Server has been hacked, need to delete hidden user account

Discussion in 'Server Security' started by Øyvind Isaksen, May 25, 2007.

  1. I need urgent help! My Windows 2003 server has been hacked. When I was
    defragmenting my disks some files could not be defragmented. I
    discovered that the reason is that these files were created in a
    user profile called "superwayne$" at this location: C:\Documents and
    Settings\superwayne$. If I open this address in Explorer, I see folders like
    "Desktop", "Favorites", "Local Settings", "superwaynes$'s Documents" and so
    on. There is a lot of hacked software, movies and other stuff in these
    folders.
    If I open Active Directory Users and Computers, the user "superwaynes$" is
    not there. In Server Management/Users I can't find this either. It seems
    like the user "superwaynes$" has been created outside my domain or
    something. How can I find and delete this user profile (not only the files
    in C:\Documents and Settings\superwayne$)? How could this happen, and what can I
    do to prevent this in future? My server has only licensed software (no hacks),
    and only I have access to it?
     
    Øyvind Isaksen, May 25, 2007
    #1

  2. S. Pidgorny Guest

    Maybe there is no user and Superwayne just used Documents and Settings
    folder to create a share. Look at the owner of the files to see who has
    created those - you'll get idea what accounts were compromised.

    At this stage you can start monitoring Superwayne's activity and perhaps
    even catch the guy (or gal) - useful experience but not very rewarding in
    most cases. Another alternative is cleaning out your system - most likely it
    is infected with a trojan as well.
     
    S. Pidgorny, May 25, 2007
    #2
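The two checks S. Pidgorny suggests (is there really an account behind that profile, and who owns the files) can be scripted. The following is an added example and not code from the thread; it assumes PowerShell 2.0 on the server and the standard ProfileList registry layout (one subkey per profile SID holding a ProfileImagePath value). The folder name is the one from the original post.

```powershell
# Added example, not from the thread: inventory the profiles Windows knows
# about, find profile folders with no registry entry, and count file owners
# in a suspicious profile folder. Assumes PowerShell 2.0 and the standard
# HKLM ProfileList layout; run as a local administrator.
param(
    [string]$SuspectFolder = 'C:\Documents and Settings\superwayne$'  # folder named in the thread
)

$profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Read every registered profile; ProfileImagePath often contains %SystemDrive%
# on Windows 2003, so expand it before comparing against real folders.
$profiles = Get-ChildItem $profileKey | ForEach-Object {
    $sid  = $_.PSChildName
    $raw  = [string](Get-ItemProperty $_.PSPath).ProfileImagePath
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    # A SID that no longer resolves belongs to a deleted or foreign account.
    $name = '<unresolved SID>'
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch { }
    New-Object PSObject -Property @{ SID = $sid; Account = $name; Path = $path }
}

"Profiles registered in ProfileList:"
$profiles | Format-Table Account, Path, SID -AutoSize

# Folders under Documents and Settings that no ProfileList entry points at:
# either created by hand or left behind after the registry entry was removed.
$registered = $profiles | ForEach-Object { $_.Path.ToLower() }
"Profile folders with no ProfileList entry:"
Get-ChildItem 'C:\Documents and Settings' -Force | Where-Object {
    $_.PSIsContainer -and ($registered -notcontains $_.FullName.ToLower())
} | Select-Object FullName

# Owners of the files in the suspect folder, counted per owner, to show which
# account actually wrote them (the original poster found "Administrator").
"File owners under $SuspectFolder :"
Get-ChildItem $SuspectFolder -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { (Get-Acl $_.FullName).Owner } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

A folder that appears in the second list but not the first is exactly the "profile without a user" situation described above: the files exist, but nothing in the registry or the account database refers to them, so deleting the folder removes the profile as far as Windows is concerned. The owner count is the evidence of which account was used to write the files, which is what the next step of the investigation turns on.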

  3. If I open "C:\Documents and Settings\superwayne$" and look at the owner of
    the files it is "Administrator". Does this mean that the "hacker" has used
    my administrator account? Is it smart to disable this account and make a
    new administrator account (example called "Admin" with a new password)? Is
    it ok to delete (from Command / cmd.exe) the folder "C:\Documents and
    Settings\superwayne$" with all content?
     
    Øyvind Isaksen, May 25, 2007
    #3
  4. S. Pidgorny Guest

    It is okay to delete the rubbish.
    Create a new administrative account; change the password for the existing one, and alert
    on every logon attempt using that account.
    The danger is - if you have a trojan that runs as system, the intruder will
    be aware of your actions, and control the new account as well.
     
    S. Pidgorny, May 25, 2007
    #4
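The "alert on every logon attempt using that account" advice can be turned into a scheduled check of the Security log. This is an added example, not code from the thread; it assumes the Windows Server 2003 event IDs (528 and 540 for successful interactive and network logons, 529 for a failed logon), the classic message layout of those events, and PowerShell 2.0 on the server. The account name, look-back window and mail settings are placeholders to adjust.

```powershell
# Added example, not from the thread: find logon events for a named account
# in the Security log and mail a summary if any are found. Assumes Windows
# Server 2003 event IDs 528/540 (success) and 529 (failure) and their classic
# "User Name:" / "Logon Type:" message text; PowerShell 2.0 or later.
param(
    [string]$Account       = 'Administrator',            # account to watch
    [int]$LookBackHours    = 24,
    [string]$AlertTo       = 'admin@example.invalid',    # placeholder address
    [string]$AlertFrom     = 'alerts@example.invalid',   # placeholder address
    [string]$SmtpHost      = 'smtp.example.invalid'      # placeholder relay
)

$since   = (Get-Date).AddHours(-$LookBackHours)
$eventIds = 528, 540, 529
# Match the account on its own "User Name:" line so that "Administrator" does
# not also match "Administrator2" or a domain name that contains the string.
$userLine = "(?m)^\s*User Name:\s+$([regex]::Escape($Account))\s*$"

$hits = Get-EventLog -LogName Security -After $since -ErrorAction SilentlyContinue |
    Where-Object { ($eventIds -contains $_.EventID) -and ($_.Message -match $userLine) } |
    Select-Object TimeGenerated, EventID, EntryType, MachineName,
        @{ n = 'LogonType'; e = { if ($_.Message -match 'Logon Type:\s+(\d+)') { $matches[1] } } },
        @{ n = 'Source';    e = { if ($_.Message -match 'Source Network Address:\s+(\S+)') { $matches[1] } } }

if ($hits) {
    $body = $hits | Format-Table -AutoSize | Out-String
    # Send-MailMessage is available from PowerShell 2.0 onward.
    Send-MailMessage -To $AlertTo -From $AlertFrom -SmtpServer $SmtpHost `
        -Subject "Logon activity for '$Account' on $env:COMPUTERNAME" -Body $body
}

# Also emit the hits so the script is useful when run by hand.
$hits
```

Run it from a scheduled task every hour or so with a matching look-back window. Because the old account is no longer supposed to be used for day-to-day work, any hit is worth reading; a logon type of 3 (network) or 10 (remote interactive) from an unexpected source address is the pattern to look for. The caveat in the post still applies: if the intruder already runs as SYSTEM, the log and the mail can both be tampered with, so this is a detective control, not a guarantee.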
  5. Thank you! One more question: What is the best way to remove trojans? Any
    recommended software for this?
     
    Øyvind Isaksen, May 25, 2007
    #5
  6. Al Dunbar Guest

    Unfortunately, keeping the trojan horses outside of the walls is your best
    defence; unfortunately it is a bit too late for this now.

    But, further to Svyatoslav's suggestion, I would recommend creating a set of
    domain accounts and adding them to the "administrators" group on the server.
    The actual administrator account should be:

    a) renamed;
    b) have its password set;
    c) never be used except in the direst circumstances.

    All server admin should be done using the accounts I suggested - that way no
    one individual need know the password to the administrator account. This
    provides for much more accountability and manageability in the event of a
    rogue administrator. All you need to do to cut off the person's access is to
    disable or delete his personal administrator account, and not reset the
    administrator password, which, in some cases, you would need to convey to the
    other users of that account.

    /Al
     
    Al Dunbar, May 26, 2007
    #6
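Al's model (per-person admin accounts, built-in Administrator renamed and parked) is easy to drift away from, so a check that reports the current state is useful. The following is an added example and not code from the thread; it assumes PowerShell 2.0 with WMI access on the server. The built-in administrator is located by its RID (the SID ending in -500), which survives renaming. The names in the expected list are placeholders.

```powershell
# Added example, not from the thread: report the RID-500 administrator
# account(s) visible to this server and compare the local Administrators
# group against an expected list of per-person admin accounts.
# Assumes PowerShell 2.0 and WMI; the expected names are placeholders.
param(
    [string[]]$Expected = @('CONTOSO\oyvind.admin', 'CONTOSO\backup.admin')  # placeholders
)

# The built-in Administrator keeps RID 500 whatever it has been renamed to.
# WQL LIKE with % is supported by WMI. On a domain controller this enumerates
# domain accounts, so it may take a while there.
$rid500 = @(Get-WmiObject Win32_UserAccount -Filter "SID LIKE '%-500'")
$rid500Names = @()
foreach ($a in $rid500) {
    $full = "$($a.Domain)\$($a.Name)"
    $rid500Names += $full
    "RID-500 account: {0,-35} renamed: {1,-5} disabled: {2}" -f $full,
        ($a.Name -ne 'Administrator'), $a.Disabled
}

# Members of the local Administrators group via the group/user association
# class; PartComponent looks like ...Win32_UserAccount.Domain="X",Name="Y".
$members = Get-WmiObject Win32_GroupUser |
    Where-Object { $_.GroupComponent -match 'Name="Administrators"' } |
    ForEach-Object {
        if ($_.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') {
            "$($matches[1])\$($matches[2])"
        }
    }

"Administrators group members:"
foreach ($m in $members) {
    $flag = if ($Expected -contains $m)         { 'expected' }
            elseif ($rid500Names -contains $m)  { 'built-in (should stay unused)' }
            else                                { 'UNEXPECTED - review' }
    "  {0,-40} {1}" -f $m, $flag
}
```

Any member flagged as unexpected is either an account someone added outside the agreed process or a leftover from an incident, which is the case the thread started with. Running the same check on each server and diffing the output over time catches new admin-group members early, whether added by a colleague or by an intruder.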