
Server seems to have been modified a lot. I cannot start/run/do many tasks like Task Manager, Server Backup, command-line password change, etc.

User names, full names don't match with their descriptions. Now Administrator may not be the administrator.

I cannot enable/disable accounts.

Server is being used as a brute-force attacker: DuBrute was running.

I tried to reboot; a SAM init error occurred & a BSOD appeared. I could recover the SAM file from an older copy.

Now I cannot do many things. It looks like the server was hacked a week ago, as the file creation dates suggest.

I found a few registry files like this one: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin

Can I clean up that mess, or do I have to restore from backup?

Nime Cloud
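One check a defender would want for the symptoms above (account names and descriptions not matching, "Administrator may not be the administrator") is to identify local accounts by their RID rather than by name: the built-in Administrator always has a SID ending in -500 and the built-in Guest in -501, no matter what they have been renamed to. The script below is an added example, not code from the original question or answers; it uses the Win32_UserAccount WMI class and the WinNT ADSI provider (both available on older Windows Server releases) and prints a table that makes a renamed or newly added privileged account stand out. Run it from an elevated PowerShell prompt on the affected host.

```powershell
# Added example (not from the original post): list local accounts with their RID so the
# real built-in Administrator/Guest can be identified regardless of their current names,
# and list who is currently in the local Administrators group.

# Enumerate local accounts via WMI (works on Server 2008/2012 where Get-LocalUser is absent).
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

$report = foreach ($a in $accounts) {
    # The RID is the last component of the SID; 500 = built-in Administrator, 501 = built-in Guest.
    $rid = [int](($a.SID -split '-')[-1])
    $tag = switch ($rid) {
        500     { 'BUILTIN-ADMINISTRATOR' }
        501     { 'BUILTIN-GUEST' }
        default { if ($rid -ge 1000) { 'custom' } else { 'other-builtin' } }
    }
    [PSCustomObject]@{
        Name        = $a.Name
        FullName    = $a.FullName
        Description = $a.Description
        Disabled    = $a.Disabled
        RID         = $rid
        Tag         = $tag
    }
}

"== Local accounts (compare Name against Tag; a Name of 'Administrator' with RID != 500 is a decoy) =="
$report | Sort-Object RID | Format-Table -AutoSize

# Members of the local Administrators group via ADSI, resolved to account names.
$group   = [ADSI]"WinNT://./Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

"== Members of local Administrators =="
$members | Sort-Object -Unique

# Anything in Administrators that is not the RID-500 account and was not created on purpose
# is a candidate for the attacker's foothold; cross-check its Description and creation date.
$knownAdmin = ($report | Where-Object { $_.RID -eq 500 }).Name
"== Administrators other than the RID-500 account ($knownAdmin) =="
$members | Where-Object { $_ -ne $knownAdmin }
```

The RID check is the point of the block: renaming the built-in Administrator or creating a second account called "Administrator" changes the name column, but never the RID, so the table exposes the swap that the question describes.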

2 Answers


It would probably be best to restore from backup provided you can do a full restore including all the system state. It would actually be better to rebuild it completely as a new system and restore the data you need. You would really need to find out how your system was compromised in order to prevent it from happening again or to other systems in your network.

Rex
  • If there is DuBrute running, the reason is dictionary attack; the cure is to disable generic accounts & to use strong random password. – Nime Cloud Aug 29 '13 at 14:59

Restore from backup. If this is a Domain Controller you need to scan your other DCs and may want to force a password change on all accounts.

TheFiddlerWins
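The answer above recommends checking the other DCs and forcing a password change on all accounts. The script below is an added example of how an administrator would carry that out with the ActiveDirectory module; it is not code from the answerer. It assumes it is run from a domain-joined admin workstation with RSAT installed and with rights to read the Security log on each DC. It supports `-WhatIf` so the change can be previewed first, and it handles one edge case that bites in practice: `Set-ADUser -ChangePasswordAtLogon $true` fails for accounts flagged PasswordNeverExpires, so those are reported separately instead of silently skipped.

```powershell
# Added example (not from the original answer): after a suspected DC compromise,
# (1) pull account-creation/modification events from every DC for the last 7 days, and
# (2) force a password change at next logon for all enabled user accounts.
Import-Module ActiveDirectory

function Get-RecentAccountChanges {
    # 4720 = user account created, 4738 = user account changed, 4724 = password reset attempt
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
                LogName   = 'Security'
                Id        = 4720, 4738, 4724
                StartTime = $since
            } -ErrorAction Stop | Select-Object @{n='DC';e={$dc.HostName}}, TimeCreated, Id, Message
        } catch {
            # An unreachable DC or an empty result set both land here; report rather than abort.
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

function Invoke-ForcedPasswordChange {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Only enabled accounts; this naturally excludes krbtgt and other disabled built-ins.
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires

    $cannot = $users | Where-Object { $_.PasswordNeverExpires }
    $can    = $users | Where-Object { -not $_.PasswordNeverExpires }

    foreach ($u in $can) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set ChangePasswordAtLogon')) {
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        }
    }

    # Accounts with PasswordNeverExpires cannot be flagged this way; they need a manual reset.
    if ($cannot) {
        Write-Warning "Reset these PasswordNeverExpires accounts manually:"
        $cannot | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
    }
    [PSCustomObject]@{ Flagged = @($can).Count; NeedsManualReset = @($cannot).Count }
}

# Usage: review first, then apply.
Get-RecentAccountChanges -Days 7 | Format-Table -AutoSize
Invoke-ForcedPasswordChange -WhatIf
# Invoke-ForcedPasswordChange
```

Resetting every account to change at next logon does not itself invalidate an attacker's existing credentials; it does it only once each user actually logs on, which is why the answer pairs it with a restore from backup rather than offering it as the fix on its own.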