
Possible Duplicate:
My server's been hacked EMERGENCY

Windows 2000 Server.

I believe I have a rootkit. But nothing will remove it. I've tried everything. Even tools that are merely for scanning fail or BSOD the computer.

Since nothing works, I wanted to try and do it manually.

edit: This is a Windows 2000 Server Forest Root. I cannot rebuild it without blowing up the domain.

johnny

  • (+1) Can you really be certain about the integrity of your server after such a compromise? It may be wiser to rebuild. – brent May 14 '12 at 14:48
  • (+3) You reinstall from scratch or from a known clean image. – Shadok May 14 '12 at 14:49
  • I can't rebuild. It's my forest root server. Reinstall is not an option. I have tried every rootkit tool and/or scanner out there. Things that do show processes, etc. do not yield anything useful. I've done all the things you can imagine. – johnny May 14 '12 at 14:50
  • (+7) You will never be able to trust this system again - reinstall and recover from known good backups is the only real solution. – user9517 May 14 '12 at 14:59
  • (+1) @johnny Not only *can* you rebuild a Forest Root Server, you should have a contingency plan (DRP, BCP) sitting around with directions of how to do so. – Chris S May 14 '12 at 15:04
  • (+2) If you "can't rebuild" then what would you do if your server died? You have a contingency for that, right? You know you can create a new DC in that domain and transfer all the roles as part of removing the suspect one, right? – Rob Moir May 14 '12 at 15:36

1 Answer

I'd strongly advise you to rebuild your server.

  • If the server has been root-compromised, how can you assure the integrity of all of its parts even if you THINK you've removed the compromised part?
  • It's easier and saves the time and hassle - rebuild and restore from backups.
milosgajdos

  • I cannot rebuild. It is a forest root. – johnny May 14 '12 at 14:53
  • (+5) @johnny set up a new server, dcpromo it and transfer the FSMOs. Also, make sure to use a *supported* version of Windows Server - Windows 2000 had its end of support 2 years ago. – the-wabbit May 14 '12 at 15:01
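The procedure the comments describe (promote a fresh DC, move the five FSMO roles onto it, then retire the suspect DC) as an added example; this is editor-supplied code, not from the thread or any of its participants. It assumes a supported Windows Server with the ActiveDirectory PowerShell module (the thread's Windows 2000 box would use ntdsutil instead), an Enterprise Admin session, and the placeholder names OLDDC and NEWDC, which are not from the question.

```powershell
# Added example (not from the thread): move the five FSMO roles off a suspected-
# compromised domain controller onto a freshly built, supported one, then verify.
# Assumptions: ActiveDirectory module available (Windows Server 2008 R2+ with RSAT),
# run as Enterprise Admin. OLDDC / NEWDC are placeholders, not from the original post.
Import-Module ActiveDirectory

$OldDc = 'OLDDC'   # placeholder: the suspect forest root DC
$NewDc = 'NEWDC'   # placeholder: the new DC already promoted (dcpromo / Install-ADDSDomainController)

function Get-FsmoHolders {
    # Forest-wide roles hang off the forest object, domain-wide roles off the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host "FSMO holders before transfer:"
Get-FsmoHolders | Format-List

# A graceful transfer needs the old DC reachable: the roles are handed over through
# AD rather than forcibly seized. Only fall back to -Force (seizure) if the old DC is
# already off the network and will never come back.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

$after = Get-FsmoHolders
Write-Host "FSMO holders after transfer:"
$after | Format-List

# Sanity check before the suspect DC is demoted: no role may still point at it.
$leftover = $after.PSObject.Properties | Where-Object { $_.Value -like "$OldDc*" }
if ($leftover) {
    Write-Warning ("Roles still held by {0}: {1}" -f $OldDc, ($leftover.Name -join ', '))
} else {
    Write-Host "All roles now on $NewDc. Demote $OldDc next; if it cannot be demoted cleanly, remove its objects with 'ntdsutil' metadata cleanup."
}
```

The check at the end matters because a DC that still holds a role cannot be demoted gracefully; running the transfer while the old DC is still online is what keeps this a transfer rather than a seizure, and `netdom query fsmo` gives the same before/after view from a plain command prompt.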