As you have read, we had a box get attacked last week. Still finding little things on it to fix. Like this gray box problem for RDP. Log in and the screen would stay gray, or the login box would just stay on top.
My friends online had some advice but the funny thing was no matter what we did, we could not manage to log on to the server at the console. Eventually I got RDP back up, after a LONG LONG delay.
How do you fix something that doesn't exist? HOTFIX! Maybe.
Yes, you read that right, hotfix. Microsoft has released a specific hotfix:
Article ID: 942880 - Last Review: February 1, 2010 - Revision: 2.0
A Windows Server 2003-based computer may stop responding after you enter your user name and password in the Windows logon dialog box
Once the server is back up, run different virus programs than your normal one. Sophos runs a 30 day trial version, and handles servers too. Run MalwareBytes too.
But the underlying issues manifest themselves in many ways. Check your Windows Server services carefully. We found a rogue COM+ entry as well as some other references that we disabled.
One thing which we did that also caused a problem was to disable numerous items that we no longer used. Evidently uninstall doesn't really work for everything, who knew, right?
Two things we disabled ended up blocking our log in. One was a remote control viewer software that should no longer have been there, yet changing it affected login. Cleaning that up in the registry and uninstall codes.
But the worse-for-wear server is back now, cleaned from the sole blacklist it landed on and humming along. Along the way I found a different server which had been up for over 120 days so far. Given some fix packs came out in that time, not sure why it got skipped, but it is scheduled for updates over the long weekend.
So keep your head above water, work on getting the server back up, virus free of course, and accessible while you do your forensics.
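A practical form of the services check the post recommends (and of the services comparison and startup check the comments mention), added here as an example that is not from the original post: a PowerShell script that snapshots a server's services and its Run/RunOnce autostart registry values, and diffs them against a baseline taken from a known-good server or from the same server before any changes. The script name, the file paths and the -Baseline/-SnapshotPath/-BaselinePath parameters are assumptions for illustration; the cmdlets used are stock ones available from PowerShell 2.0 onward.

```powershell
# Added example, not from the original post: snapshot a server's services and
# Run/RunOnce autostart entries, then diff them against a baseline snapshot.
# Script name, paths and parameter names are assumptions for illustration.
#
# On a known-good server (or on this server before making changes):
#   .\Compare-ServerBaseline.ps1 -Baseline -SnapshotPath C:\temp\good.csv
# On the suspect server, with good.csv copied over:
#   .\Compare-ServerBaseline.ps1 -BaselinePath C:\temp\good.csv
param(
    [switch]$Baseline,
    [string]$SnapshotPath = "C:\temp\services-snapshot.csv",   # placeholder path
    [string]$BaselinePath = ""                                 # placeholder path
)

# One row per service: name, start mode, binary path and the account it runs as.
# A rogue service shows up as a new Name; a tampered one as a changed Path or Account.
function Get-ServiceSnapshot {
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        New-Object PSObject -Property @{
            Type      = 'Service'
            Name      = [string]$_.Name
            StartMode = [string]$_.StartMode
            Path      = [string]$_.PathName
            Account   = [string]$_.StartName
        }
    }
}

# One row per value under the common autostart keys (machine-wide and current user).
function Get-AutorunSnapshot {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these provider properties to its output; they are not registry values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            New-Object PSObject -Property @{
                Type      = 'Autorun'
                Name      = "$key\$($p.Name)"
                StartMode = ''
                Path      = [string]$p.Value
                Account   = ''
            }
        }
    }
}

$fields  = 'Type', 'Name', 'StartMode', 'Path', 'Account'
$current = @(Get-ServiceSnapshot) + @(Get-AutorunSnapshot)

if ($Baseline) {
    $current | Select-Object $fields | Export-Csv -Path $SnapshotPath -NoTypeInformation
    Write-Host "Baseline with $($current.Count) entries written to $SnapshotPath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "Baseline file not found: $BaselinePath (run with -Baseline first)"
}
$base = @(Import-Csv -Path $BaselinePath)

# Compare on every field, so a changed binary path, start mode or account is
# reported as well as a brand-new entry. '=>' = only on this server, '<=' = only in the baseline.
Compare-Object -ReferenceObject $base -DifferenceObject $current -Property $fields |
    Sort-Object Type, Name |
    Format-Table SideIndicator, Type, Name, StartMode, Path, Account -AutoSize -Wrap
```

Take the baseline from a server at the same OS and patch level where possible; otherwise stock services that differ between patch levels will show up as noise. The rows worth a second look are the ones marked `=>` (present only on the suspect server) and any entry whose Path points somewhere unusual for a service binary. The script covers services and Run keys only; the rogue COM+ entry the post mentions lives in the COM+ catalog and has to be reviewed separately in Component Services.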
We are seeing this occur now on our Lotus Notes servers. The MS hotfix appears to work... did you end up applying it? Or do you suspect it was related to the virus attack? Oddly, it's only happening on our Lotus Notes servers, and no other non-Lotus Windows 2003 servers. And it's not all of them... just a small percentage, but still disconcerting. I will do the services comparison to see if there are any anomalies, but if you have any other suggestions, that would be great.
Ran the hotfix as I recall. Check also to see if any policies have changed or remote access has been changed.
It was a very odd situation and only affected the one server. So not a consistent problem for all.
My guess was a mixture of updates, configuration and rogue services caused it.
Check your startup as well for anything you don't recognize.
It really was change, then test, change, then test till we narrowed it down. Happy to help if I can; reach me on one of the connections from the top left of the blog.