|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Brothers, Sam (OCTO) (Sam.Brothers_at_dc.gov)
Date: Fri Jan 24 2003 - 09:54:11 CST
My 2 cents,
Because I am always paranoid:
If this machine has been compromised "acting strangely", the possibility
exists that:
1. All of your usernames & passwords have been captured (via Lopht Crack)
and this information is thus suspect.
2. A rouge user has been injected.
Perhaps, exporting the user list, checking it against a known good list of
users, then resetting all passwords may be a better course of action here:
***SNIP*** "You could use ADMT v2 to migrate from the infected domain into a
clean domain, and it does migrate passwords." ***SNIP**
Sam
-----Original Message-----
From: Dan Uscatu [mailto:duscatu
lunatech.ro]
Sent: Thursday, January 23, 2003 3:17 AM
To: focus-mssecurityfocus.com
Subject: w2k server compromised
hey all
i just found one of the w2k servers to be infected and acting very
strangely.
unfortunately it is a domain controller and it has all the
users/computers lists.
how can i export these before reinstall in order to keep the exact same
configuration (everything except passwords of course) ?
i suppose this could be usefull to be done on a regular basis too...
TIA
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]