Servers automatically getting renamed!!!

Guest

In my Windows 2000 and 2003 environment, there is a problem going on: each
week or month one of the servers renames and takes the name of a server "abc"
which already exists in the network. The issue has been going on. I have
enabled auditing and check each time the server has been renamed for event
560 in the security logs for modification to the registry (host name). I am
not able to get a solution so far; can anyone help me get to a solution?

PS: There are no network scripts running.
All the servers apparently take one name "abc".
abc server is a simple Windows 2000 running an application and is not a DC
or holding any special privileges.
 
Pegasus (MVP)

Umesh Thakur said:
In my Windows 2000 and 2003 environment, there is a problem going on: each
week or month one of the servers renames and takes the name of a server "abc"
which already exists in the network. The issue has been going on. I have
enabled auditing and check each time the server has been renamed for event
560 in the security logs for modification to the registry (host name). I am
not able to get a solution so far; can anyone help me get to a solution?

PS: There are no network scripts running.
All the servers apparently take one name "abc".
abc server is a simple Windows 2000 running an application and is not a DC
or holding any special privileges.

The answer is probably in your trailer: "Old jokers never die.
They just terminate and play silly games." In other words,
look around you and check who is in a position to play
this trick on you. A good starting point might be to change
the password for each and every admin account.
 
Guest

I don't think so. I have admin acct passwd to limited people, and any server
that is getting renamed is getting the same new name! I also tried keeping
admin passwd with me only for certain time period but few servers were
renamed during that period too!

It's real puzzling how it's all happening?
 
Pegasus (MVP)

It is a safe assumption that Windows does not change a
computer name by itself. If it did then we would have heard
about it a long time ago.

It follows that this is done by an outside agent. This could
be a hacker, a joker, or a virus/malware program. To isolate
it, you must start collecting evidence. Create the following
batch file c:\windows\ticker.bat

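@echo off
rem Make sure the log folder exists before anything is redirected into it
if not exist c:\Logs md c:\Logs
rem Log date, time, the computer name currently in use and any arguments
echo %date% %time:~0,5% %ComputerName% %* >> c:\Logs\Name.log
rem Export the computer name stored in the registry
regedit /e c:\Logs\name.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName"
rem Append the exported value to the log
for /F "tokens=2 delims==" %%a in ('type c:\Logs\name.txt') do echo %%a >> c:\Logs\Name.log
rem Record who is logged on
c:\tools\psloggedon >> c:\Logs\Name.log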

Now use the Task Scheduler to schedule two jobs:
1. One job to launch this command each time the server starts:
c:\windows\ticker.bat Server Booting up
2. One job to launch this command once every 10 minutes,
24 hours a day, 7 days a week:
c:\windows\ticker.bat

When the next name change happens, examine the log file
carefully. It will tell you this:
1. When the computer name was changed.
2. When the server was rebooted.
3. When the new name became visible.
4. Who was logged on.

You can download psexec.exe from www.sysinternals.com.

Let us know when you find the culprit!
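
One way to examine the resulting Name.log automatically, added here as an example that is not part of the original post: the Python script below splits the log into one record per ticker.bat run and reports reboots, the run in which the registry name first differed, and the run in which %ComputerName% showed the new name. The log layout, the date format, the psloggedon lines and the names parse_samples and timeline are assumptions made for this example, and the sample log is constructed.

```python
import re

# Constructed sample of c:\Logs\Name.log (three runs of ticker.bat); the date
# format and the psloggedon lines are assumptions and vary by locale/version.
SAMPLE_LOG = r'''Tue 03/14/2006 10:10 SRV01
"SRV01"
Users logged on locally:
     3/14/2006 9:50:12 AM    CORP\jsmith
Tue 03/14/2006 10:20 SRV01
"ABC"
Users logged on locally:
     3/14/2006 9:50:12 AM    CORP\jsmith
     3/14/2006 10:14:40 AM    CORP\svc_backup
Tue 03/14/2006 10:31 ABC Server Booting up
"ABC"
No one is logged on locally.
'''

HEADER = re.compile(r'^(\S.*? \d?\d:\d\d) (\S+)\s*(.*)$')  # date time %ComputerName% [note]
QUOTED = re.compile(r'^"(.*)"\s*$')   # value cut from the regedit export

def parse_samples(text):
    """Split the log into one record per ticker.bat run."""
    samples = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            samples.append({"when": head.group(1), "active": head.group(2).upper(),
                            "boot": "boot" in head.group(3).lower(),
                            "registry": None, "sessions": []})
        elif samples and QUOTED.match(line):
            # The last quoted line of a run is taken as the registry name
            samples[-1]["registry"] = QUOTED.match(line).group(1).upper()
        elif samples and line[:1].isspace() and line.strip():
            samples[-1]["sessions"].append(line.strip())   # indented psloggedon entry
    return samples

def timeline(samples):
    """Report reboots, registry name changes and when the new name went live."""
    events = []
    for prev, cur in zip([None] + samples, samples):
        if cur["boot"]:
            events.append({"when": cur["when"], "kind": "boot"})
        if prev and cur["registry"] != prev["registry"]:
            events.append({"when": cur["when"], "kind": "registry-changed",
                           "since": prev["when"], "sessions": cur["sessions"],
                           "detail": f'{prev["registry"]} -> {cur["registry"]}'})
        if prev and cur["active"] != prev["active"]:
            events.append({"when": cur["when"], "kind": "name-visible",
                           "detail": f'{prev["active"]} -> {cur["active"]}'})
    return events
```

The "since" and "when" fields of a registry-changed event bracket the 10-minute window in which the name was written, which is the period to compare against the security log and the listed sessions.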
 
