Re: Random file deletions



Though this does not answer your direct question I would have to wonder why
the users that apparently are deleting the files have modify/full
control/delete permissions to executables unless they are local
administrators and have valid reasons to be such. Though not a fix to the
problem you could at least temporarily make sure that no user or group
including administrators have modify/full control/delete permissions to
these files to see what happens [though of course administrators can always
give themselves access]. It certainly sounds like some sort of malicious
activity maybe caused by someone good at covering their tracks. I am not
sure what you mean by migrated but if the computer has been compromised then
you really should do a pristine install of the operating system bringing it
up to the patch and service pack level that it had before, reinstall
applications, restore data, and restore the System State from backup.

In addition other things that I would try would be to verify that only
authorized users/groups are members of any administrator groups on the
server including administrators, domain admins, schema admins, and
enterprise admins and also other privileged groups such as server operators.
Passwords for users in those groups need to be changed. You can use Group
Policy Restricted Groups to enforce membership in those groups though that
is not foolproof if an attacker gets a foothold. The computer should be
scanned for viruses and spyware in both regular and Safe Mode being sure
that you use latest definitions for both and checked for a hardware keyboard
logger that could be connected in the back to one of the ports. It could
also have a software keyboard logger installed that maybe a spyware/malware
detection program might find and that could explain a lot.

The SBS server needs to be physically secured to some degree to prevent
access by a malicious user. Another thing to keep in mind is to never ever
logon to a domain workstation that is not a secured admin workstation with
any account that has administrator powers in the domain. It is very easy for
a malicious user to capture credentials for such on their workstation or
configure their computer with scripts that use that administrator account to
take over the domain or allow malware on their workstation to do such. If
you do not need to use Remote Desktop to access the SBS server then disable
it at least temporarily.

In addition I would use Autoruns on the SBS server to see what it finds as
startup processes and I believe it may look for Group Policy scripts and
Scheduled Tasks. You should still check for any Scheduled Tasks to make sure
they are legit. Process Explorer may also be helpful to see if any
malicious processes are found and RootkitRevealer from SysInternals [free]
can be used to see if it finds any rootkits installed on the server which
malware/spyware programs will usually not find.

http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns from
Sysinternals

I would also be sure to look in the security logs to see if there is any
suspicious activity and be sure that auditing of account logon events, logon
events, account management, system events, and policy change are enabled for
success and failure. I would also enable auditing of process tracking until
the problem is found and use it to try and correlate processes to the file
deletions by time shown in the log which may provide a clue. Also look at
logon events at times around when the deletions happen to see if that can
provide any clues in case a user is doing it remotely and from what
computer. Account Management events can show if users passwords have been
changed and by whom and if any group memberships have been changed and by
whom. Your security log will need to be fairly large such as probably 50MB
or so. The fact that you have traced it to users that are not even around is
very troubling and indicates that someone has complete control of the server
and can capture user credentials to impersonate them. --- Steve
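Steve's suggestion of using process tracking, logon and object-access audit events to correlate the deletions by time, worked through as an added example that is not part of the original post. The script below runs over a constructed security-log export; the CSV layout, the user-to-workstation assignments and every sample line are assumptions made for this example, and the `path|DELETE` detail format is a simplification of the real event text. The event IDs it keys on (528 and 540 for successful logons, 560 for object open with the requested access, 592 for process creation) are the Windows 2000/2003 security log IDs. It attributes each DELETE request to the user's most recent logon (and the workstation it came from) and process-creation event, flags deletions whose logon came from a machine that user does not sit at, and detects the burst pattern Joe describes (many files in alphabetical order within seconds).

```python
"""Correlate file-deletion audit events with logon and process events.

All log lines here are constructed for this example. The CSV layout and
the ASSIGNED_WORKSTATION mapping are assumptions, not Windows' own export
format; event IDs 528/540 (logon), 560 (object open) and 592 (process
created) are the pre-Vista security log IDs.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: time, event id, user, source host, detail.
# For 560 events the detail is "<object path>|<requested access>".
SAMPLE_LOG = r"""time,event_id,user,source,detail
2006-02-24 09:58:02,540,jsmith,WS-07,network logon
2006-02-24 09:58:30,592,jsmith,SBS01,C:\APP\APP.EXE
2006-02-24 10:02:00,540,mlee,WS-31,network logon
2006-02-24 10:02:15,560,mlee,SBS01,C:\APP\APP.COM|DELETE
2006-02-24 10:02:16,560,mlee,SBS01,C:\APP\APPLIB.DLL|DELETE
2006-02-24 10:02:16,560,mlee,SBS01,C:\APP\BETA.DLL|DELETE
2006-02-24 10:05:00,560,jsmith,SBS01,C:\APP\DATA.DAT|READ
2006-02-24 10:30:44,560,jsmith,SBS01,C:\APP\REPORT.TMP|DELETE
"""

# Assumed: which workstation each user normally works from.
ASSIGNED_WORKSTATION = {"jsmith": "WS-07", "mlee": "WS-22"}

LOGON_IDS = {528, 540}   # successful logon / successful network logon
PROCESS_CREATED = 592    # "A new process has been created"
OBJECT_OPEN = 560        # object open, detail carries the requested access


def parse_log(text):
    """Parse the CSV export into dicts with real timestamps, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        events.append(row)
    events.sort(key=lambda e: e["time"])
    return events


def correlate_deletions(events, window=timedelta(hours=8)):
    """Attach each DELETE request to the user's latest logon and process.

    Only a logon/process seen within `window` before the deletion counts;
    otherwise the field is None, which is itself a finding (a deletion with
    no visible logon session behind it).
    """
    last_logon, last_process, deletions = {}, {}, []
    for e in events:
        user = e["user"]
        if e["event_id"] in LOGON_IDS:
            last_logon[user] = e
        elif e["event_id"] == PROCESS_CREATED:
            last_process[user] = e
        elif e["event_id"] == OBJECT_OPEN and e["detail"].endswith("|DELETE"):
            path = e["detail"].rsplit("|", 1)[0]
            logon, proc = last_logon.get(user), last_process.get(user)
            recent = lambda ev: ev is not None and e["time"] - ev["time"] <= window
            deletions.append({
                "time": e["time"],
                "user": user,
                "path": path,
                "logon_source": logon["source"] if recent(logon) else None,
                "process": proc["detail"] if recent(proc) else None,
            })
    return deletions


def flag_suspicious(deletions, assigned=ASSIGNED_WORKSTATION):
    """Deletions whose logon came from an unexpected (or no) workstation."""
    return [d for d in deletions
            if d["logon_source"] is None
            or d["logon_source"] != assigned.get(d["user"])]


def find_bursts(deletions, max_gap=timedelta(seconds=5), min_count=3):
    """Group consecutive deletions by one user with <= max_gap between them."""
    def summarize(run):
        paths = [d["path"] for d in run]
        return {"user": run[0]["user"], "start": run[0]["time"],
                "count": len(run), "alphabetical": paths == sorted(paths)}

    bursts, current = [], []
    for d in deletions:
        if current and (d["user"] != current[-1]["user"]
                        or d["time"] - current[-1]["time"] > max_gap):
            if len(current) >= min_count:
                bursts.append(summarize(current))
            current = []
        current.append(d)
    if len(current) >= min_count:
        bursts.append(summarize(current))
    return bursts


if __name__ == "__main__":
    found = correlate_deletions(parse_log(SAMPLE_LOG))
    for d in flag_suspicious(found):
        print("SUSPECT", d["time"], d["user"], d["path"],
              "logon from", d["logon_source"], "process", d["process"])
    for b in find_bursts(found):
        print("BURST", b)
```

On the sample data the three deletions by mlee are flagged because the logon behind them came from WS-31 rather than mlee's own machine, and they form one alphabetical burst; jsmith's single deletion from the assigned workstation is not flagged. On a real server the same approach needs a large security log (Steve's 50MB) and object-access auditing enabled on the application directory so that 560 events are written at all.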


<joe@xxxxxxxxxxx> wrote in message
news:1140798696.456504.170410@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have a very strange problem that I can't figure out. I was wondering
if anyone has seen this before. We have a network with about 40
workstations and a SBS server. It has one application that nearly
everyone runs to perform their day to day work from the server. About
six weeks ago several files disappeared from the executable directory
for the app. We did a restore and moved on. A couple days later it
happened again, and again and then again. We had a new server ready to
install for this company anyway, so we rushed it in. We migrated them
from an SBS 2000 machine to a new SBS2003 machine and in the process
changed everyone's passwords. After a few problem free days on the new
server the files disappeared again. We enabled logging on the server
and we can see that they are getting deleted by a couple different
users. These users were just working in the app at the time. I don't
think they are sophisticated enough to be maliciously deleting these
files. Sometimes they are deleted by users who aren't even in the
office and whose machines are shut down. The server has Norton
corporate 10.0.2 as do all workstations. The Norton logs show no
viruses detected on any machine on the network. We have virus scanned
all machines. We've had Microsoft analyze our ip and they found no
vulnerabilities (we have a SonicWall firewall). The company claims
their application runs no scripts that would do this, and the file
deletions sometimes occur in other directories that aren't related to
that software in addition to the main app. We have an incident going
with Microsoft on this. We've had their techs connect in and look at
our server and a couple workstations and they've found nothing unusual.
The deletions always start with the .com file for the application.
Sometimes that is the only file that gets deleted and sometimes it is
hundreds of files that get deleted. They delete in alphabetical order
over a very short period of time directory by directory. We've put
filemon on the server, but we don't get much info from it. We put
filemon on all of the workstations, but that brought the network to a
grinding halt, so we had to remove it.

Any ideas on this for me?

Thanks,

Joe


