Wednesday, May 25, 2011

RDP Gray Screen of Volcanic Ash

As you have read, we had a box get attacked last week. Still finding little things on it to fix. Like this gray box problem for RDP. Log in and the screen would stay gray, or the login box would just stay on top.

My friends online had some advice, but the funny thing was no matter what we did, we could not manage to log on to the server at the console. Eventually I got RDP back up, after a LONG LONG delay.

How do you fix something that doesn't exist? HOTFIX! Maybe

Yes, you read that right, hotfix. Microsoft has released a specific hotfix:

Article ID: 942880 - Last Review: February 1, 2010 - Revision: 2.0
A Windows Server 2003-based computer may stop responding after you enter your user name and password in the Windows logon dialog box

Once the server is back up, scan it with antivirus programs other than your normal one. Sophos offers a 30-day trial version that handles servers too. Run MalwareBytes as well.

But the underlying issues manifest themselves in many ways. Check your Windows Server services carefully. We found a rogue COM+ entry as well as some other references that we disabled.

One thing we did that also caused a problem was to disable numerous items that we no longer used. Evidently uninstall doesn't really work for everything, who knew, right?

Two things we disabled ended up blocking our login. One was a remote control viewer software that should no longer be there, yet changing it affected login. Cleaning that up in registries and uninstall codes.
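Since checking services and then disabling leftovers is what locked us out, here is one way to record service state before touching anything and to see exactly what changed afterwards. This is an added example, not something we ran during the incident; it assumes PowerShell 2.0 or later is installed, the baseline file name and the list of expected install directories are placeholders, and it covers Windows services only, not the COM+ catalog.

```powershell
# Added example: snapshot services before disabling anything, diff on later runs.
# Assumptions: PowerShell 2.0+, run as administrator, hypothetical baseline file name.
param(
    [string]$BaselinePath = ".\services-baseline.csv"
)

# Name, start mode, state, logon account and binary path for every service.
# Round-tripping through CSV turns every value into a plain string so the
# baseline and the live snapshot compare cleanly (null vs. empty paths).
function Get-ServiceSnapshot {
    Get-WmiObject -Class Win32_Service |
        Select-Object Name, DisplayName, StartMode, State, StartName, PathName |
        Sort-Object Name |
        ConvertTo-Csv -NoTypeInformation |
        ConvertFrom-Csv
}

$current = Get-ServiceSnapshot

if (-not (Test-Path $BaselinePath)) {
    # First run: save the state BEFORE any service is disabled or removed.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath"
} else {
    # Later runs: show services that were added, removed, or whose start mode
    # or binary path changed. "<=" is the baseline value, "=>" the current one.
    $baseline = Import-Csv -Path $BaselinePath
    Compare-Object $baseline $current -Property Name, StartMode, PathName |
        Sort-Object Name |
        Format-Table Name, StartMode, PathName, SideIndicator -AutoSize
}

# Review list: services whose binary is outside the usual install locations.
# A hit is a prompt to look closer, not proof of compromise; paths stored in
# an unexpanded form will also show up here.
$expected = @($env:SystemRoot, $env:ProgramFiles)
$current | Where-Object {
    $path = $_.PathName.Trim('"')
    $path -and -not ($expected | Where-Object {
        $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
    })
} | Format-Table Name, StartMode, StartName, PathName -AutoSize
```

If a login problem appears after cleanup, the "<=" rows give the previous start mode of each changed service, so the change can be reverted one service at a time.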

But the worse-for-wear server is back now, cleaned from the sole blacklist it landed on, and humming along. Along the way I found a different server which has been up for over 120 days so far. Given that some fix packs came out in that time, I'm not sure why it got skipped, but it is scheduled for updates over the long weekend.

So keep your head above water and work on getting the server back up, virus-free of course, and accessible while you do your forensics.