Server 2003 and mystery users exploit - TechRepublic
September 18, 2007 at 05:59 PM
bullet-worm

by bullet-worm . Updated 18 years, 8 months ago

I am running Server 2003 at a datacenter. I use Remote Desktop to access the machine.

Last week I noticed there were a few ‘new’ users in the Computer Management screen. I deleted the uninvited users (both of which had admin rights). Then yesterday I noticed one of the accounts had been re-created, with the name “admin”.

I don’t think the exploiter is actually getting into the system, as absolutely NOTHING seems to have been added during the time period. I have verified that all running processes are legit and doing exactly what I expect them to do.

The question is this: How is someone remotely adding a user to this machine?

The machine is fully patched with all Windows updates, and most of the services have been turned off (there are only about 10 left running, in fact).

Is anyone familiar with this line of attack, or what needs to be done to thwart it?

Danny
