W2K Server SBS

Kevin

Help! I am the IT admin for a small company and we have a problem with our
server. Several weeks ago the server was hacked and all the accounts were
disabled in MS Exchange 2000. Even the admin account was disabled. It took
an outside consultant over five hours with a dictionary program to break
back into the server and help me to get it fixed. The hackers installed mIRC
and other software including some script that runs when the server boots. I
cannot find this script and do not know its purpose.
Last Saturday a new problem developed. When the server boots I get a
screen titled Service Control Manager stating: At least one service or
driver failed during system startup. Use Event Viewer to examine the event
log for details.
After that screen the system seems to hang during the boot process on the
screen saying "Preparing network connections...". This often takes 10-15
minutes before I get the logon screen. This server is our PDC.
Once I have logged on to the server, Active Directory is not present and MS
Exchange also is disabled. The computer cannot see the network. I can ping
the NIC and the router both with no lost packets but the network is still
unavailable. When I try to access Active Directory I get an error
message stating the "Naming information cannot be located because: The
server is not operational. Contact your system administrator to verify that
your domain is properly configured and is currently online." After this the
Active Directory Snap-In pops up with a red 'x' in the left pane.
From the Event Viewer I get the following errors: System Log: Print-The
PrintQueue Container could not be found because the DNS domain name could
not be retrieved. Warnings Netlogon-Dynamic registration or deregistration
of one or more DNS records failed because no DNS servers are available.
Another critical warning is DCOM Access denied attempting to launch a DCOM
Server. The server {9DA0E106-86CE-11D1-8699-00C04FB98036} The user is
SYSTEM/NT AUTHORITY,SID=S-1-5-18.
Another warning is Service Control Manager The Microsoft Exchange
Information Store service depends on the Microsoft Exchange System Attendant
service which failed to start because of the following error: %%0.
In the Directory Service Log I have a warning from NTDS: The attempt to
communicate with global catalog... failed with the following status:
The RPC server is unavailable.
The operation in progress might be unable to continue. The directory service
will use the locator to try find an available global catalog server for the
next operation that requires one.
The record data is the status code.
The above warning was followed by an error: Unable to establish connection
with global catalog.

Based on the myriad problems listed above I sure could use some guidance
from those that know more than me. I have applied the Blaster patch to the
server because of the RPC references in the Event Viewer logs and regularly
apply patches that MS recommends. Norton Antivirus Corporate Edition ver 7.5
has been installed and maintained for several years. The virus definitions
are current and system scans have not found any Worms or Trojans.
Please reply to the group. Thank you for your help.
Kevin Y
 
Vivien Wu [MSFT]

Hello,

Please refer to the article below to resolve the issue.

257346 "Access This Computer from the Network" User Right Causes Tools Not to
http://support.microsoft.com/?id=257346

Thanks.

--------------------
| From: "Kevin" <[email protected]>
| Subject: W2K Server SBS
| Date: Tue, 26 Aug 2003 09:34:37 -0400
| Newsgroups: microsoft.public.win2000.dns

Sincerely,

Vivien Wu
MCSA, MCSE2000 and MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.
 
Lanwench [MVP - Exchange]

Do you have good backups (including *online* backups of Exchange)?

In a case like this, rather than screw around with bandaids, I'd do a
complete wipe and reinstall of the box - patch it with ALL critical updates
and recommended updates where relevant, get a good firewall in place
(hardware appliance protecting your network, blocking all but port 25 for
SMTP and 443 for Outlook Web Access (install SSL)). The firewall should be in
place before you connect the server/network to the Internet.

You will never know for sure what else is wrong with the box, and the clock
is ticking.
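
An added example, not part of the post above: one way to confirm, from a machine outside the new firewall, that the rebuilt server exposes only the two ports the post allows (25 and 443). The watch list of internal Windows 2000 service ports, the function names and the simulated probe results are assumptions made for this illustration.

```python
import socket

# Policy stated in the post: inbound SMTP and HTTPS (Outlook Web Access) only.
ALLOWED_INBOUND = {25, 443}

# Constructed watch list: the allowed ports plus well-known ports a Windows 2000
# domain controller / Exchange server uses internally and should never expose.
WATCHED = [25, 53, 80, 135, 139, 389, 443, 445, 3268, 3389]


def tcp_open(host, port, timeout=1.0):
    """Return True if a full TCP connection to host:port succeeds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def audit_exposure(host, ports, allowed=ALLOWED_INBOUND, probe=tcp_open):
    """Compare reachable ports with the allow-list.

    Returns (unexpected, missing):
      unexpected - reachable ports that the policy does not allow
      missing    - allowed ports that were checked but are not reachable
    """
    checked = set(ports)
    reachable = {p for p in checked if probe(host, p)}
    unexpected = sorted(reachable - set(allowed))
    missing = sorted((set(allowed) & checked) - reachable)
    return unexpected, missing


def simulated_probe(host, port):
    """Constructed result set so the demo runs offline: RPC endpoint mapper
    (135) and global catalog (3268) leak through, and 443 is not up yet."""
    return port in {25, 135, 3268}


if __name__ == "__main__":
    # Offline demo with constructed results. For a real check, drop the
    # probe argument and pass your own server's public address.
    unexpected, missing = audit_exposure("server.example", WATCHED,
                                         probe=simulated_probe)
    print("Exposed but not allowed:", unexpected)
    print("Allowed but unreachable:", missing)
```

Run the real check from outside the firewall, once before the server goes live and again after every firewall rule change.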
 
