From: Yousuf Khan on
On 28/07/2010 6:31 PM, Arno wrote:
>> However, the fact that all of the administrator accounts were disabled,
>> while the non-admin accounts were fine does lead me to believe perhaps
>> someone was trying to seize the machine. However, the machine was behind
>> a NAT router, so it's hard to understand how they planned to take over
>> this machine.
>
> Hmm. Maybe they hacked the NAT first? Would not be the first time.
> Anyways, good success with the cleanup.

Well, I don't know how they can, the firewall is inside a Dlink
broadband router with all external interfaces turned off. It's not the
well-known hackable Linksys WRT54G router.

I'm going through the event logs right now, but it's a needle in a
haystack. Where would I notice unauthorized access? Will it even leave a
trace in the event logs? There were several errors, warnings, and
criticals during the time period in question, but that's no different
than what was there before that time period.

Yousuf Khan
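As an added illustration of where such an action does leave a trace (example code, not part of the original thread): on Windows 7 the Security log records event 4725 each time a user account is disabled, naming the target account and the subject who did it, and joining that to the 4624 logon event for the same session shows how that subject got in. The Python below runs over a constructed XML export and assumes User Account Management and Logon auditing were enabled at the time.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: three Security-log records in the XML layout that
# `wevtutil qe Security /f:xml` emits, wrapped in an <Events> root so they
# parse as one document. All names, times, IDs and addresses are invented.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4624</EventID><TimeCreated SystemTime="2010-07-25T03:10:02Z"/></System>
<EventData><Data Name="TargetUserName">backupsvc</Data>
<Data Name="TargetLogonId">0x5a3c1</Data><Data Name="LogonType">3</Data>
<Data Name="IpAddress">192.168.0.23</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4725</EventID><TimeCreated SystemTime="2010-07-25T03:12:40Z"/></System>
<EventData><Data Name="TargetUserName">Administrator</Data>
<Data Name="SubjectUserName">backupsvc</Data>
<Data Name="SubjectLogonId">0x5a3c1</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4725</EventID><TimeCreated SystemTime="2010-07-25T03:12:41Z"/></System>
<EventData><Data Name="TargetUserName">yousuf</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectLogonId">0x3e7</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Yield (event_id, time, {Data Name: value}) for each <Event> record."""
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        system = ev.find(NS + "System")
        yield (int(system.findtext(NS + "EventID")),
               system.find(NS + "TimeCreated").get("SystemTime"),
               {d.get("Name"): d.text for d in ev.iter(NS + "Data")})

def account_disables(xml_text):
    """Tie each 4725 (user account disabled) to the 4624 logon session that
    performed it: the 4725 SubjectLogonId equals that logon's TargetLogonId.
    A 4725 whose session predates the export gets None for type and address."""
    sessions, findings = {}, []
    for eid, when, d in parse_events(xml_text):
        if eid == 4624:
            sessions[d["TargetLogonId"]] = d  # remember who opened each session
        elif eid == 4725:
            logon = sessions.get(d["SubjectLogonId"], {})
            findings.append({"time": when, "disabled": d["TargetUserName"],
                             "by": d["SubjectUserName"],
                             "logon_type": logon.get("LogonType"),
                             "from_ip": logon.get("IpAddress")})
    return findings
```

If an export covering the period contains no 4725 at all, either that audit category was off or the records have since rolled over or been cleared, which is itself worth noting.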
From: Gordon on
On 29/07/10 23:11, Yousuf Khan wrote:
> On 29/07/2010 12:00 PM, GlowingBlueMist wrote:
>> On 7/28/2010 1:18 PM, Yousuf Khan wrote:
>>> On 26/07/2010 12:12 AM, Frank wrote:
>>>> Boot from your Win 7 DVD, if you have one, and do a system restore.
>>>
>>> I looked into that possibility, but my last full backup was from April
>>> 2010, so it would've set the system back too far. Using the password
>>> cracker option, I was able to get it back to the level where I last left
>>> it.
>>>
>>> Yousuf Khan
>> Glad you got it working too.
>>
>> I wonder, did you try booting into the safe mode and using the built in
>> Administrator account or was that disabled as well?
>
> That was disabled as well.
>
> Yousuf Khan

That's by default, so don't worry about that.

From: Arno on
In comp.sys.ibm.pc.hardware.storage Yousuf Khan <bbbl67(a)spammenot.yahoo.com> wrote:
> On 28/07/2010 6:31 PM, Arno wrote:
>>> However, the fact that all of the administrator accounts were disabled,
>>> while the non-admin accounts were fine does lead me to believe perhaps
>>> someone was trying to seize the machine. However, the machine was behind
>>> a NAT router, so it's hard to understand how they planned to take over
>>> this machine.
>>
>> Hmm. Maybe they hacked the NAT first? Would not be the first time.
>> Anyways, good success with the cleanup.

> Well, I don't know how they can, the firewall is inside a Dlink
> broadband router with all external interfaces turned off. It's not the
> well-known hackable Linksys WRT54G router.

> I'm going through the event logs right now, but it's a needle in a
> haystack. Where would I notice unauthorized access? Will it even leave a
> trace in the event logs? There were several errors, warnings, and
> criticals during the time period in question, but that's no different
> than what was there before that time period.

You can try a different approach: Search for known vulnerabilities
for this device.

It is quite possible that the logs will not help.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno(a)wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
From: Yousuf Khan on
On 30/07/2010 2:48 AM, Gordon wrote:
> On 29/07/10 23:11, Yousuf Khan wrote:
>> On 29/07/2010 12:00 PM, GlowingBlueMist wrote:
>>> I wonder, did you try booting into the safe mode and using the built in
>>> Administrator account or was that disabled as well?
>>
>> That was disabled as well.
>>
>> Yousuf Khan
>
> That's by default, so don't worry about that.
>

It's still a mystery why the other accounts got disabled. Wonder if it
could've been a Microsoft bug?

Yousuf Khan
From: Frank on
On 7/30/2010 2:56 PM, Yousuf Khan wrote:
> On 30/07/2010 2:48 AM, Gordon wrote:
>> On 29/07/10 23:11, Yousuf Khan wrote:
>>> On 29/07/2010 12:00 PM, GlowingBlueMist wrote:
>>>> I wonder, did you try booting into the safe mode and using the built in
>>>> Administrator account or was that disabled as well?
>>>
>>> That was disabled as well.
>>>
>>> Yousuf Khan
>>
>> That's by default, so don't worry about that.
>>
>
> It's still a mystery why the other accounts got disabled. Wonder if it
> could've been a Microsoft bug?
>
> Yousuf Khan

More likely, an operator error.