Re: Has my DC been hacked?

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/25/05

    Date: Thu, 24 Mar 2005 23:30:24 -0700
    
    

    From what I am hearing I can see a picture that does show
    why you express these concerns.
    One might expect some corruptions if the files were being
    write touched while the disk IO subsystem was failing, but
    only if failing in a way that was not reflected to the operating
    system. NTFS is a journaling system, with rollback/rollforward
    capability, and the OS is designed to do a hard stop (blue screen)
    if the interrupt handlers cannot determine that recovery would be
    safe and would not lead to damage upon continuing. That these
    are so conservative makes it surprising there are not more hard
    stops experienced, but in your case, if the file issues are due to
    the disk IO subsystem failing it would have needed to have been
    below the OS. You might want to reverify the hardware health,
    that any raid hardware, motherboard firmware, etc. are at the
    best microcode release levels. Also, some IBM hard disks of
    a year plus ago were subject to recall for their internal firmware,
    that could in specific scenarios lead to corruption. Etc.

    Otherwise, the thing remains that it only makes sense if there was
    some process active at the time performing writes, but you do not
    seem to have the info/logs that help get at that question.

    -- 
    Roger Abell
    <anonymous@discussions.microsoft.com> wrote in message
    news:0b6501c5306b$a532c910$a401280a@phx.gbl...
    > Yeah most of the filenames are fine, there are a few that
    > have been corrupted in filename or data, and some that
    > are 0kb. But most have the correct name.
    >
    > The times aren't offset though, there are a lot of files
    > that were last accessed at 17:30 ish (the time everyone
    > logs off and goes home). So that's correct. And my local
    > time zone is Greenwich Mean Time anyway.
    >
    > Good point about the post-backup verification - hadn't
    > considered that. But I'm pretty sure that it wasn't set
    > to do that, and even if it was that would have started at
    > about 10:30 so would be well finished by 3am.
    >
    > As for the availability, some files are on the main
    > network share area (accessible by everyone) and others
    > are on people's personal storage areas and should only be
    > accessible by them or admins. Both have been accessed.
    > Although interestingly, not ALL have been accessed, and
    > some have been accessed the night before at the same sort
    > of time.
    >
    > In answer to Jeff's point, we use the ISA server as our
    > firewall and unfortunately all logs were lost with the C:
    > partition. However I did find a hardware log in the BIOS
    > of the computer which told me the server BSOD'd at
    > 03:25am due to the pagefile becoming corrupted (error
    > 0x77). Just before and after that event there were
    > hardware errors reported on two of the hard disks in the
    > RAID 5 array.
    >
    > I'm using the same disks now and there hasn't been a
    > problem since; maybe I should replace them?
    >
    >
    > >-----Original Message-----
    > >So again I will ask: the files are as expected in name, it is
    > >just a matter of the timestamp for last access?
    > >If you consider those times as Greenwich universal and
    > >translate to your local time, does that bring it to match the
    > >backup time? Or, was there a post backup verification job
    > >that kicked off later?
    > >
    > >It is pretty easy to have something very small that does
    > >much much work locally. Accessing files does not mean
    > >pushing them down the network pipe.
    > >
    > >Did you mention whether these are on an available share,
    > >that is, accessible on your network (other than by use of the
    > >administrative shares)? Is there any ability to remote desktop
    > >to other boxes on your network?
    > >
    > >-- 
    > >Roger Abell
    > >Microsoft MVP (Windows Security)
    > >MCSE (W2k3,W2k,Nt4) MCDBA
    > >"Adam Atkinson" <anonymous@discussions.microsoft.com> wrote in message
    > >news:0b6001c52f99$0ba6cdf0$a601280a@phx.gbl...
    > >> Hi Roger, thanks for the reply.
    > >>
    > >> We didn't have a hotspare, and our AV was not set to do
    > >> an overnight scan, nor was the defrag. I can't think of
    > >> anything that would do this, but now I don't think it was
    > >> necessarily a hacker simply because of the sheer volume
    > >> of data (it couldn't possibly all have gone through our
    > >> ADSL line over one or two nights). I guess it could have
    > >> been some kind of virus scanning for certain words in
    > >> documents or whatever, or (and it's a long shot I know)
    > >> maybe the system clock went a bit mad?
    > >>
    > >>
    > >> >-----Original Message-----
    > >> >Usually if RAID fails and you have a hot spare the RAID
    > >> >will begin a rebuild. Even then, or if it is without hotspare, the
    > >> >operations are below the horizon of the filesystem so timestamps
    > >> >would not be affected.
    > >> >
    > >> >Are the files then of name not out of the ordinary?
    > >> >
    > >> >If you have an antivirus scan scheduled these can, depending on
    > >> >the AV product and version, cause timestamps, sometimes even
    > >> >the last modified, to be updated.
    > >> >
    > >> >-- 
    > >> >Roger Abell
    > >> >Microsoft MVP (Windows Security)
    > >> >MCSE (W2k3,W2k,Nt4) MCDBA
    > >> >"Adam Atkinson" <anonymous@discussions.microsoft.com> wrote in message
    > >> >news:099d01c52f4c$0d68d040$a601280a@phx.gbl...
    > >> >> Hi, wonder if anyone can give me some advice. I came into
    > >> >> work last week to find our company's domain controller
    > >> >> (SBS 2000) had apparently crashed overnight. The screen
    > >> >> was black apart from a message that said that two SCSI
    > >> >> disks in the RAID 5 array (3 36GB disks) had failed but
    > >> >> had become operational again. Windows would not boot and
    > >> >> it soon became apparent that the C: partition was badly
    > >> >> corrupted and needed re-formatting. I put this down to a
    > >> >> power spike upsetting two drives, re-installed and
    > >> >> eventually we are back running again. However a data
    > >> >> partition survived the crash (more or less) and I was
    > >> >> looking through the files yesterday; there are loads of
    > >> >> files that appear to have been 'last accessed' between
    > >> >> 12am and 4am on the night of the crash, and others with
    > >> >> similar times but the previous night. And I mean thousands
    > >> >> of files, as if someone had tried to copy everything off
    > >> >> our server. Backup finishes around 10:30pm so it's not
    > >> >> that. We don't have remote access and the building was
    > >> >> empty at the time (I even checked the CCTV). If a drive
    > >> >> failed and the RAID card detected this, would it have any
    > >> >> reason to start accessing files? Is there anything else
    > >> >> that may start accessing files? Could the timestamps have
    > >> >> become corrupted? Could Windows have been doing something
    > >> >> as a response to detecting corruption?
    > >> >>
    > >> >> I guess what I'm wondering is, have I been hacked? Or is
    > >> >> there another explanation?
    > >> >>
    > >> >> Cheers
    > >> >>
    > >> >> Adam
    > >> >
    > >
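The thread turns on three diagnostic questions that Roger raises and Adam answers piecemeal: are the NTFS last-access times being read in the right time zone (NTFS stores them in UTC), do they line up with a known scheduled job such as the backup or an AV scan, and which areas (the public share versus people's personal storage areas) were touched. The script below is an added example, written for this page and not taken from the thread or any product it names. It assumes a hypothetical D:\Users\<name>\ layout for personal areas; the sample records, the site offset and the job windows are constructed so it runs offline, and scan_directory() is there to feed it a real tree instead.

```python
"""Triage helper for a burst of 'last accessed' timestamps on an NTFS data
partition: translate UTC to local time, bucket by hour, separate accesses
that fall inside declared job windows from the rest, and count how many
distinct personal areas were touched.  Added example; layout, schedule and
sample records are constructed assumptions, not facts from the thread."""
import os
from collections import Counter
from datetime import datetime, time, timedelta, timezone

# Constructed sample: (path, last access time in UTC), as a file walk would report.
SAMPLE_RECORDS = [
    ("D:\\Shared\\report1.doc",       datetime(2005, 3, 16, 17, 28, tzinfo=timezone.utc)),
    ("D:\\Shared\\report2.doc",       datetime(2005, 3, 16, 22, 45, tzinfo=timezone.utc)),
    ("D:\\Shared\\budget.xls",        datetime(2005, 3, 16, 22, 50, tzinfo=timezone.utc)),
    ("D:\\Shared\\minutes.doc",       datetime(2005, 3, 17, 1, 10, tzinfo=timezone.utc)),
    ("D:\\Users\\alice\\private.doc", datetime(2005, 3, 17, 1, 12, tzinfo=timezone.utc)),
    ("D:\\Users\\bob\\notes.txt",     datetime(2005, 3, 17, 2, 40, tzinfo=timezone.utc)),
    ("D:\\Users\\bob\\plan.xls",      datetime(2005, 3, 17, 2, 41, tzinfo=timezone.utc)),
    ("D:\\Shared\\archive.zip",       datetime(2005, 3, 17, 3, 5, tzinfo=timezone.utc)),
]

# Assumed schedule in local time: working hours and the nightly backup window.
SCHEDULED_WINDOWS = [
    (time(8, 0), time(18, 0)),    # users at work
    (time(21, 0), time(23, 0)),   # backup job, finishing around 22:30
]


def scan_directory(root):
    """Walk a real directory tree and return (path, atime as aware UTC datetime)."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # unreadable entries are skipped rather than aborting the scan
            records.append((full, datetime.fromtimestamp(st.st_atime, tz=timezone.utc)))
    return records


def to_local(ts_utc, offset_hours):
    """Translate a UTC timestamp to a fixed local offset (Roger's first question)."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def local_bucket(ts_utc, offset_hours):
    """(ISO date, hour) of the access in local time; the key used for the histogram."""
    local = to_local(ts_utc, offset_hours)
    return (local.date().isoformat(), local.hour)


def hourly_histogram(records, offset_hours=0):
    """Count files per local (date, hour) so a bulk access stands out from normal use."""
    return Counter(local_bucket(ts, offset_hours) for _path, ts in records)


def in_window(t, windows):
    """True if time-of-day t lies in any (start, end) window; a window may wrap midnight."""
    for start, end in windows:
        if start <= end:
            if start <= t < end:
                return True
        elif t >= start or t < end:
            return True
    return False


def unexplained_accesses(records, offset_hours, windows=SCHEDULED_WINDOWS):
    """Paths whose local access time falls outside every declared job window."""
    return [p for p, ts in records
            if not in_window(to_local(ts, offset_hours).time(), windows)]


def burst_hours(hist, threshold):
    """(date, hour) buckets at or above threshold: candidate bulk-access windows."""
    return sorted(k for k, v in hist.items() if v >= threshold)


def personal_areas_touched(paths, users_root="D:\\Users\\"):
    """Distinct per-user areas among paths, assuming a D:\\Users\\<name>\\ layout.
    A job running as one user has no business touching many people's private areas."""
    owners = set()
    for p in paths:
        if p.upper().startswith(users_root.upper()):
            owners.add(p[len(users_root):].split("\\", 1)[0])
    return owners


if __name__ == "__main__":
    site_offset = 0  # GMT site, as in the thread
    hist = hourly_histogram(SAMPLE_RECORDS, site_offset)
    for (day, hour), n in sorted(hist.items()):
        print(f"{day} {hour:02d}:00  {n} file(s)")
    suspect = unexplained_accesses(SAMPLE_RECORDS, site_offset)
    print("outside any scheduled window:", len(suspect))
    print("personal areas touched:", sorted(personal_areas_touched(suspect)))
```

Run it against a real tree with scan_directory(r"D:\") in place of SAMPLE_RECORDS, and try the site offset both ways: on the constructed data a 01:10 UTC access becomes 18:10 the previous day at UTC-7, which is exactly the kind of shift that turns an "overnight" burst into an end-of-day one. Keep in mind that the walk itself reads metadata only, but any tool that opens the files (an AV scan, an indexer) would overwrite the very atime values being examined, so take the listing before anything else touches the partition.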
    
