while it hasn't been secured (he could have created some kind of fake logs too...). Keep that in mind! So please, reinstall everything from new!

For your Exchange data, I wouldn't care too much about it. All the Exchange data are only in 2 files. If you can get those 2 files, you will be able to "rebuild" all mailboxes (but maybe you'll have to relink them manually with all users). Those files are the *.edb and *.stm. Copy those somewhere on your network and you'll be OK.

And for your last question, hmmm, you still have the "System" account that can run services. So it's not impossible for a server to run without admin. But not to be managed!!!

Hope it helped you!

Laterz.
- Security is a never ending job.
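As an added defender-side example (not from any poster in this thread): a PowerShell check for the renamed-account trick and the new-account trick described above. It finds the built-in Administrator and Guest by their well-known RIDs (500 and 501) instead of by name, lists accounts created recently, and resolves Domain Admins by its well-known RID (512) to show its current members. It assumes a domain-joined machine with LDAP access to the domain; the 14-day threshold is a constructed value.

```powershell
# Added example, not from the thread: spot renamed built-in accounts, recently
# created accounts, and the current Domain Admins membership, all by SID/RID so
# that a renamed account cannot hide. Assumes a domain-joined machine with LDAP
# access to the domain.
$daysBack = 14   # constructed threshold for "recently created"
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = $rootDse.defaultNamingContext
$domainEntry = [ADSI]"LDAP://$domainDN"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domainEntry)
$searcher.PageSize = 500
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user))"
[void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "objectSid", "whenCreated", "member"))

foreach ($r in $searcher.FindAll()) {
    $name = [string]$r.Properties["samaccountname"][0]
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($r.Properties["objectsid"][0], 0)
    $rid  = [int]($sid.Value -split '-')[-1]
    # The well-known RIDs survive a rename; the account name does not.
    switch ($rid) {
        500 { "Built-in Administrator (RID 500) is currently named '$name'" }
        501 { "Built-in Guest (RID 501) is currently named '$name'" }
    }
    $created = [datetime]$r.Properties["whencreated"][0]
    if ($created -gt (Get-Date).AddDays(-$daysBack)) {
        "Recently created account: '$name' (created $created)"
    }
}

# Domain Admins is a well-known group (domain SID + RID 512); look it up by SID,
# not by name, so a renamed group is still found.
$domainSid = New-Object System.Security.Principal.SecurityIdentifier($domainEntry.objectSid.Value, 0)
$daSid = "$($domainSid.Value)-512"
$searcher.Filter = "(objectSid=$daSid)"
$group = $searcher.FindOne()
if ($group) {
    $groupName = [string]$group.Properties["samaccountname"][0]
    "Domain Admins (RID 512) is currently named '$groupName' with members:"
    $group.Properties["member"] | ForEach-Object { "  $_" }
}
```

Compare the output against the account list you expect; any unfamiliar recently created account or Domain Admins member is a lead for the investigation.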
 
I just had a similar experience some days ago. And I was using the tool from:

From there go to BootDisk, then download:
bd030426.zip (1.4MB) - Bootdisk image, date 030426
rawwrite2.zip (10K) - DOS Program to write floppy images.

Boot with the floppy, then follow the on-screen instructions. From this little tool you can reset your accounts and your security environment. I found it very, very useful.
And read all those on-screen instructions. Following them, you will succeed.

Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new: (just started)
 
No, it won't help. We are talking here about a Windows 2000 Server environment in a DOMAIN.

Here it is, from your link:

This is a utility to (re)set the password of any user that has a valid (local) account on your NT system, by modifying the crypted password in the registry's SAM file.

See the "(local)". A server that has AD on it doesn't have local accounts. I'm sorry to tell you, but forget this solution. Just like I told you before, the passwords are NOT stored in the SAM file.

I just don't want you to lose some precious time... (But that would have been a good solution for a server in another context.)

Later!

- Security is a never ending job.
 
Maybe not, Laforce, but you will gain administrative control of your server. And did you ask yourself what account is used when you are booting the machine in Restore AD mode?
It's about a SAM that will still exist.


Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new: (just started)
 
I covered this point in my posting, no need for fighting gentlemen, just read above.

Matt
 
Yeah, that's right, guys.

But that's why I also used the "while it hasn't been secured" expression.

;P

Good luck with all that. I think you have 2-3 working solutions. But as I told you, if you get it "back", reinstall from scratch. You have no idea what the hacker did to your system.

Good luck!

- Security is a never ending job.
 
Really late, but better late than never. :) Tools like ERD Commander from Sysinternals will sort out the password problem. But I have to agree you would have to be very bored to know every policy, permission and object on your network. So the answer is ERDisk for AD.
Thanks
Bye!
 
This might help, but it's worth a shot.

Try using the CIA Commander boot disk.


You can access the NTFS partition at the root, and you should be able to change your logon credentials and also access the whole disk.

It might work, but it's worth a try.

Hope it helps.
 