Change NT Authority/System password?

Status
Not open for further replies.

deisehun

Programmer
Nov 24, 2006
182
IE
I have a Windows 2003 Terminal Server and a hacker logged in by what appears to be the NT Authority/System account.

Does anyone know how I can change this?

I can't find it in the Active Directory.

Thanks..
 
Thanks for that - I have all the best practice suggestions enabled already.

Do you know where I can find the NT Authority/System user?
 
NT Authority/System is a built-in account that you are unable to administer. As far as I know you cannot change the password and from what I have read on the web, you would not want to. If you believe the account was exploited, would you please post the error or any information on why you believe it to be the problem. I have seen postings regarding worm exploits causing system crashes.
You believe TS was hacked using that account, what info made you come to that conclusion?

Thanks...
 
Here's the entry in the event log that would correspond to the hacking:

Success Audit,05/06/2007,10:28:38,Security,Logon/Logoff ,538,ANONYMOUS LOGON,Servername
Success Audit,05/06/2007,10:28:29,Security,Logon/Logoff ,540,ANONYMOUS LOGON,Servername
Success Audit,05/06/2007,10:27:51,Security,Logon/Logoff ,540,IUSR_Servername,Servername
Success Audit,05/06/2007,10:27:51,Security,Logon/Logoff ,552,NETWORK SERVICE,Servername


Cheers..
 
They look like IIS usernames to me, they are managed and changed by Windows.

You can find out what the password is.

Code:
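' Reads the IIS anonymous (IUSR) and WAM (IWAM) account names and
' passwords from the IIS metabase via ADSI and displays them.
' Run on the IIS server itself as an administrator.
Option Explicit
Dim objIIS, strMessage
' Bind to the root of the WWW service in the local metabase
Set objIIS = GetObject ("IIS://localhost/w3svc")
strMessage = "The metabase reports the anonymous credentials as:" _
& vbcrlf & " AnonymousUserName = " & objIIS.Get("AnonymousUserName") _
& vbcrlf & " AnonymousUserPass = " & objIIS.Get("AnonymousUserPass") _
& vbcrlf & " WAMUserName = " & objIIS.Get("WAMUserName") _
& vbcrlf & " WAMUserPass = " & objIIS.Get("WAMUserPass")
Set objIIS = Nothing
WScript.Echo strMessage
' END OF SCRIPT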
 
Those look like normal audits to me, as far as a web server. More info please...
Are these logs from a web server?
Are they from a DC?
Is your web server a DC (domain controller)?
Internal or External Web server or both?
Other than the logs, what would give you the impression that the server has been hacked? Has the web page been owned? User accounts created/Passwords changed? System Crashing?
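
Added example, not part of the original thread: a small Python triage of Event Viewer CSV exports in the format quoted above, separating routine entries from built-in accounts from entries worth reviewing. The event ID meanings are the Windows Server 2003 ones; the last two sample lines and the account name `jdoe` are constructed for illustration.

```python
import csv
from io import StringIO

# Windows Server 2003 security-log logon event IDs (pre-Vista numbering).
EVENT_IDS = {
    "528": "successful logon (interactive or Terminal Services)",
    "529": "logon failure: unknown user name or bad password",
    "538": "user logoff",
    "540": "successful network logon",
    "552": "logon attempt using explicit credentials",
}
# Built-in principals that produce routine logon entries on an IIS host.
BUILTIN = {"ANONYMOUS LOGON", "NETWORK SERVICE", "LOCAL SERVICE", "SYSTEM"}
FIELDS = ["type", "date", "time", "source", "category", "event_id", "user", "computer"]

# First four lines are the ones quoted in the thread; the last two are
# constructed for this example ("jdoe" is a hypothetical account).
SAMPLE = """\
Success Audit,05/06/2007,10:28:38,Security,Logon/Logoff ,538,ANONYMOUS LOGON,Servername
Success Audit,05/06/2007,10:28:29,Security,Logon/Logoff ,540,ANONYMOUS LOGON,Servername
Success Audit,05/06/2007,10:27:51,Security,Logon/Logoff ,540,IUSR_Servername,Servername
Success Audit,05/06/2007,10:27:51,Security,Logon/Logoff ,552,NETWORK SERVICE,Servername
Success Audit,05/06/2007,10:30:12,Security,Logon/Logoff ,528,jdoe,Servername
Failure Audit,05/06/2007,10:31:02,Security,Logon/Logoff ,529,SYSTEM,Servername
"""

def is_builtin(user):
    # Accept both "SYSTEM" and "NT AUTHORITY\SYSTEM" style names.
    name = user.split("\\")[-1].upper()
    return name in BUILTIN or name.startswith(("IUSR_", "IWAM_"))

def triage(text):
    """Split exported log rows into (routine, review) lists of dicts."""
    routine, review = [], []
    for raw in csv.reader(StringIO(text)):
        if len(raw) != len(FIELDS):
            continue  # skip blank or malformed lines
        row = dict(zip(FIELDS, (v.strip() for v in raw)))
        row["meaning"] = EVENT_IDS.get(row["event_id"], "not a logon event tracked here")
        # Review every failure audit and every logon by a named account.
        named = row["event_id"] in ("528", "540", "552") and not is_builtin(row["user"])
        (review if row["type"] == "Failure Audit" or named else routine).append(row)
    return routine, review

if __name__ == "__main__":
    routine, review = triage(SAMPLE)
    for r in review:
        print("REVIEW", r["date"], r["time"], r["event_id"], r["user"], "-", r["meaning"])
    print(len(routine), "routine entries from built-in accounts")
```

On the four entries quoted in the thread, every row lands in the routine list: they are network logons and a logoff by built-in accounts, with no 528 logon by a named user among them.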
 
Thanks for the replies:

These are from a Terminal Server
It is not a DC
DC is not a Web Server

I think it was hacked as someone logged into the UPS Web interface (private address within the LAN) and in the UPS logs, someone from the TS in question shut down some of the servers.

I also have the following entry on the DC:

The process shutdown.exe has initiated the shutdown of computer DCNAME on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0xffffffff
Shutdown Type: shutdown
Comment:

------

Under IIS though, I don't allow anonymous access...
 