Pantek Library

RE: w2k server compromised

From: Brothers, Sam (OCTO) <Sam.Brothers(at)dc.gov>
Date: Fri Jan 24 2003 - 10:54:11 EST


My 2 cents,

Because I am always paranoid:

If this machine has been compromised "acting strangely", the possibility exists that:

  1. All of your usernames & passwords have been captured (via L0phtCrack) and this information is thus suspect.
  2. A rogue user has been injected.

Perhaps exporting the user list, checking it against a known good list of users, then resetting all passwords may be a better course of action here: ***SNIP*** "You could use ADMT v2 to migrate from the infected domain into a clean domain, and it does migrate passwords." ***SNIP***

Sam

-----Original Message-----
From: Dan Uscatu [mailto:duscatu@lunatech.ro]
Sent: Thursday, January 23, 2003 3:17 AM
To: focus-ms@securityfocus.com
Subject: w2k server compromised

hey all

I just found one of the W2K servers to be infected and acting very strangely.
Unfortunately it is a domain controller and it has all the users/computers lists.


How can I export these before reinstalling in order to keep the exact same configuration (everything except passwords, of course)? I suppose this could be useful to do on a regular basis too...

TIA

Received on Fri Jan 24 16:24:02 2003
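Sam's suggestion above (export the user list, check it against a known-good list, then reset every password) and Dan's question about exporting the account list on a regular basis both come down to one baseline-and-compare step. The following is an added example, not code posted by either of them: it assumes both exports were produced with csvde, the Windows 2000 bulk export tool (for instance `csvde -f users.csv -r "(objectCategory=person)" -l "sAMAccountName,memberOf,userAccountControl"`), and the two exports embedded in it are constructed sample data with three intruder changes planted (a new account placed in Domain Admins, an existing user promoted into Domain Admins, and a disabled account re-enabled) so the comparison has something to find.

```python
"""
Baseline-and-compare check for a Windows 2000 domain's user accounts.

Both inputs are in the layout csvde writes: one header row naming the
attributes, DN first, and multi-valued attributes (memberOf) joined with ';'
inside a single cell.  The export from the suspect DC would be taken with, e.g.:

    csvde -f users.csv -r "(objectCategory=person)" -l "sAMAccountName,memberOf,userAccountControl"

Example code added to this archive page; both sample exports are constructed.
"""
import csv
import io

ACCOUNTDISABLE = 0x2  # userAccountControl bit: the account is disabled
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed known-good export, taken before the incident.
KNOWN_GOOD_EXPORT = """\
DN,sAMAccountName,memberOf,userAccountControl
"CN=Administrator,CN=Users,DC=example,DC=local",Administrator,"CN=Domain Admins,CN=Users,DC=example,DC=local;CN=Administrators,CN=Builtin,DC=example,DC=local",512
"CN=John Doe,CN=Users,DC=example,DC=local",jdoe,"CN=Domain Admins,CN=Users,DC=example,DC=local",512
"CN=Alice Smith,CN=Users,DC=example,DC=local",asmith,,512
"CN=Bob Jones,CN=Users,DC=example,DC=local",bjones,,514
"CN=Guest,CN=Users,DC=example,DC=local",Guest,"CN=Guests,CN=Builtin,DC=example,DC=local",66082
"""

# Constructed export from the suspect DC.  Three changes are planted:
# asmith was added to Domain Admins, bjones (disabled, UAC 514) was
# re-enabled (UAC 512), and a new account svc_backup appeared in Domain Admins.
SUSPECT_EXPORT = """\
DN,sAMAccountName,memberOf,userAccountControl
"CN=Administrator,CN=Users,DC=example,DC=local",Administrator,"CN=Domain Admins,CN=Users,DC=example,DC=local;CN=Administrators,CN=Builtin,DC=example,DC=local",512
"CN=John Doe,CN=Users,DC=example,DC=local",jdoe,"CN=Domain Admins,CN=Users,DC=example,DC=local",512
"CN=Alice Smith,CN=Users,DC=example,DC=local",asmith,"CN=Domain Admins,CN=Users,DC=example,DC=local",512
"CN=Bob Jones,CN=Users,DC=example,DC=local",bjones,,512
"CN=Guest,CN=Users,DC=example,DC=local",Guest,"CN=Guests,CN=Builtin,DC=example,DC=local",66082
"CN=svc_backup,CN=Users,DC=example,DC=local",svc_backup,"CN=Domain Admins,CN=Users,DC=example,DC=local",512
"""


def parse_export(text):
    """Parse a csvde export into {sAMAccountName: {"groups": set, "uac": int}}."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        groups = set()
        for group_dn in filter(None, (row.get("memberOf") or "").split(";")):
            # The group's name is the value of its first RDN: "CN=Domain Admins,..."
            first_rdn = group_dn.split(",", 1)[0]
            groups.add(first_rdn.split("=", 1)[1])
        accounts[row["sAMAccountName"]] = {
            "groups": groups,
            "uac": int(row.get("userAccountControl") or 0),
        }
    return accounts


def audit(baseline, suspect):
    """Compare two parsed exports and return what an incident responder wants to see."""
    report = {
        # accounts that exist only on the suspect DC, with their group memberships
        "unexpected": [(n, sorted(suspect[n]["groups"])) for n in sorted(set(suspect) - set(baseline))],
        # accounts that vanished (deleted, or renamed to hide)
        "missing": sorted(set(baseline) - set(suspect)),
        "escalated": [],   # existing accounts that gained a privileged group
        "reenabled": [],   # accounts disabled in the baseline that are enabled now
    }
    for name in sorted(set(baseline) & set(suspect)):
        before, after = baseline[name], suspect[name]
        gained = (after["groups"] - before["groups"]) & PRIVILEGED_GROUPS
        if gained:
            report["escalated"].append((name, sorted(gained)))
        was_disabled = before["uac"] & ACCOUNTDISABLE
        if was_disabled and not after["uac"] & ACCOUNTDISABLE:
            report["reenabled"].append(name)
    return report


if __name__ == "__main__":
    findings = audit(parse_export(KNOWN_GOOD_EXPORT), parse_export(SUSPECT_EXPORT))
    for category, items in findings.items():
        print(f"{category}: {items}")
```

Two caveats a practitioner would want alongside this. First, the comparison is only as good as the baseline, which must predate the compromise; that is exactly why the regular export Dan asks about is worth doing, and why an export pulled from a DC you no longer trust should be compared against an earlier copy rather than inspected on its own. Second, memberOf shows only direct membership, not nesting or the primaryGroupID group, so dump the privileged groups' member attributes as well. A clean account list also says nothing about whether the existing credentials were captured, so it does not replace the password reset Sam recommends.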

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:26 EDT

