I need urgent help! My Windows 2003 server has been hacked. When I was defragmenting my disks, some files could not be defragmented. I discovered that the reason is that these files were created in a user profile called "superwayne$" at this location: C:\Documents and Settings\superwayne$. If I open this address in Explorer, I see folders like "Desktop", "Favorites", "Local Settings", "superwaynes$'s Documents" and so on. There is a lot of hacked software, movies and other stuff in these folders. If I open Active Directory Users and Computers, the user "superwaynes$" is not there. In Server Management/Users I can't find it either. It seems like the user "superwaynes$" was created outside my domain or something. How can I find and delete this user profile (not only the files in C:\Documents and Settings\superwayne$)? How could this happen, and what can I do to prevent this in the future? My server has only licensed software (no hacks), and only I have access to it.
Maybe there is no user, and Superwayne just used the Documents and Settings folder to create a share. Look at the owner of the files to see who created them; you'll get an idea of which accounts were compromised. At this stage you can start monitoring Superwayne's activity and perhaps even catch the guy (or gal), which is a useful experience but not very rewarding in most cases. Another alternative is cleaning out your system; most likely it is infected with a trojan as well.
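The three checks suggested in that reply (is the folder shared, does a real profile exist for the name, and who owns the files) can be done in one pass. The script below is an added example and is not from the original thread; it assumes PowerShell 2.0 is installed on the affected server and that it is run as an administrator. The profile path is the one from the question; everything else is illustrative.

```powershell
# Added example, not code from the thread. Assumes PowerShell 2.0 on the
# affected Windows Server 2003 box, run from an administrative session.
$profilePath = 'C:\Documents and Settings\superwayne$'

# 1. Is the folder (or something under it) exported as a share?
#    A trailing $ hides a share from browsing, a common trick for a warez drop,
#    so list every share and match on the path rather than the name.
Write-Host "== Shares that point into $profilePath =="
Get-WmiObject Win32_Share |
    Where-Object { $_.Path -and $_.Path -like "$profilePath*" } |
    Format-Table Name, Path, Description -AutoSize

# 2. Was the folder created by a logon, or just by hand?
#    Windows records every real profile under ProfileList, keyed by SID.
#    A directory with no ProfileList entry was never a logon profile.
Write-Host "== Profiles Windows actually knows about =="
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $profileList | ForEach-Object {
    $entry = Get-ItemProperty $_.PSPath
    New-Object PSObject -Property @{
        SID  = $_.PSChildName
        Path = $entry.ProfileImagePath
    }
} | Format-Table SID, Path -AutoSize

# 3. Which accounts wrote the content, and when?
#    Group the files by NTFS owner so each compromised account shows up once,
#    and keep the newest write time per owner as a rough timeline.
Write-Host "== File owners under $profilePath =="
Get-ChildItem $profilePath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Owner   = (Get-Acl $_.FullName).Owner
            Written = $_.LastWriteTime
        }
    } |
    Group-Object Owner |
    ForEach-Object {
        New-Object PSObject -Property @{
            Owner     = $_.Name
            Files     = $_.Count
            LastWrite = ($_.Group | Sort-Object Written -Descending)[0].Written
        }
    } | Format-Table Owner, Files, LastWrite -AutoSize
```

Run it before deleting anything: once the folder is gone, the owner and timestamp information in step 3 is lost, and it is the only evidence on the page of which account the intruder actually used.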
If I open "C:\Documents and Settings\superwayne$" and look at the owner of the files, it is "Administrator". Does this mean that the "hacker" has used my Administrator account? Is it smart to disable this account and make a new administrator account (for example called "Admin" with a new password)? Is it OK to delete (from Command / cmd.exe) the folder "C:\Documents and Settings\superwayne$" with all its content?
It is okay to delete the rubbish. Create a new administrative account, change the password for the existing one, and alert on every logon attempt using that account. The danger is that if you have a trojan that runs as SYSTEM, the intruder will be aware of your actions and control the new account as well.
Thank you! One more question: What is the best way to remove trojans? Any recommended software for this?
Unfortunately, keeping the trojan horses outside the walls is your best defence, but it is a bit too late for that now. Further to Svyatoslav's suggestion, I would recommend creating a set of domain accounts and adding them to the "Administrators" group on the server. The actual Administrator account should be: a) renamed; b) have its password set; c) never be used except in the direst circumstances. All server administration should be done using the accounts I suggested; that way no one individual need know the password to the Administrator account. This provides much more accountability and manageability in the event of a rogue administrator. All you need do to cut off the person's access is to disable or delete his personal administrator account, and not set the Administrator password, which, in some cases, you would need to convey to the other users of that account. /Al
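The two replies above between them describe one procedure: rename the built-in Administrator and give it a fresh password that nobody uses day to day, give each person their own account in the Administrators group, and alert on any logon attempt against the built-in account. The script below is an added example, not code from either poster. It assumes PowerShell 2.0 on the server, an administrative session, and that "Audit logon events" and "Audit account logon events" are already enabled for success and failure in the security policy (otherwise the Security log has nothing to search). All account names and the mail relay are placeholders; on a domain controller the WinNT:// container refers to the domain rather than the local SAM, which is what you want there.

```powershell
# Added example, not code from the thread. Assumes PowerShell 2.0, an admin
# session, and logon auditing already enabled. Names below are placeholders.
$computer        = $env:COMPUTERNAME
$newBuiltinName  = 'srv-breakglass'             # placeholder: new name for the built-in Administrator
$personalAdmins  = @('al.admin', 'ops.admin')   # placeholders: one account per real person
$alertRelay      = 'smtp.example.com'           # placeholder: mail relay for alerts
$alertTo         = 'security@example.com'       # placeholder: who gets the alert

Add-Type -AssemblyName System.Web   # for GeneratePassword
$container = [ADSI]"WinNT://$computer"

# --- 1. Find the built-in Administrator by its RID (500), whatever it is called today.
$builtin = Get-WmiObject Win32_UserAccount |
           Where-Object { $_.SID -like '*-500' -and $_.Domain -eq $computer } |
           Select-Object -First 1
if (-not $builtin) { throw "Built-in Administrator (RID 500) not found on $computer" }
$builtinAdsi = [ADSI]"WinNT://$computer/$($builtin.Name),user"

# --- 2. Set a long random password and rename the account. The password is
#        printed once so it can go in a sealed envelope; it is not meant to be typed.
$breakGlassPassword = [System.Web.Security.Membership]::GeneratePassword(28, 6)
$builtinAdsi.SetPassword($breakGlassPassword)
$builtinAdsi.SetInfo()
$container.MoveHere($builtinAdsi.Path, $newBuiltinName)   # ADSI rename
Write-Host "Built-in Administrator renamed to $newBuiltinName"
Write-Host "Break-glass password (store offline, do not reuse): $breakGlassPassword"

# --- 3. One personal administrative account per person, each in Administrators.
#        Revoking one person is then a matter of disabling one account.
$adminsGroup = [ADSI]"WinNT://$computer/Administrators,group"
foreach ($name in $personalAdmins) {
    $user = $container.Create('user', $name)
    $user.SetPassword([System.Web.Security.Membership]::GeneratePassword(20, 4))
    $user.SetInfo()
    $user.Put('Description', 'Personal admin account; disable to revoke access')
    $user.SetInfo()
    $adminsGroup.Add($user.Path)
    Write-Host "Created $name and added it to Administrators (user must change password at first logon)"
}

# --- 4. Alert on any logon attempt that names the break-glass account.
#        Windows 2003 IDs: 528 logon success, 529 bad password, 540 network logon,
#        552 logon with explicit credentials. Any of them for this account is abnormal.
function Get-BreakGlassLogons {
    param([string]$Account, [datetime]$Since)
    Get-EventLog -LogName Security -After $Since -InstanceId 528, 529, 540, 552 |
        Where-Object { $_.Message -match "User Name:\s+$([regex]::Escape($Account))\b" }
}

$hits = Get-BreakGlassLogons -Account $newBuiltinName -Since (Get-Date).AddMinutes(-5)
if ($hits) {
    $body = $hits | Format-List TimeGenerated, EventID, Message | Out-String
    Send-MailMessage -SmtpServer $alertRelay -From "audit@$computer" -To $alertTo `
        -Subject "Logon attempt against $newBuiltinName on $computer" -Body $body
}
```

Step 4 only looks back five minutes, so it is meant to be run on a schedule (for example `schtasks /create /sc minute /mo 5 ...` pointing at a copy of just that function) rather than once. As the earlier reply warns, none of this helps if a trojan is already running as SYSTEM on the box: it can read the new passwords as you set them, so the account changes are worth doing only after, or alongside, rebuilding the server.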