sammen Posted October 19, 2006

This concerns a domain with a few hundred workstations. This also happened earlier, during the summer holidays, and we thought that we had managed to fix it, but apparently we did not.

Somehow someone has been able to place a hidden FTP server on our domain controller (Server 2003) and some other machines on the network (XP and Server). The executable seems to be netsrv.exe, but I don't know how it got there in the first place. People had uploaded some 100 GB of movies and music etc. before we found it.

Here comes the really sad part: there was only one domain controller, and there is no clean backup of it. (I have no part in that, so please spare me the comments on that.)

I'm not really sure what to ask, but perhaps this: is it possible to migrate the whole AD to a new DC and be sure that it is clean? As far as I understand, it is not possible to make a completely new DC with the same name without having to manually add all clients to the new domain. Correct?

Any comment on what to think of and what to do (and in which order) to fix this is very welcome.

/Sam
cluberti Posted October 19, 2006

If it is an Active Directory domain (either 2003 mixed mode or 2003 native) and this isn't an SBS 2003 server, you can add a second DC, migrate the services over (DHCP, DNS, and WINS if you're using it), configure the new DC as a GC server, transfer the FSMO roles to the new DC, and wait a few days for replication to complete. Once you're sure it's complete, run dcpromo on the old DC to remove it from the domain as a domain controller.
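The sequence cluberti describes, as an added example that is not from the thread or from anyone posting in it: the same steps driven from PowerShell on the new DC with the Windows Server 2003 admin and support tools (dsquery, dsmod, ntdsutil, netdom, repadmin, dcdiag). The host name DC2 and the assumption that PowerShell 2.0 (Windows Management Framework) is installed on the new server are mine.

```powershell
# Added example, not code from the thread: move the GC and FSMO roles to a
# new domain controller and verify replication before demoting the old one.
# Assumptions: run as a Domain/Enterprise Admin on the NEW DC, which has
# already been promoted with dcpromo, patched, and has a current AV engine;
# PowerShell 2.0 is installed; the 2003 admin and support tools are in PATH.
$newDc = 'DC2'   # assumed name of the new, clean domain controller

# 1. Make the new DC a global catalog. dsmod server sets the isGlobalCatalog
#    flag on the NTDS Settings object for the DN that dsquery pipes in.
dsquery server -name $newDc | dsmod server -isgc yes

# 2. Transfer all five FSMO roles. ntdsutil accepts its menu commands as
#    arguments; the role names below are the Windows Server 2003 spellings
#    ("domain naming master"; 2008+ says "naming master"). Each transfer
#    raises a Yes/No confirmation dialog. Use "seize" instead of "transfer"
#    only if the old DC is already unreachable for good.
ntdsutil 'roles' 'connections' "connect to server $newDc" 'quit' `
    'transfer schema master' 'transfer domain naming master' `
    'transfer infrastructure master' 'transfer RID master' 'transfer PDC' `
    'quit' 'quit'

# 3. Confirm every role now points at the new DC.
netdom query fsmo

# 4. Check that replication is healthy and the new DC advertises as a GC.
#    Re-run this daily; do not demote the old DC while any line reports a
#    failure. /replsummary needs the SP1-or-later repadmin.
repadmin /showrepl $newDc
repadmin /replsummary
dcdiag /s:$newDc /test:replications /test:fsmocheck /test:advertising

# 5. Only after several clean days: on the OLD DC run dcpromo (interactive)
#    to demote it, exactly as cluberti says, and only then take it apart.
```

The demotion stays a manual step on purpose: dcpromo on the old DC should be run only after repadmin and dcdiag have shown no failures for the few days cluberti suggests, because a failed or half-finished transfer leaves the domain with a role holder that is about to be removed.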
sammen (Author) Posted October 19, 2006

It is a 2003 mixed-mode domain.

Last time, I did the migration according to the Microsoft guides and it worked well. It's just that I suspect that the "parasites" migrated as well. You don't think that's possible?
cluberti Posted October 19, 2006

Oh yes, very possible indeed if the trojan can spread itself. I'd make sure you have a good, up-to-date, real-time antivirus scanner running on the DC before adding it to the network at all, let alone joining the domain and dcpromo'ing the box. Also, having all security updates installed before going forward is a good option as well.
valter Posted October 20, 2006

Did you check running services and processes? Have you checked your firewall logs?
Zartach Posted October 20, 2006

Like some have said here, you need to look at suspicious processes and services, and make a point of isolating all but the required protocols to keep serving your domain. Check TechNet for the required ports to do this, and also check their security documentation on how to go about securing your system.

You may also want to use specialized tools to make sure there is no virus and/or malware installed. I frequently use HijackThis to check the system if I suspect an intrusion; most of the time that alone will make the problem appear. It is a standalone utility that solves a lot of problems for me.

Set up auditing on the DC on objects you suspect to be related and, if possible, do the same on the switch/router the system is behind. Once you know what ports are required to keep the domain up, you can check for open ports on the machine, see what process is attached to each, and locate it on the disk. Every piece of malware can be removed; the real question is how long it will take and whether it is worth the effort over doing an emergency recovery.
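The port-to-process-to-disk check that valter and Zartach describe, as an added example that is not from the thread: it lists every TCP listener on the DC, resolves the owning process, its image path and any service that hosts it, and flags ports a Windows Server 2003 DC has no reason to expose. The port baseline is my assumption for a DC that also runs DNS and must be extended for whatever else the box serves (DHCP, WINS, RDP); PowerShell 2.0 on the DC is also assumed.

```powershell
# Added example, not code from the thread: map listening TCP ports on a
# Windows Server 2003 DC to process, hosting service and image on disk, and
# flag anything outside the expected DC port set.
# Assumptions: PowerShell 2.0 (Windows Management Framework), run as an
# administrator on the DC; netstat.exe and WMI are available.

# TCP ports a 2003 DC running DNS legitimately listens on (assumed baseline;
# add 67 for DHCP, 42 for WINS, 3389 for RDP, etc. as your box requires).
$requiredPorts = @(53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269)

# Windows Server 2003 hands out dynamic RPC endpoints from 1025-5000. Those
# listeners are normal for lsass.exe/svchost.exe but still need an owner check.
$rpcDynamicLow  = 1025
$rpcDynamicHigh = 5000

# Parse "netstat -ano" into (Port, PID) objects for TCP sockets in LISTENING
# state. A typical row:  TCP    0.0.0.0:389    0.0.0.0:0    LISTENING    472
$listeners = netstat -ano | ForEach-Object {
    $fields = $_.Trim() -split '\s+'
    if ($fields.Length -ge 5 -and $fields[0] -eq 'TCP' -and $fields[3] -eq 'LISTENING') {
        $obj = New-Object PSObject
        $obj | Add-Member NoteProperty Port ([int]($fields[1] -replace '^.*:', ''))
        $obj | Add-Member NoteProperty PID  ([int]$fields[4])
        $obj
    }
}

# Index processes and services by PID via WMI: ExecutablePath gives the
# image on disk, Win32_Service tells us whether a service auto-starts it
# (the persistence mechanism you will have to remove as well).
$procByPid = @{}
Get-WmiObject Win32_Process | ForEach-Object { $procByPid[[int]$_.ProcessId] = $_ }
$svcByPid = @{}
Get-WmiObject Win32_Service | ForEach-Object {
    if ($_.ProcessId -ne 0) {
        $key = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($key)) { $svcByPid[$key] = @() }
        $svcByPid[$key] += $_.Name
    }
}

$report = foreach ($l in ($listeners | Sort-Object Port)) {
    $status = 'expected'
    if ($requiredPorts -notcontains $l.Port) {
        if ($l.Port -ge $rpcDynamicLow -and $l.Port -le $rpcDynamicHigh) {
            $status = 'rpc-dynamic (verify owner)'
        } else {
            $status = 'UNEXPECTED'
        }
    }
    $name = '<unknown>'; $image = '<unknown>'
    $proc = $procByPid[$l.PID]
    if ($proc) {
        $name = $proc.Name
        # System (PID 4) and some services report no path; say so explicitly.
        if ($proc.ExecutablePath) { $image = $proc.ExecutablePath } else { $image = '<no image path>' }
    }
    $svcs = ''
    if ($svcByPid.ContainsKey($l.PID)) { $svcs = $svcByPid[$l.PID] -join ',' }

    $row = New-Object PSObject
    $row | Add-Member NoteProperty Port    $l.Port
    $row | Add-Member NoteProperty Status  $status
    $row | Add-Member NoteProperty PID     $l.PID
    $row | Add-Member NoteProperty Process $name
    $row | Add-Member NoteProperty Service $svcs
    $row | Add-Member NoteProperty Image   $image
    $row
}

$report | Format-Table Port, Status, PID, Process, Service, Image -AutoSize
# Anything UNEXPECTED, or an rpc-dynamic listener not owned by lsass.exe or
# svchost.exe, gets its image copied off for analysis and its start point
# (service, Run key) recorded before removal. A rogue FTP daemon such as the
# netsrv.exe in this thread shows up here on whatever port it picked.
```

Both netstat and WMI run on the host you suspect, so a kernel-level rootkit can hide a listener from them; cross-check the table against a port scan from another machine and against the firewall and switch logs valter and Zartach mention before concluding the box is clean.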