
Just out of nowhere I can't log in to my Windows Server 2008 machine. All the services like the FTP server or web server (which I'm actually not using, just remote desktop and FTP) are running.

Whatever credentials I try (even/especially administrator), it always says Unknown Username or bad password. I have already tried a hard turn off/on and safe mode without luck. I also already tried typing the login name as SERVER NAME\user or Workgroup\user (every case-sensitive scenario); it still says I have the wrong login. Usually we use remote desktop to access the machine, but local access over KVM doesn't work either.

Now I'm locked out of any control or any way to do something. There's just the logon screen, preceded by the ctrl+alt+del to login alert. Without being able to log in I can't actually try to fix anything. Can't find much more on the Internet except the SERVER NAME\user thing. Reinstall would be the last resort, but I can't leave things this way for much longer anyway. This server is vital.

If it would be any help, I think automatic Windows updates are turned off and there have been no updates or newly installed software for the last couple of years and just a few soft restarts, none of them recently.

It happened during its runtime while all other services were still up and running, so this couldn't be just some nasty Windows screw-up during boot or something. What could have possibly changed? What are my options now?

Saix

1 Answer


STOP!

You could be infected with something unpleasant. My recommendation is to first bring the server down and scan it with an offline antivirus disc. I prefer to use Kaspersky's free rescue disc, which does not, as of this writing, have license restrictions on its use for commercial purposes.

If you're not infected with anything, then check your event logs for password change events and failed logins. You will be most interested in seeking the origins of those changes. However, in order to see the Event Logs, you still need to be able to log in. Let's move on to that problem:

As for your password...

Reset the password for the administrator account using the old Accessibility Tools trick. In summary:

  1. Boot into a live CD of some kind that can see and modify files on an NTFS volume. A Windows installation disk is fine because you can access a command prompt from it.
  2. Go into Windows\System32 and rename osk.exe to osk.exe.old, then rename cmd.exe to osk.exe.
  3. Reboot and on the login screen click the accessibility tools icon in the lower left corner.
  4. Open the on-screen keyboard. You now have a command prompt running as the system user.
  5. Reset the password of any account by using the net user command.

For full instructions, see this article or this video.

P.S. Don't forget to rename those files back to their original names, lest you 1) let this gaping security hole remain on the server, and 2) be confused when the on-screen keyboard pops up when you try to launch a command prompt.

Wesley
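A defender-side companion to the two things this answer raises, added here as an example and not part of the answer, the question, or any tool they mention: it checks whether any accessibility binary in System32 has been swapped for cmd.exe (or left behind as `*.exe.old`, the state the P.S. warns about), looks for the related Image File Execution Options "Debugger" hijack of the same binaries, and then pulls the password-reset, account-creation, lockout and failed-logon events the answer says to look for out of the Security log. Assumptions of mine: it runs in an elevated PowerShell 4.0 or later session on the server itself (for `Get-FileHash`), Security auditing is enabled, and the 72-hour lookback and the list of binaries are choices made here, not taken from the page.

```powershell
# Added example, not from the original answer. Defender-side checks for a swapped accessibility
# binary and for recent account/password events in the Security log.
# Assumptions (mine): elevated PowerShell 4.0+ on the server, auditing enabled, chosen lookback.
param([int]$LookbackHours = 72)

$System32      = Join-Path $env:SystemRoot 'System32'
$Accessibility = 'osk.exe','sethc.exe','utilman.exe','Magnify.exe','Narrator.exe','DisplaySwitch.exe','AtBroker.exe'
$cmdHash       = (Get-FileHash -Algorithm SHA256 (Join-Path $System32 'cmd.exe')).Hash

Write-Host "== Accessibility binaries in $System32 =="
foreach ($name in $Accessibility) {
    $path = Join-Path $System32 $name
    if (-not (Test-Path $path)) { continue }
    $findings = @()

    # A renamed cmd.exe is byte-identical to the real one, so the hash gives it away
    if ((Get-FileHash -Algorithm SHA256 $path).Hash -eq $cmdHash) { $findings += 'byte-identical to cmd.exe' }

    # OriginalFilename is stamped into the PE version resource at build time and survives a rename
    $orig = (Get-Item $path).VersionInfo.OriginalFilename
    if ($orig -and ($orig -ne $name)) { $findings += "version resource says OriginalFilename='$orig'" }

    # Leftover from the rename trick in step 2 (the real binary parked as osk.exe.old)
    if (Test-Path "$path.old") { $findings += "$name.old is present" }

    # IFEO: a Debugger value makes Windows launch another program in place of this one
    $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$name"
    $dbg  = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger='$dbg'" }

    if ($findings.Count) { Write-Host "  [!] $name : $($findings -join '; ')" -ForegroundColor Red }
    else                 { Write-Host "  [ok] $name" }
}

# Event IDs used by Windows Server 2008 and later for the events the answer says to review
$Interesting = @{
    4625 = 'Failed logon'
    4720 = 'User account created'
    4723 = 'Password change attempted'
    4724 = 'Password reset attempted'
    4738 = 'User account changed'
    4740 = 'Account locked out'
}
$since  = (Get-Date).AddHours(-$LookbackHours)
$filter = @{ LogName = 'Security'; Id = [int[]]$Interesting.Keys; StartTime = $since }

Write-Host "`n== Security events since $since =="
try   { $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop }
catch { $events = @() }   # Get-WinEvent errors when nothing matches; treat that as an empty set

$events | Sort-Object TimeCreated | ForEach-Object {
    # Pull the named EventData fields (TargetUserName, SubjectUserName, IpAddress, ...) from the event XML
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Id          = $_.Id
        What        = $Interesting[[int]$_.Id]
        Target      = $data['TargetUserName']    # the account acted on or logged into
        By          = $data['SubjectUserName']   # who performed the action (4625: the caller, often '-')
        IpAddress   = $data['IpAddress']         # populated for network/RDP logon failures
        Workstation = $data['WorkstationName']
    }
} | Format-Table -AutoSize
```

Run it once before touching anything else, and again after the recovery so a leftover `osk.exe.old` or a binary whose `OriginalFilename` still reads `Cmd.Exe` does not get forgotten. Reading the events from a copy of the exported `.evtx` on a clean workstation (via `Get-WinEvent -Path`) is preferable if the server is suspected to be compromised, since the script trusts the local event log.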
  • I can't get physical access to the machine for several hours; until then I guess there's not much else to do?! Are you sure about the infection? Your solution assumes passwords were seriously changed by something unpleasant. Wouldn't this be "just" a login service error of some kind? Do you believe that the wrong password alert really means a wrong password, or is it just a generic error since the whole logon service got screwed up? – Saix Apr 02 '12 at 23:58
  • I'm not *sure* about the infection, but that's a very real possibility so I personally always assume the worst in those kinds of situations. Better to mitigate those possibilities sooner rather than later. It could very well be a service locking out the account. We've all been there. =) Regardless of the cause of the account being locked out, the solution presented is pretty much the only way to reset a Windows password without third-party tools. So nice of Microsoft to make a built-in backdoor for us! – Wesley Apr 03 '12 at 00:05
  • As for the error message, it isn't likely that it's indicative of the entire logon service being mucked with. It's likely that it's merely the account having been locked out and needing a password reset à la `net user`. Remember: if a password reset fails, just add a totally new user as an administrator and then, when you gain access and unlock the appropriate accounts, delete the temporary admin account that you created. – Wesley Apr 03 '12 at 00:06
  • I'm going to accept your answer although I used this utility instead [link](http://pogostick.net/~pnh/ntpasswd/). There was a security breach =( – Saix Apr 03 '12 at 21:32
  • @Saix there are several dissertation-length question/answer combos on this site about what to do now that you know your system was compromised - [this one](http://serverfault.com/questions/218005/my-servers-been-hacked-emergency) is considered canonical. Proceed as you see fit, based on how important future security of this machine is to you :-) – voretaq7 Apr 03 '12 at 22:39
  • Great help, but you should RENAME cmd.exe to osk.exe! (not the other way around, like suggested in step 2) ...and of course back up osk.exe to osk.exe.old –  Apr 22 '13 at 08:11
  • @itayhau That doesn't make sense. Step 2 is correct as written. – Dan Apr 22 '13 at 10:33
  • @Dan It was only correct after MarkHenderson corrected it. Can't believe I got it backwards. – Wesley Apr 22 '13 at 18:07