Change NT Authority/System password?

[deisehun]

I have a Windows 2003 Terminal Server and a hacker logged in by what appears to be the NT Authority/System account.

Does anyone know how I can change this?

I cant find it in the Active Directory.

Thanks..

 

[WhoKilledKenny]

I would go through this article and make sure you are putting best practices to use for terminal services.

http://www.windowsecurity.com/articles/Windows_Terminal_Services.html

 

[deisehun]

Thanks for that - I have all the best practice suggestions enabled already.

Do you know where I can find the NT Authority/System user?

 

[WhoKilledKenny]

NT Authority/System is a built in account that you are unable to administer. As far as I know you can not change the password and from what I have read on the web, you would not want to. If you believe the account was exploited, would you please post the error or any information on why you believe it to be the problem. I have seen postings regarding worm exploits causing system crashes.
You believe TS was hacked using that account, what info made you come to that conclusion?

Thanks...

 

[deisehun]

Heres the entry in the event log that would correspond to the hacking:

Success Audit,05/06/2007,10:28:38,Security,Logon/Logoff ,538,ANONYMOUS LOGON,Servername
Success Audit,05/06/2007,10:28:29,Security,Logon/Logoff ,540,ANONYMOUS LOGON,Servername
Success Audit,05/06/2007,10:27:51,Security,Logon/Logoff ,540,IUSR_Servername,Servername
Success Audit,05/06/2007,10:27:51,Security,Logon/Logoff ,552,NETWORK SERVICE,Servername


Cheers..

 

[porkchopexpress]

They look like IIS usernames to me, they are managed and changed by windows.

You can find out what the password.

Option Explicit 
Dim objIIS, strMessage 
Set objIIS = GetObject ("IIS://localhost/w3svc")
strMessage = "The metabase reports the anonymous credentials as:" _
& vbcrlf & " AnonymousUserName = " & objIIS.Get("AnonymousUserName") _
& vbcrlf & " AnonymousUserPass = " & objIIS.Get("AnonymousUserPass") _
& vbcrlf & " WAMUserName = " & objIIS.Get("WAMUserName") _
& vbcrlf & " WAMUserPass = " & objIIS.Get("WAMUserPass")
Set objIIS = Nothing 
WScript.Echo strMessage 
' END OF SCRIPT

 

[porkchopexpress]

Hmmm posted a bit quick i was saying put that in a vb file and it will extract the passwords, i'm pretty sure it's not recommended that you change it though but it is possible.

http://www.howtonetworking.com/Internet/resetpassword.htm

 

[WhoKilledKenny]

Those look like normal audits to me, as far as a web server. More info please...
Are these logs from a web server?
Are they from a DC?
Is your web server a DC (domain controller)?
Internal or External Web server or both?
Other than the logs, what would give you the impression that the server has been hacked? Has the web page been owned? User accounts created/Passwords changed? System Crashing?

 

[deisehun]

Thanks for the replies:

These are from a Terminal Server
It is not a DC
DC is not a Web Server

I think it was hacked as someone logged into the UPS Web interface (private address within the LAN) and in the UPS logs, someone from the TS in question shut down some of the servers.

I also have the following entry on the DC:

The process shutdown.exe has initiated the shutdown of computer DCNAME on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0xffffffff
Shutdown Type: shutdown
Comment:

------

Under IIS though, I dont allow anonymous access...