Re: Hidden shares on PDC AD Win2K server self disabling?
- From: Whitehatter <email-bad@xxxxxxxxxxxxxxxxx>
- Date: Fri, 29 Jul 2005 02:54:55 GMT
Turns out we got nailed by a new exploit on the net... rather unfriendly
critter it is too.
Symptoms include missing admin shares (IPC$ etc) and strange share
behaviours on other network available folders.
You may also find that your sysvol\domain\scripts have gone missing.
We followed up with Microsoft to help track down what was going on, and it
was tracked back to a file named sysinit32.exe in the winnt\system32
folder. After killing the process, deleting the file and removing all
references to it from the registry we were able to restart the Server
service and successfully recreate the shares.
The malware has been submitted, so hopefully we'll see some patches and AV
signatures coming out soon.
On Thu, 28 Jul 2005 10:20:14 +0200, Miha Pihler [MVP] wrote:
> Hi,
>
> Can you check System and Application logs on this server? Are there any
> errors or other events that might give any clues to the problem?
>
> Also check out ...
> Virus scanning recommendations on a Windows 2000 or on a Windows Server 2003
> domain controller
> http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
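A read-only triage script for the symptoms described in this thread, written here as an added example (it is not code from the poster or from Microsoft). It assumes PowerShell on the affected host and checks the usual autostart registry locations, since the post does not say which keys held the references to sysinit32.exe.

```powershell
# Added triage script, not from the original thread. Read-only checks for the
# symptoms the poster describes: missing admin shares, sysinit32.exe in system32,
# registry entries referring to it, the Server service state, and the scripts dir.
# Assumption: the registry keys below are the usual autostart locations; the post
# does not name the keys that actually held the references.

$suspectName = 'sysinit32.exe'
$sysDir      = [Environment]::SystemDirectory      # winnt\system32 on Win2K
$report      = [ordered]@{}

# 1. Shares a domain controller normally exposes (IPC$ was missing in the post)
$expected = 'ADMIN$', 'C$', 'IPC$', 'NETLOGON', 'SYSVOL'
$present  = (net share) -split "`r?`n" | ForEach-Object { ($_ -split '\s+')[0] }
$report['MissingShares'] = @($expected | Where-Object { $present -notcontains $_ })

# 2. The file and any running process backed by it
$suspectPath = Join-Path $sysDir $suspectName
$report['SuspectFilePresent'] = Test-Path $suspectPath
$report['SuspectProcessIds']  = @(Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -ieq $suspectPath } |
    Select-Object -ExpandProperty Id)

# 3. Values under common autostart keys, and services, that mention the file
$autostartKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$pattern = [regex]::Escape($suspectName)
$regHits = foreach ($key in $autostartKeys) {
  if (Test-Path $key) {
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
      if ("$($p.Value)" -match $pattern) { "$key\$($p.Name) = $($p.Value)" }
    }
  }
}
$svcHits = Get-CimInstance Win32_Service |
  Where-Object { $_.PathName -match $pattern } |
  ForEach-Object { "Service $($_.Name): $($_.PathName)" }
$report['RegistryReferences'] = @($regHits) + @($svcHits)

# 4. Server service (LanmanServer); the poster had to restart it to get shares back
$report['ServerService'] = (Get-Service LanmanServer).Status

# 5. Logon scripts directory the poster reports going missing
$report['ScriptsDirPresent'] = Test-Path (Join-Path $env:SystemRoot 'sysvol\domain\scripts')

[pscustomobject]$report | Format-List
```

Any non-empty RegistryReferences or SuspectProcessIds entry is worth preserving (export the key, hash the file) before removing anything, so the sample can still be submitted to the AV vendor as the poster did.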