Re: Random file deletions
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Sat, 25 Feb 2006 00:09:02 -0700
Quite different.
First, I totally agree with Steve - latch down the NTFS permissions on
the files as far as you can, if you have not already, while still allowing
the app to function.
You sound as if you have done most ways to investigate.
You say deletes are sometimes from users that are not even logged
on at the time. By that I am taking "users" to mean the people rather
than the accounts. You have viewed a consolidated security log of
the machines, such as with EventCombMT, to determine that the
account was not logged in _anywhere_ ?
Does the SBS allow for remote desktop logins? That would most
likely not raise eyebrows with the MS external scan, but would be
a route in once account/pwd are known.
Has the MS Malicious Software Removal Tool been run everywhere
with the February signatures (mentioned as it can catch some of the
rootkits afloat)?
I also find the non-random, predictable pattern of the delete which
you have mentioned interesting - perhaps a key part of the puzzle.
Try changing all passwords, certainly for the accounts seen doing
the deletes at minimum, once more - this time with script or from
a remote desktop from your consultant's laptop to the new SBS
(just trying to rule out any keylogging). Accounts are of minimum
power, right (on all machines)?
My "guess" is that one (or more) of the desktops has some well
hidden compromise. Of course the task is to determine if so, and
to prevent anything from dirtying the new SBS in the meantime.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
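One way to do the log consolidation Roger suggests is to join the file-delete audit events to the logon session that performed them, so each delete is tied to the host and IP it came from rather than just the account name. This is an added example, not from the thread; it assumes a Windows server with object-access auditing and a SACL on the application folder (Vista+ event IDs 4663/4624, not the 560/564 that SBS 2003 logs), and the folder path is a placeholder.

```powershell
# Added example (not from the thread). Assumes "Audit File System" is on
# and the application folder carries a SACL, so deletes show up as
# Security event 4663 with the DELETE bit set in AccessMask.
param(
    [string]$Folder = 'D:\Apps\LineOfBusiness',  # placeholder path
    [int]   $Hours  = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Turn an event's EventData into a name->value hashtable.
function Get-EventFields($Event) {
    $row = @{}
    foreach ($x in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $row[$x.Name] = $x.'#text'
    }
    return $row
}

# 4624 = successful logon. Index by Logon ID so each later access event
# can be traced back to where that session came from (type 3 = network,
# type 10 = remote desktop; WorkstationName/IpAddress give the source).
$logons = @{}
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} |
  ForEach-Object {
      $f = Get-EventFields $_
      $logons[$f.TargetLogonId] = $f
  }

# 4663 = object access attempt. AccessMask is hex text; 0x10000 is DELETE.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=$since} |
  ForEach-Object {
      $f    = Get-EventFields $_
      $mask = [Convert]::ToInt32($f.AccessMask, 16)
      if (($mask -band 0x10000) -and ($f.ObjectName -like "$Folder*")) {
          $src = $logons[$f.SubjectLogonId]
          [pscustomobject]@{
              Time      = $_.TimeCreated
              User      = $f.SubjectUserName
              File      = $f.ObjectName
              Process   = $f.ProcessName     # System for SMB deletes
              LogonType = $src.LogonType
              FromHost  = $src.WorkstationName
              FromIP    = $src.IpAddress
          }
      }
  } | Sort-Object Time | Format-Table -AutoSize
```

A delete attributed to a user whose own workstation was powered off will show a different FromHost/FromIP, which is the first thing to check before concluding the credentials are being used from somewhere else.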
<joe@xxxxxxxxxxx> wrote in message
news:1140798696.456504.170410@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have a very strange problem that I can't figure out. I was wondering
if anyone has seen this before. We have a network with about 40
workstations and a SBS server. It has one application that nearly
everyone runs to perform their day to day work from the server. About
six weeks ago several files disappeared from the executable directory
for the app. We did a restore and moved on. A couple days later it
happened again, and again and then again. We had a new server ready to
install for this company anyway, so we rushed it in. We migrated them
from an SBS 2000 machine to a new SBS2003 machine and in the process
changed everyone's passwords. After a few problem free days on the new
server the files disappeared again. We enabled logging on the server
and we can see that they are getting deleted by a couple different
users. These users were just working in the app at the time. I don't
think they are sophisticated enough to be maliciously deleting these
files. Sometimes they are deleted by users who aren't even in the
office and whose machines are shut down. The server has Norton
corporate 10.0.2 as do all workstations. The Norton logs show no
viruses detected on any machine on the network. We have virus scanned
all machines. We've had Microsoft analyze our ip and they found no
vulnerabilities (we have a SonicWall firewall). The company claims
their application runs no scripts that would do this, and the file
deletions sometimes occur in other directories that aren't related to
that software in addition to the main app. We have an incident going
with Microsoft on this. We've had their techs connect in and look at
our server and a couple workstations and they've found nothing unusual.
The deletions always start with the .com file for the application.
Sometimes that is the only file that gets deleted and sometimes it is
hundreds of files that get deleted. They delete in alphabetical order
over a very short period of time directory by directory. We've put
filemon on the server, but we don't get much info from it. We put
filemon on all of the workstations, but that brought the network to a
grinding halt, so we had to remove it.
Any ideas on this for me?
Thanks,
Joe