Hello. I don't know how you can help me.. but I will tell what
happened anyway:
We run a dedicated web-server (2003 sp2, iis6, mssql 2005 express
sp2, .net 2.0), which is hosted at a hosting company. The server has
been running for quite some time, over one year, without any problems.. Now I had the
marvelous idea to change the default administrator. Since we got our
server, we left the default administrator account together with the
default password.. yes, yes, I know!!
Well, today was the glorious day, I created a new administrator
account, gave it a rock-solid password, and deactivated the old
administrator. All went fine. Then, I sent an email to my coworker, in
which I wrote down the new account name together with its password and
the domain name (.....) all in clear text.
Around 30 minutes after I sent the mail.. BAM! The website is blocked:
------------------
"You are not authorized to view this page
You do not have permission to view this directory or page using the
credentials that you supplied.
--------------------------------------------------------------------------------
Please try the following:
Contact the Web site administrator if you believe you should be able
to view this directory or page.
Click the Refresh button to try again with different credentials.
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
credentials.
Internet Information Services (IIS)"
---------------
It doesn't accept the new administrator account as authorization.
And I cannot log in with remote desktop, because it doesn't accept the
new account, it says wrong password. (It worked with the new account
before I sent the mail.)
I am certain the server got hacked. I guess the mail was sniffed, I
wrote it all down in cleartext, I even wrote down the domain name of
the website in there, and sent it out without any form of encryption.
But, and here is the reason why I write this: Maybe, well, however dumb
that guess may be, but, hope dies last.. maybe it's not a hack,
but some sort of bug? Can that happen? Maybe because I deactivated the
old administrator? Or is there some sort of unpatched vulnerability I
should know about? (The server was fully patched, and all but the
needed ports (80, 25 etc.) were closed)
Well. I am almost 100% certain it's a hack, but like I said, maybe you
know something I don't.