Wednesday, August 19, 2009

The worm ate my SharePoint homework

Let me start this post with a question I had to answer today:

If your SharePoint Web Front End server suddenly loses its connection to the database server, what is the first thing that comes to your mind?

In my case, plenty of stuff, from pure hardware breakdown to a very convoluted side effect of my last modification. The latest being a click on “Add a Link” in the navigation settings, I was a bit skeptical about that :)


Actually, I hadn't even started to imagine the actual cause. After checking the status of the DB server and digging through the event logs, it seemed like there was a problem with some account that had “insufficient privileges”. Opening my favorite AD Explorer (AdExplorer by SysInternals actually ;-) ), I checked the service accounts used by MOSS and bingo, they were locked.

When I told the client about my findings, they quickly found out why. Some computers were infected by a variant of Conficker, a worm that tries to break admin passwords open using a dictionary attack, thus locking the accounts.

So here is today's finding:

When the WFE loses its connection to the database server, check your antivirus ;-)
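The pattern behind this incident, as an added example that is not part of the original post: Python that takes failed-logon records, works out which accounts a lockout policy would have locked, and names the hosts guessing passwords across many accounts. The record format, account and host names, and the policy values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # assumed policy: failures before lockout
WINDOW = timedelta(minutes=30)   # assumed policy: failure counting window
SPRAY_MIN_ACCOUNTS = 3           # assumed: distinct targets that mark a host as suspect

def build_sample():
    """Constructed records 'time account source': one guessing host, one user typo."""
    base = datetime(2009, 8, 19, 9, 0, 0)
    rows = []
    for n in range(6):
        stamp = (base + timedelta(seconds=20 * n)).isoformat()
        for acct in ("svc_moss_farm", "svc_moss_search", "administrator"):
            rows.append(f"{stamp} {acct} WKS-017")
    rows.append(f"{base.isoformat()} jdoe WKS-042")
    rows.append(f"{(base + timedelta(minutes=1)).isoformat()} jdoe WKS-042")
    return "\n".join(rows)

def analyse(text, service_accounts):
    """Return locked accounts (with sources), suspect hosts, locked service accounts."""
    per_account = defaultdict(list)   # account -> [(time, source)]
    per_source = defaultdict(set)     # source  -> {accounts targeted}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source = line.split()
        per_account[account].append((datetime.fromisoformat(ts), source))
        per_source[source].add(account)

    locked = {}
    for account, events in per_account.items():
        events.sort()
        # Slide over the failures: THRESHOLD of them inside WINDOW means a lockout.
        for i in range(len(events) - LOCKOUT_THRESHOLD + 1):
            burst = events[i:i + LOCKOUT_THRESHOLD]
            if burst[-1][0] - burst[0][0] <= WINDOW:
                locked[account] = sorted({src for _, src in burst})
                break

    suspects = sorted(s for s, a in per_source.items() if len(a) >= SPRAY_MIN_ACCOUNTS)
    at_risk = sorted(a for a in locked if a in service_accounts)
    return {"locked": locked, "suspect_hosts": suspects, "service_accounts_locked": at_risk}

if __name__ == "__main__":
    report = analyse(build_sample(), {"svc_moss_farm", "svc_moss_search"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

A locked service account together with a single host appearing against several unrelated accounts is the signature to look for before suspecting the farm configuration.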

Photo : Structure of the influenza virus / Influenza en México 6 credit Hector Aiza @Flickr
