
Possible Duplicate:
Reinstall after a Root Compromise?

One of our servers was compromised after a user with administrative privileges accidentally loaded a virus from a USB drive on a desktop connected to the domain. The two most obvious symptoms of this were:

  • The server is no longer responding to login attempts
  • The root directory of the drive containing user data has been filled with randomly named empty folders. (Initially it was around a million folders; I've been slowly deleting them.)

I've run several virus scans from different vendors and am fairly confident the virus has been removed, but the damage is done.

I'm hoping the two symptoms are related and that once the directories are gone the server will start responding again. The drive is very slow to respond. I'm deleting about 20k folders at a time. Any more than that and Windows Explorer becomes unresponsive.

In the event that I finish cleaning up the HD and things don't return to normal, what other things can I check?

  • http://serverfault.com/questions/6190/reinstall-after-a-root-compromise http://serverfault.com/questions/218005/my-servers-been-hacked-emergency – Zoredache Jan 14 '11 at 14:32
  • Is this a domain server, aka member, or a domain controller? – DanBig Jan 14 '11 at 15:20
  • @Dan It is *the* domain controller. It's also a gateway, file server, application server... pretty much all the eggs in one basket... everything except email. My predecessor moved email to a new server when this server started getting overburdened by the load. – Kenneth Cochran Jan 14 '11 at 17:49
  • Oh my, without proper backups, I hope you have a bottle of whiskey ready. – DanBig Jan 14 '11 at 17:52
  • Told ya they didn't follow best practices. – Kenneth Cochran Jan 14 '11 at 17:57

1 Answer


I hate to be blunt, but save yourself a TON of pain. If you continue down this path, you will be picking out remnants of the compromise for years to come. Since this is a server, you shouldn't be doing any cleaning at all. Clone the drives and set them aside for analysis later. Wipe the server, restore from backups.

DanBig
  • You assume we are following industry best practices. This is a small non-profit that I only work for part time (putting out fires like this one). They are resistant to spending money. This includes paying for fault tolerance, backup media and adequate virus protection. The majority of the network is made of donated equipment. – Kenneth Cochran Jan 14 '11 at 14:32
  • You still should be able to back up the drives now, reinstall, and restore cleaned data. – Zoredache Jan 14 '11 at 14:37
  • @serversurfer: It sounds like the network is also made out of your donated *time*. Following best practices [even if done very inexpensively] will save *you* in time, anguish, frustration, etc. – jscott Jan 14 '11 at 14:49
  • In principle I agree this is the best solution. Convincing those that pay the bills will be another matter. – Kenneth Cochran Jan 14 '11 at 14:59
  • @serversurfer, this is your job, to know the correct action and to know how to explain it to non-tech managers. If they refuse to follow those, all you can do is CYA for when the excrement hits the air velocity accelerator. – Chris S Jan 14 '11 at 15:09
  • Shortcuts on stuff like this don't save money, they just seem like they will do. Let them learn that lesson now rather than make the same mistake over and over. – JamesRyan Jan 14 '11 at 15:58
  • @JamesRyan They haven't learned anything yet. IT isn't the only area they've been burned by taking shortcuts. – Kenneth Cochran Jan 14 '11 at 17:53
  • Another bad thing is that every object that was/is domain joined has more than likely been infected. – tony roth Jan 14 '11 at 18:38