Solved

Deleted Shortcuts, SYSVOL, and files inside of directories on C: - No clues.

Posted on 2006-10-24
2
350 Views
Last Modified: 2006-11-18
Recently we experienced an outage, the SYSVOL was deleted or moved by whom or how we do not know. When this happened the SYSVOL
replicated to all of our 20+ DC's at our remote branches. We were forced to perform authoritative restores to the servers to get everything back up.

At now three of our remote sites, It appears that some script or app walked the C: drive and rm'd all of the files inside of directories. In two cases, the
servers were very messed up and reloads were performed. On one server, the deletion of files seemed to stop after the "Documents and Settings" directories, so
no user profiles have shortcuts, administrative tools, etc. on this system.

We have checked everything we can think of, We've ran HiJackThis, Spybot, and many other malware and spyware tools in an effort to find something, We copied all
of the event logs from the "compramised" systems using forensics tools. and re-reviewed the event logs as well.

We have aroud 20 WIndows Server 2003 Sp1 DC's, all of them on Dell PowerEdge 1800 class hardware, and one remaining Windows 2000 Sp4 DC(we are working on demoting this)

The "missing files on C:\" happened to only 3 Windows 2003 Sp1 DC's at remote branches, no other servers experienced this issues. The missing SYSVOL issue affected
all DC's of course when it happened.

We do not believe any administrative accounts were compramised.

My Questions are:

1. Does this make sense to anyone? Has anyone seen this or know how I could determine what caused this random file deletions on these three DC's?
2. We know what files were removed on the 3DC's can we watch these files on the remaining DC's and alert if they are removed somehow?(how?)
3. Is there a way to watch the SYSVOL and be alerted if any specific files/folders are Deleted?

Thanks so much in advance.
0
Comment
Question by:shaaad
  • 2
2 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 17799146
The sysvol is a junction point.  If you create a shortcut to it then delete the shortcut, it will delete the sysvol.  Nice hey?
http://www.mcse.ms/archive173-2004-7-842431.html


See this for the future is you haven't already:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B315457

0
 
LVL 26

Accepted Solution

by:
Pber earned 500 total points
ID: 17799169
See this as well, since you still have one 2000 DC:
http://support.microsoft.com/default.aspx/kb/324308

As far as monitoring the files, you can see this:
http://www.microsoft.com/technet/scriptcenter/guide/sas_fil_impx.mspx?mfr=true
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Learn about cloud computing and its benefits for small business owners.
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question