AD Security Issue? --- Local profiles being created with Active Directory accounts with no authorization

  • Question

  • Recently, we have discovered that various local profiles have been created on different computers on our network.  We are running around 1,000 to 1,200 computers, in an Active Directory environment. 

    Also, we are finding 1.exe and 2.exe running on these machines. Also, NTVDM.exe running anywhere from 95% to 100% CPU at a constant rate.  Google searching concluded that this relates to terminal service servers running mixes of 16-bit and 32-bit apps.  One of my colleagues found that RADIUS may be a factor.  We took our recently created RADIUS server offline.

    To give you an idea of how large scale this issue appears, I am the only one who actively logs on to my computer, using domain credentials. We don't use local accounts, except for administrator. There are a few other users who seldom log on. My computer normally houses about 7 profiles. Today, I had 60 profiles on my computer. None of those users ever logged in to my computer.

    In addition to this, many of these profiles are high profile users in the school corporation, such as administrators.  However, these users don't have any type of Domain Admin access at all.

    In reference to the NTVDM.exe, there is one particular AD account that seems to be running the process.  His account was disabled today.  However, this did not stop the process from randomly appearing on our network.

    We have a subnetted network, but we do not have the subnets VLANed out.

    The profiles that keep creating themselves on machines are spreading throughout our network.  Not all of these profiles pop up on each computer, but certain ones are on nearly every one we have found infected.

    Only one of our servers (thankfully) has had the profiles pop up.  It was not a domain controller, but it is a server that is joined to the domain.  We run a Server 2003 Native environment.

    I don't know if this is related or not, but we did find a machine that was performing HEAVY WAN traffic.  We had the computer shut down.  This may or may not be the cause, but since it is frozen with Deep Freeze we are unable to view logs.  Our best luck with that is questioning people as to who was using the machine at the time.

    Hopefully this info isn't too terribly scattered.  Any help would be great!  5 of us (6 in our dept) worked for 8 hours today trying to isolate and determine what was going on.

    Saturday, February 28, 2009 12:38 AM
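    An added example (not part of the thread, and not from anyone in it) of the kind of check that turns the symptom described above into a per-machine list: it compares the local profiles on a host against the interactive logons recorded in the Security log, so profiles that appeared without anyone sitting at the console stand out. It assumes a Vista/2008 or newer host with PowerShell 3 or later, run elevated; older XP/2003 machines lack the Win32_UserProfile class and log logons under different event IDs, and the 30-day lookback is an assumed value.

```powershell
# Added example, not the poster's code. Flag local profiles created recently for accounts
# that have no Interactive (2) or RemoteInteractive (10) logon in the Security log.
# Assumes Vista/2008+ with PowerShell 3+, run elevated. $LookbackDays is an assumed value.
$LookbackDays = 30
$since = (Get-Date).AddDays(-$LookbackDays)

# Collect SIDs that logged on at a console or via RDP. Network (3), batch (4) and
# service (5) logons can still create a profile, which is exactly what we want to spot.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue
$consoleUsers = @{}
foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.LogonType -in '2', '10') { $consoleUsers[$d.TargetUserSid] = $true }
}

# Enumerate real user profiles; Special excludes SYSTEM, LOCAL SERVICE and NETWORK SERVICE.
$profiles = Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special }
$report = foreach ($p in $profiles) {
    # Resolve the SID to DOMAIN\user where possible (disabled/deleted accounts may not resolve).
    $acct = try {
        (New-Object System.Security.Principal.SecurityIdentifier $p.SID).Translate([System.Security.Principal.NTAccount]).Value
    } catch { $p.SID }
    $created = (Get-Item $p.LocalPath -ErrorAction SilentlyContinue).CreationTime
    [pscustomobject]@{
        Account      = $acct
        ProfilePath  = $p.LocalPath
        Created      = $created
        ConsoleLogon = $consoleUsers.ContainsKey($p.SID)
        # New profile with no console/RDP logon behind it: created by a remote or service logon.
        Suspicious   = ($created -ge $since) -and -not $consoleUsers.ContainsKey($p.SID)
    }
}
$report | Sort-Object Created -Descending | Format-Table -AutoSize
```

    Run it on one of the affected machines and on a known-clean one; the accounts that show up as Suspicious across many hosts are the ones whose credentials are being used for remote logons, which is where to focus the cleanup.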

Answers

  • Hi, this is the Windows HOME Server forum. Please post your question in the appropriate forum.

    Having said that I think you have a major problem on your hands. Please have a look at this Symantec page and this F-secure page. Good luck! 
    • Proposed as answer by Lara Jones (Moderator) Saturday, February 28, 2009 1:13 AM
    • Marked as answer by TechTJ Saturday, February 28, 2009 1:15 AM
    Saturday, February 28, 2009 1:08 AM
    Moderator

All replies

  • Hi,

    This is the forum for Windows Home Server and as such, we won't really be able to help you with AD questions. You will have more luck posting in the Windows Server forums.

    Thanks!
    Lara Jones [MSFT] | Program Manager
    Community Support and Beta | Windows Home Server Team
    Windows Home Server Team Blog
    Connect Windows Home Server
    Windows Home Server
    Saturday, February 28, 2009 12:54 AM
    Moderator
  • I have posted this question to the proper forum now.  Thanks for the links though.
    Saturday, February 28, 2009 1:16 AM
  • You're welcome. I'm pretty sure that you have a nasty virus on your network, don't envy you.
    Saturday, February 28, 2009 1:31 AM
    Moderator