We had a pretty shocking discovery the other day when a new client who has old systems in place (which we are trying to convince them to upgrade) had a whole lot of strange things on one of their server's screens. After taking a look, we discovered that someone had logged onto the server using VNC. We traced it back to someone in Turkey. They didn't do a great job of covering their tracks, which is pretty unusual in my experience. Usually the only way you can tell your server has been hacked is because all the log files have been deleted. Considering how rubbish their internet connection is, they probably lost interest. What did they do? Well... essentially they used various websites that sent spam email, pretending to be from Credit Agricole Bank, to thousands of email addresses in France. Pretty serious stuff. They used different websites and different bits of software to do this. Step one is to block their access to the server so they cannot carry on utilising it as a gateway. Note the...
Well, finally had to do a complete restore of the server. Did the first restore but the issue still existed. Tried a number of different troubleshooting steps, including:
Trying to find and delete the pending.xml file from the winsxs folder. However, it was not there.
Cleared out the SoftwareDistribution folder.
Cleared out the pending registry keys.
Please try the below-mentioned commands in the recovery console:
rem Step 1: move the current (possibly corrupt) hives aside under a .old name
cd C:\windows\system32\config
ren system system.old
ren software software.old
ren SAM SAM.old
ren security security.old
ren default default.old
ren components components.old
rem Step 2: copy the last known-good hives from RegBack into place
rem (the files in RegBack keep their original names, without .old)
cd c:\windows\system32\config\regback
copy system C:\windows\system32\config\system
copy software C:\windows\system32\config\software
copy sam C:\windows\system32\config\sam
copy security C:\windows\system32\config\security
copy default C:\windows\system32\config\default
copy components C:\windows\system32\config\components
Nothing worked. Microsoft wanted me to send them a CBS log file to analyse, at which point I decided they didn't have a clue what to do and had more time than I was willing to give them. I left it doing another restore to the day before.
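As an added example (not the commands from the post above, nor anything supplied by Microsoft), here is the same RegBack hive swap written as a batch script for the recovery console, with the checks a practitioner would want before overwriting live hives: it aborts unless every RegBack hive exists and is non-empty, refuses to clobber an earlier attempt's .old copies, and stops at the first failed rename or copy. The drive letter and hive list are assumptions; in the recovery console the Windows volume is often not mapped to C:, so adjust TARGET after checking with dir.

```batch
@echo off
rem Added example, not from the original post or from Microsoft.
rem Restores registry hives from RegBack with pre-flight checks and an undo path.
rem Assumption: the Windows volume is mapped to %TARGET% in the recovery console.
setlocal
set "TARGET=C:\Windows"
set "CONFIG=%TARGET%\System32\config"
set "REGBACK=%CONFIG%\RegBack"
set "HIVES=SYSTEM SOFTWARE SAM SECURITY DEFAULT COMPONENTS"

rem Pre-flight: every RegBack hive must be present and non-empty. Newer Windows
rem versions leave 0-byte placeholders here; copying one leaves the box unbootable.
for %%H in (%HIVES%) do (
    if not exist "%REGBACK%\%%H" (
        echo Missing backup hive: %REGBACK%\%%H
        exit /b 1
    )
    for %%S in ("%REGBACK%\%%H") do if %%~zS EQU 0 (
        echo Backup hive is empty ^(0 bytes^): %REGBACK%\%%H
        exit /b 1
    )
)

rem Do not silently overwrite the .old copies left by an earlier attempt.
for %%H in (%HIVES%) do if exist "%CONFIG%\%%H.old" (
    echo %CONFIG%\%%H.old already exists; move it aside before re-running.
    exit /b 1
)

rem Rename each live hive aside, then copy the RegBack hive into place.
rem Stop at the first failure so the config folder is never half-swapped.
for %%H in (%HIVES%) do (
    ren "%CONFIG%\%%H" "%%H.old" || exit /b 1
    copy /Y "%REGBACK%\%%H" "%CONFIG%\%%H" >nul || exit /b 1
    echo Restored %%H from RegBack
)
echo Done. Reboot to test; to undo, rename each %CONFIG%\*.old back over the restored hive.
endlocal
```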
The fact is that a Windows update totally killed the server and we had to do a complete restore of the whole system from backup. Lucky we had a full backup, but I still think it is a little disgusting that this happened in the first place and Microsoft have no answer, as I saw this posted a lot on the net with no solutions.