• Active directory issues on hacked server — how to fix?


    #478731

    Recently we got hacked and part of the result is that we can’t open ADUC on this server anymore. And “some” network related things (like Antivirus definition updates) don’t work (although we can remote desktop to it).

    I’m still new to AD stuff, but need to get this working. What happens is that if I click on ADUC (or any AD tool) I get a message that says:
    “Naming information cannot be located for the following reason: The server is not operational”.

    This server and the other AD server are running 2003 (but in domain functional level “2000 mixed” if that matters).

    Any ideas of what to check on how to fix this? (Note that AD is fine on the primary AD server).

    Thanks,
    Spacewalker

    • #1296269

      What you haven’t told us is whether the computer is a domain controller or performs some other function.
      If it’s just a DC and not the primary one I would rebuild it from scratch – this is not a simple task, more later.
      If it performs another function we need information about what it does and where the data is stored.

      To rebuild a broken DC you need to turn it off and then remove references to it from AD.
      1. Seize any FSMO roles it was performing.
      2. Remove it from AD.
      3. Rebuild and promote it – DCPROMO.

      cheers, Paul

    • #1296701

      Hi Paul,
      Yes it’s a DC (at least I think so – but not sure how to tell now) but not our primary DC. It does the following (note, way too many things):
      Windows 2003 Standard 32 bit SP2
      – Active Directory
      – DNS (is Active Directory Integrated)
      – File Server
      – Application Server
      – SQL Express
      – FTP
      – Web Server
      OS is on C, program data is on D, and various shares on D hold the user and share folders for company data.

      According to netdom, all the FSMO roles are on a different server than this one.

    • #1296707

      Run this DOS command to see the IP addresses of all the DCs, where domain is the full domain name, e.g. ad-domain.com.

      Code:
      nslookup domain

      I would re-build the OS on C: from scratch, being careful not to delete D:. These steps are required to backup all the bits you need.
      1. Shares are all stored in the registry. Just export the key HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares, then import it to the new server.
      2. SQL databases are just files. Identify the location, stop the service and copy the files to D:.
      3. FTP / IIS are just files with a little bit of config in the registry. Copy Inetpub, or wherever your web site root is, to D:.
      4. Download “iisback.vbs” then run this command.

      Code:
      cscript %systemroot%\system32\iisback.vbs /backup /b IISConfigBackup

      The application will need to be re-installed – can’t really help with that one.

      cheers, Paul
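The steps above, gathered into one script as an added example (this is not Paul's script and not from the thread). It assumes the SQL Express instance uses the default name SQLEXPRESS, that iisback.vbs sits in system32 as in the command above, and that D:\Rebuild is free to use; every path is a placeholder to adjust. The restore half follows the later advice in the thread: import the key, then restart the Server service.

```powershell
# Added example (not Paul's script): collect the items his steps name into one folder on D:
# before the C: rebuild, and put the shares back afterwards. Assumes the SQL Express
# instance is the default 'SQLEXPRESS' and that iisback.vbs is in system32 as in the
# command above; all paths are placeholders to adjust.

$BackupRoot = 'D:\Rebuild'

function Backup-RebuildArtifacts {
    param([string]$SqlDataDir = 'C:\Program Files\Microsoft SQL Server',   # placeholder
          [string]$WebRoot    = 'C:\Inetpub')                                # IIS default
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    New-Item -ItemType Directory -Path "$BackupRoot\Sql" -Force | Out-Null

    # 1. Share definitions (names, paths, share-level permissions) live under this key.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares' "$BackupRoot\shares.reg"

    # 2. SQL data/log files: stop the instance so the files are consistent, then copy them.
    #    (Single instance assumed; with several instances, keep one folder per instance.)
    Stop-Service -Name 'MSSQL$SQLEXPRESS' -Force
    Get-ChildItem -Path $SqlDataDir -Recurse -Include *.mdf, *.ldf |
        ForEach-Object { Copy-Item -Path $_.FullName -Destination "$BackupRoot\Sql" -Force }

    # 3. Web content, plus the IIS 6 metabase backup that iisback.vbs writes.
    Copy-Item -Path $WebRoot -Destination "$BackupRoot\Inetpub" -Recurse -Force
    & cscript "$env:SystemRoot\system32\iisback.vbs" /backup /b IISConfigBackup
    $metaBack = "$env:SystemRoot\system32\inetsrv\MetaBack"   # default location of metabase backups
    if (Test-Path $metaBack) {
        Copy-Item -Path $metaBack -Destination "$BackupRoot\MetaBack" -Recurse -Force
    }
}

function Restore-Shares {
    param([string]$RegFile = "$BackupRoot\shares.reg")
    # The folders behind each share must already exist on the rebuilt box (D: was left
    # intact); a share whose folder is missing is not recreated by the Server service.
    & reg.exe import $RegFile
    Restart-Service -Name 'LanmanServer' -Force
    # Show what came back so it can be checked against the old share list.
    & net share
}

# Usage: run Backup-RebuildArtifacts on the old OS; after the rebuild and domain join,
# run Restore-Shares on the new OS.
Backup-RebuildArtifacts
# Restore-Shares
```

The registry export covers share-level permissions only; NTFS permissions travel with the files on D: and are handled separately.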

      • #1296710

        Thanks Paul. Oddly when I run nslookup domain I get only 1 server listed (call it server01). However the server I’m having issues with is running AD as well but isn’t showing up on the nslookup list for some reason (call this box server02).

        Can we just reinstall from Win 2003 Std CD overtop of existing and it’ll replace all files on C or do we need to do something else?

        Sorry for the questions, but I haven’t had to re-install a server before (install, yes – re-install due to malware, no).

        Thanks,
        John

    • #1296716

      Only one server means you have one Global Catalog and possibly other DCs. Try “DCDIAG” from a DOS box on the problem machine. The other test is at the logon prompt of the server, try to select another domain. If you only have one option it’s a DC.

      Re-install over the top is no problem, but you need to be careful not to delete D:.
      You will need to clean up AD before promoting the new server.

      cheers, Paul

      • #1296719

        dcdiag doesn’t work from cmd (even elevated), but it’s 2003, so perhaps not installed on that server (we have no 2008 servers).

        Can/Should we rebuild this server with the same name, or use a new name and new IPs (to hinder further hits from remote sources on old box IPs/name)? Any issue either way? (keep name & ips versus changing them)? (other than having to point users to another address, but GP makes that trivial…probably)

    • #1296720

      DCDIAG is loaded as part of the 2003 admin tools. You can run it from another machine and point it at the bad server.
      You can use a new name if you want, but you still need to clean up AD. No issues either way.
      Why don’t you close the external firewall so only 80 & 443 get through?

      cheers, Paul
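A check for the question that keeps coming up in this thread, whether server02 is still registered as a DC, plus the remote dcdiag run Paul describes. This is an added example, not code from the thread; it assumes DNS is AD-integrated and that the 2003 admin tools (dcdiag.exe) are installed on the machine it runs from. The domain and server names are placeholders.

```powershell
# Added example (not from the thread). Checks whether a server is still registered as a
# domain controller in AD-integrated DNS and runs dcdiag against it from a healthy machine
# that has the 2003 admin tools installed. $Domain / $Server values are placeholders.

function Get-DcFromDns {
    param([string]$Domain)
    # Every DC registers an SRV record under _ldap._tcp.dc._msdcs.<domain>; nslookup prints
    # one "svr hostname = <fqdn>" line per record.
    $lines = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1
    $found = @()
    foreach ($line in $lines) {
        if ("$line" -match 'svr hostname\s*=\s*(\S+)') {
            $found += $matches[1].TrimEnd('.').ToLower()
        }
    }
    $found | Sort-Object -Unique
}

function Test-IsRegisteredDc {
    param([string]$Server, [string]$Domain)
    # A box that runs AD but has no SRV record is the "server02 missing from nslookup" case:
    # other DCs and clients cannot locate it, so replication and the AD tools on it fail.
    $fqdn = "$Server.$Domain".ToLower()
    @(Get-DcFromDns -Domain $Domain) -contains $fqdn
}

function Invoke-RemoteDcDiag {
    param([string]$Server)
    # /s: points dcdiag at a remote DC; /q suppresses everything except failures,
    # so an empty result means every test passed.
    & dcdiag "/s:$Server" /q
}

# Usage (placeholder names):
$Domain = 'ad-domain.com'
'Registered DCs: ' + ((Get-DcFromDns -Domain $Domain) -join ', ')
foreach ($s in 'server01', 'server02') {
    "{0} registered as DC in DNS: {1}" -f $s, (Test-IsRegisteredDc -Server $s -Domain $Domain)
}
Invoke-RemoteDcDiag -Server 'server02'
```

If the SRV check is false for server02, the metadata cleanup Paul mentions (seize roles, remove the DC from AD) has to happen before the rebuilt machine is promoted again.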

      • #1297102

        Active Directory is a REPLICATED environment; it depends on all the DCs talking to each other.
        You said the server was hacked, but not how long you took it offline to ‘clean it up’.
        Recommended practice is to have at least one workstation setup with the ‘Remote Server Administration Toolkit’ (RSAT).
        This gives you a connection to Active Directory without being a server.

        Hacked servers should always be removed from the network as soon as you know they are compromised.
        Servers (especially DCs) should be thoroughly tested before reconnecting, at which point DCs will resync with the AD.
        Any DC where the AD tools no longer work should be considered a time bomb waiting to kill your network.

        A compromised DC requires you verify the status of every account, every group, and every share for permissions!

        From the list of roles (services) provided by that server you will need to check a lot of event logs.

        Also check your Group Policy settings, and remote access permissions.

        Good Luck.

        • #1297148

          Thanks Howard2nd.
          This server environment is not managed in any way. There are no real backups of AD or DNS (IT head considers having a 2nd DC/AD good enough – I know, don’t start….)

          I’m newish to GP and AD, and can poke around a bit, but have no baseline policy to compare to, so don’t know what was changed.

          So a question – since I think the only policy we DID have in place prior to this was: a) logon script to map user drive, b) password policy (lax though it was), and c) using WSUS for updates (which I need to change somehow to be back to users PCs take care of it themselves since I can’t get WSUS to work now), would I be safe in just removing ALL policies I find in GP and starting over?

          Do I need to change things to “not configured” for all things first?

          Not sure how to tread here on this one, but so far I’ve heard from a user that they can no longer pull up their IE favorites, even if they find the favorites folder. I’m assuming this is related to GP changes as I’ve seen computers now saying (when they start up) “applying computer policies” and then “user policies” – I NEVER saw that before so I know some possible major changes have been made and I don’t want these attackers having any help in future attacks.

          I appreciate the help!

          Thanks.

    • #1297475

      First, an AD backup to disk is simple and fast; there is no excuse not to do one every day and keep the last 7. Use NTbackup – search the web for details.
      Second, if your AD config had changed you would be hearing from more than one user. Favorites are usually local to the PC and not controlled by AD – unless you have a roaming profile.

      Logon script is easy to identify and check, look in the users’ profile in ADUC, or in a domain level GPO.
      Password policy is applied at domain level, probably the same GPO as above.
      WSUS is probably in the same GPO as well. Don’t change it as you can easily re-install WSUS when you re-build the server.
      I would leave all GPOs in place, but check that they are OK – most likely they are fine. Un-setting a GPO is not just a change to not configured, you usually need to remove the setting, then when all settings have been applied, change it to not configured. This is not always the case though.
      All computers should say “applying policies” at startup, you probably didn’t notice before.

      Note: The WSUS database is SQL. You probably need to collect all SQL database files and drop them back on the new server – after backing up the originals.

      cheers, Paul
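Two of the points above turned into a script, as an added example that is not from the thread: the daily system-state backup with NTBackup, rotating over seven files, and an inventory of which logon script and profile path each account carries so that an unexpected script stands out. It assumes the 2003 ntbackup.exe is on the path and that it runs on a domain member; the backup folder and LDAP path are placeholders.

```powershell
# Added example (not from the thread). A daily system-state backup with ntbackup that
# rotates over seven files, and an inventory of logon scripts / profile paths per account.
# $BackupDir and the LDAP search base are placeholders.

function Backup-AdSystemState {
    param([string]$BackupDir = 'D:\Backups')
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # One file per weekday, overwritten each week, keeps exactly the last seven.
    $file = Join-Path $BackupDir ("SystemState-{0}.bkf" -f (Get-Date).DayOfWeek)
    & ntbackup backup systemstate /j 'AD system state' /f $file
    $file
}

function Get-LogonScriptInventory {
    param([string]$SearchBase = '')   # e.g. 'LDAP://DC=ad-domain,DC=com'; '' = current domain
    $root = [ADSI]$SearchBase
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 500
    $attrs = 'sAMAccountName', 'scriptPath', 'profilePath'
    foreach ($p in $attrs) { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) {
        $o = New-Object PSObject
        foreach ($p in $attrs) {
            # Result property names come back lower-cased; absent attributes are empty.
            $vals = $r.Properties[$p.ToLower()]
            $val = if ($vals -and $vals.Count -gt 0) { $vals[0] } else { '' }
            $o | Add-Member -MemberType NoteProperty -Name $p -Value $val
        }
        $o
    }
}

# Usage:
Backup-AdSystemState
$inv = Get-LogonScriptInventory
# A script used by only one or two accounts, or a path outside the NETLOGON share,
# is the thing to look at first.
$inv | Group-Object scriptPath | Sort-Object Count | Format-Table Count, Name -AutoSize
$inv | Where-Object { $_.profilePath -ne '' } | Format-Table sAMAccountName, profilePath -AutoSize
```

The per-user scriptPath is the "users' profile in ADUC" location Paul names; a logon script assigned through a GPO will not show up here and has to be checked in the GPO itself.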

    • #1297640

      Thanks Paul T.
      Any suggestions for this:
      We need to reinstall our OS (Win 2003 Std 32-bit) on the “C” drive of our server after a hack attack. This server is our file server and the “D” drive contains ALL the network shares and user folders (for user file backup copies etc).

      The folders have a mix of share and NTFS permissions currently due to hands-on managing of permissions (by a former IT employee) and some were setup with a share software package (Varonis), but that trial has ended.

      I am concerned that when I reinstall the OS on C, that I’ll lose permissions on “D”, even if I recreate the same Shared Folder names.

      Can someone tell me what will happen and/or the correct “best practice” way to prepare those existing shares and folders before and after the OS reinstall so that everyone retains their permissions without us having to manually do what the head of IT wants us to do currently (unless he’s right), which is:

      1) Remove all NTFS permissions just prior to reinstall of OS

      2) After OS reinstall, go back and set permission again on each share folder and user folder.

      Note: Some folders may have stopped inheriting permissions, so this may not be as easy as top-down massive changes.

      Help. I really don’t want to do this and find out no one can get to their data or we might be in serious trouble.

      Thanks in advance!

    • #1297900

      NTFS permissions are kept with the files in the MFT. Leave the data intact and the permissions are also intact – unless you re-install AD from scratch.
      Shares are in the registry. Export, import, re-start the SERVER service, or re-boot.
      Do NOT remove any permissions – you will be sorry. Tell head of IT to google where are ntfs permissions stored.

      I can guarantee that this works, I’ll even buy you a beer if it doesn’t.

      cheers, Paul
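A way to verify the guarantee above instead of relying on it, as an added example that is not from the thread: snapshot the security descriptor of every folder on D: before the C: rebuild and diff it afterwards. SDDL stores SIDs rather than names and includes the "protected" flag on folders that stopped inheriting, so it stays comparable as long as the domain's SIDs survive, which is exactly the "unless you re-install AD from scratch" caveat. Paths are placeholders.

```powershell
# Added example (not from the thread): snapshot every folder's NTFS security descriptor
# on D: before the rebuild and diff it afterwards. Paths are placeholders.

function Export-AclSnapshot {
    param([string]$Root, [string]$OutFile)
    # SDDL records owner, DACL and the "P" (protected) flag that marks a folder which stopped
    # inheriting; it holds SIDs, not names, so it is stable while the domain's SIDs survive.
    $dirs = @(Get-Item -Path $Root) +
            @(Get-ChildItem -Path $Root -Recurse | Where-Object { $_.PSIsContainer })
    $dirs | ForEach-Object {
        $sddl = (Get-Acl -Path $_.FullName).GetSecurityDescriptorSddlForm('All')
        "{0}`t{1}" -f $_.FullName, $sddl
    } | Set-Content -Path $OutFile
    $OutFile
}

function Compare-AclSnapshot {
    param([string]$Before, [string]$After)
    $load = {
        $t = @{}
        Get-Content -Path $args[0] | ForEach-Object { $p = $_ -split "`t", 2; $t[$p[0]] = $p[1] }
        $t
    }
    $b = & $load $Before
    $a = & $load $After
    foreach ($path in ($b.Keys | Sort-Object)) {
        if (-not $a.ContainsKey($path))  { "MISSING`t$path" }
        elseif ($a[$path] -ne $b[$path]) { "CHANGED`t$path" }
    }
    foreach ($path in ($a.Keys | Sort-Object)) {
        if (-not $b.ContainsKey($path))  { "NEW`t$path" }
    }
}

# Usage. Before the rebuild, on the old OS:
Export-AclSnapshot -Root 'D:\Shares' -OutFile 'D:\Rebuild\acl-before.txt'
# After the rebuild, once the new OS has joined the domain:
# Export-AclSnapshot -Root 'D:\Shares' -OutFile 'D:\Rebuild\acl-after.txt'
# Compare-AclSnapshot -Before 'D:\Rebuild\acl-before.txt' -After 'D:\Rebuild\acl-after.txt'
```

An empty comparison means every folder kept its owner, permissions and inheritance state. Share-level permissions are not in this snapshot; they come back with the registry key export described earlier in the thread.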
