Thursday, 29 August 2013

Windows Server 2008 compromised, how to restore?

The server seems to have been modified a lot. I cannot start/run/do many tasks like
Task Manager, Server Backup, command-line password change, etc.
User names and full names don't match their descriptions. Now
"Administrator" may not be the administrator.
I cannot enable/disable accounts.
The server is being used as a brute-force attacker: DuBrute was running.
I tried to reboot; a SAM init error occurred and a BSOD appeared. I could recover
the SAM file from an older copy.
Now I cannot do many things. It looks like the server was hacked a
week ago, according to the file creation dates.
I found a few registry files like this one:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin
Can I clear that mess, or do I have to restore from backup?
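The symptoms in the post (renamed accounts, an Administrator that may no longer be the administrator, disabled tools, files dated to the week of the intrusion, a brute-forcer running) can be scoped from the host itself before deciding on a restore. The script below is an added example and is not from the poster or from any answer to this question. It assumes an elevated PowerShell 2.0 session on the affected Windows Server 2008 host (the PowerShell that release ships; Get-LocalUser does not exist there, so WMI and the classic net/schtasks tools are used), and the 7-day window, the search paths and the report path are assumptions chosen for the example. Its output comes from a machine whose tools and logs may have been tampered with, so treat it as scoping for a rebuild or restore, not as proof that anything is clean.

```powershell
# Added triage script, not part of the original post. Assumes an elevated
# PowerShell 2.0 session on the compromised Windows Server 2008 host. The
# 7-day window, search paths and report path are assumptions for this example.
$Since  = (Get-Date).AddDays(-7)
$Report = "C:\triage-$(Get-Date -Format 'yyyyMMdd-HHmm').txt"
$Paths  = 'C:\Windows\Temp', 'C:\Windows\System32', 'C:\ProgramData', 'C:\Users'

function Out-Report { $input | Out-File -FilePath $Report -Append -Width 250 }
function Section($title) { "`n== $title ==" | Out-Report }

"Triage of $env:COMPUTERNAME at $(Get-Date)" | Out-File -FilePath $Report

Section 'Local accounts: name vs. full name/description, with RID'
# The built-in Administrator keeps RID 500 whatever it is renamed to, so the
# real administrator account is the one whose SID ends in -500, not the one
# that happens to be called "Administrator". Accounts the intruder created
# show up with fresh high RIDs (1000 and above) and descriptions that do not
# match the name, which is exactly the mismatch the poster noticed.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'" |
    Select-Object Name, FullName, Description, Disabled, SID,
        @{ Name = 'RID'; Expression = { $_.SID.Split('-')[-1] } } |
    Format-Table -AutoSize | Out-Report

Section 'Members of the local Administrators group'
net localgroup Administrators | Out-Report

Section 'Running processes with command lines (look for DuBrute or unknown binaries)'
# WMI still answers when Task Manager has been disabled by policy or replaced.
Get-WmiObject Win32_Process |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine |
    Format-Table -AutoSize -Wrap | Out-Report

Section 'Auto-start entries: Run keys, services, scheduled tasks'
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path $key) {
        "-- $key" | Out-Report
        Get-ItemProperty $key | Format-List | Out-Report
    }
}
Get-WmiObject Win32_Service |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize -Wrap | Out-Report
schtasks /query /fo LIST /v | Out-Report

Section "Files created since $Since in common drop locations"
# Creation times are what the poster used to date the intrusion; newest first
# makes the files dropped in one session stand out as a cluster.
Get-ChildItem -Path $Paths -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime -gt $Since } |
    Sort-Object CreationTime -Descending |
    Select-Object CreationTime, LastWriteTime, Length, FullName |
    Format-Table -AutoSize | Out-Report

Section "Remote Desktop logons (event 4624, logon type 10) since $Since"
# DuBrute is an RDP brute-forcer, and hosts found running it are commonly
# taken over through RDP themselves, so the successful remote-interactive
# logons in the window show which account and source address were used.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Logon Type:\s+10' } |
    ForEach-Object {
        $src  = if ($_.Message -match 'Source Network Address:\s+(\S+)') { $Matches[1] } else { '?' }
        $acct = if ($_.Message -match 'New Logon:\s+Security ID:\s+\S+\s+Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
        '{0}  {1}  from {2}' -f $_.TimeCreated, $acct, $src
    } | Out-Report

"Report written to $Report"
```

Run it from an elevated prompt and read the report on a separate, trusted machine. The RID column answers the "Administrator may not be the administrator" question directly; the rest tells you what the intruder added and how they got in, which is what decides whether a restore from a backup taken before the creation dates is enough or whether the host needs a rebuild from known-good media. Nothing here removes anything, and on a host whose SAM has already been replaced from an older copy, the only state you can fully trust is what you restore from outside the machine.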
