
This is a discussion on Since Technical Support can't help, can any other customers here offer some advice? in the VPS & Dedicated forum

  1. #1
    JPC Member
    Join Date
    Jul 2008
    Posts
    8

    Since Technical Support can't help, can any other customers here offer some advice?

    Hi all,

    Since our server has been dead for over 14 hours and technical support seems to have missed the point of our ticket and not brought it back up, hopefully someone here (hoping but doubting) can offer some advice on how to bring our server back up?

    I've logged into Remote Desktop and restarted it from there. Our admin user account has been compromised and someone has changed the password. I've since changed it to something else. Restarting didn't seem to have any effect.

    Any suggestions on what things to check for?

  2. #2
    JPC Member
    Join Date
    Jul 2008
    Posts
    8

    user S-1-5-21-1883156685-1248245912-4277228172-1008

    Looking at the event viewer, I found this

    Source: sshd
    Type: information
    Event ID: 0
    User: S-1-5-21-1883156685-1248245912-4277228172-1008

    The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 77196 : Failed password for illegal user webadmin from 60.190.133.90 port 38533 ssh2.

    Does anybody know whether there should even be a user S-1-5-21-1883156685-1248245912-4277228172-1008??
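
An added example, not part of any post in this thread: one way to triage sshd password events like the one quoted above, grouping them by source address and flagging any address whose failures were followed by a successful logon. Only the first sample line comes from the post; the other lines, the `Accepted password` layout and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Message layout taken from the event quoted in post #2; "Accepted password"
# is the standard OpenSSH success message, assumed to be logged the same way.
EVENT_RE = re.compile(
    r"sshd : PID (?P<pid>\d+) : (?P<result>Failed|Accepted) password for "
    r"(?P<unknown>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2"
)

# Constructed sample: the first line is the message from the post, the rest
# are made up for this example (documentation address ranges).
SAMPLE_EVENTS = [
    "sshd : PID 77196 : Failed password for illegal user webadmin from 60.190.133.90 port 38533 ssh2.",
    "sshd : PID 77201 : Failed password for illegal user test from 203.0.113.7 port 40112 ssh2.",
    "sshd : PID 77202 : Failed password for illegal user oracle from 203.0.113.7 port 40115 ssh2.",
    "sshd : PID 77203 : Failed password for Administrator from 203.0.113.7 port 40121 ssh2.",
    "sshd : PID 77204 : Accepted password for Administrator from 203.0.113.7 port 40130 ssh2.",
    "sshd : PID 77300 : Accepted password for Administrator from 198.51.100.20 port 50222 ssh2.",
]

def summarize(events):
    """Group password events by source address."""
    stats = defaultdict(lambda: {"failed": 0, "unknown_users": set(),
                                 "accepted_after_failure": []})
    for text in events:
        m = EVENT_RE.search(text)
        if not m:
            continue  # not a password event
        s = stats[m["src"]]
        if m["result"] == "Failed":
            s["failed"] += 1
            if m["unknown"]:
                s["unknown_users"].add(m["user"])  # account does not exist
        elif s["failed"]:
            # Success from an address that failed earlier: review this logon.
            s["accepted_after_failure"].append(m["user"])
    return dict(stats)

def suspicious_sources(events, min_failed=3):
    """Sources with many failures, or a success that followed failures."""
    return sorted(src for src, s in summarize(events).items()
                  if s["failed"] >= min_failed or s["accepted_after_failure"])

if __name__ == "__main__":
    for src, s in summarize(SAMPLE_EVENTS).items():
        print(src, s)
    print("review:", suspicious_sources(SAMPLE_EVENTS))
```

A single failure for a nonexistent account, as in the quoted event, stays below the default threshold; lowering `min_failed` to 1 lists every address that failed at least once.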

  3. #3
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    The "username" you are reporting is a GUID (Globally Unique Identifier). Windows uses GUIDs to identify resources in the registry and other places in the system. When the system shows a GUID like that it means it can't find a matching user. In other words, the user account is no longer there.

    A couple of things are possible, all of which should be investigated:
    * You, or someone else with authority for your box, recently deleted a user account
    * Support created and then removed a user account recently (possibly to test connectivity or some such)...have you recently opened any support tickets?
    * Someone hacked in, created a user account, and then tried to cover their tracks (but not very well)

    Since you mentioned that you were recently hacked, I'd be very suspicious.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
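
An added example, not part of any post in this thread: the value in the event's User field follows the Windows SID string layout `S-1-5-21-a-b-c-RID`, and the code below splits it into its fields, classifies the trailing RID, and checks whether any current account still holds it. The account listing is a constructed sample in the layout of `wmic useraccount get name,sid`; the account names, their RIDs and the function names are assumptions.

```python
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

# Constructed sample in the layout of `wmic useraccount get name,sid`;
# the account names and RIDs are made up for this example.
ACCOUNT_LISTING = """\
Name           SID
Administrator  S-1-5-21-1883156685-1248245912-4277228172-500
Guest          S-1-5-21-1883156685-1248245912-4277228172-501
svc_backup     S-1-5-21-1883156685-1248245912-4277228172-1005
"""

def parse_sid(text):
    """Return (revision, authority, [sub-authorities]) for S-R-A-S1-S2-..."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    subs = [int(p) for p in m.group(3)[1:].split("-")]
    return int(m.group(1)), int(m.group(2)), subs

def describe(text):
    """Classify an account SID of the form S-1-5-21-a-b-c-RID."""
    _, authority, subs = parse_sid(text)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        return {"issuer": None, "rid": None, "kind": "not an S-1-5-21 account SID"}
    rid = subs[4]
    if rid in WELL_KNOWN_RIDS:
        kind = WELL_KNOWN_RIDS[rid]
    elif rid >= 1000:
        kind = "account or group created after installation"
    else:
        kind = "reserved built-in range"
    return {"issuer": "S-1-5-21-%d-%d-%d" % tuple(subs[1:4]), "rid": rid, "kind": kind}

def owner_of(sid, listing):
    """Name of the account holding `sid` in the listing, or None if orphaned."""
    for line in listing.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) >= 2 and parts[-1].upper() == sid.upper():
            return " ".join(parts[:-1])
    return None

if __name__ == "__main__":
    sid = "S-1-5-21-1883156685-1248245912-4277228172-1008"   # from post #2
    print(describe(sid), "owner:", owner_of(sid, ACCOUNT_LISTING))
```
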

  4. #4
    Loyal Client thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    642
    Your first mistake is that you use M$ Windoze on a server. Try running a real operating system, something that is truly secure, maybe FreeBSD or OpenBSD, or even Linux. But then again, if you knew this you wouldn't be asking for help and your server wouldn't have been hacked.

    windoze users... tsk tsk tsk...

  5. #5
    JPC Member
    Join Date
    Jul 2008
    Posts
    8

    useful vs unuseful and religious

    Jason, thanks for the reply.

    thisisit3, you're an idiot.

    "A real OS"? What? Windows OS is a make believe operating system that doesn't exist in our time space continuum? In an argument of science vs religion, you'd fall into the religion side of things.

    From what you say, you must believe that hundreds of thousands of companies must be completely fooled by "M$" and their evil imaginary OS. Gee, aren't Microsoft smart tricking these big corporations out of millions of dollars?

    All OSes will have their issues. Our previous services were running on CentOS builds for years and presented their own issues. Nothing is trouble free.

    If you can't offer anything useful, then shut up with the "tsk tsk tsk" comments you religious little geek.

  6. #6
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Quote: Originally Posted by thisisit3
    Your first mistake is that you use M$ Windoze on a server. Try running a real operating system, something that is truly secure, maybe FreeBSD or OpenBSD, or even Linux. But then again, if you knew this you wouldn't be asking for help and your server wouldn't have been hacked.

    windoze users... tsk tsk tsk...
    Now, now, thisisit...while we're all thinking the same thing, he does have a legitimate problem. Shouldn't we help him dig out first and then suggest how he can improve things later?

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  7. #7
    JPC Dream Team JPC-Tracie's Avatar
    Join Date
    Oct 2007
    Posts
    390
    Guys, I know it's frustrating to have down servers and to feel passionate about things but do me a favor pretty please and keep the name calling at bay.

    Thanks!
    ~Tracie

    Director of Client Operations
    JaguarPC.com
