We help IT Professionals succeed at work.

Deleted Shortcuts, SYSVOL, and files inside of directories on C: - No clues.

shaaad
shaaad asked
on
Medium Priority
374 Views
Last Modified: 2006-11-18
Recently we experienced an outage, the SYSVOL was deleted or moved by whom or how we do not know. When this happened the SYSVOL
replicated to all of our 20+ DC's at our remote branches. We were forced to perform authoritative restores to the servers to get everything back up.

At now three of our remote sites, It appears that some script or app walked the C: drive and rm'd all of the files inside of directories. In two cases, the
servers were very messed up and reloads were performed. On one server, the deletion of files seemed to stop after the "Documents and Settings" directories, so
no user profiles have shortcuts, administrative tools, etc. on this system.

We have checked everything we can think of, We've ran HiJackThis, Spybot, and many other malware and spyware tools in an effort to find something, We copied all
of the event logs from the "compramised" systems using forensics tools. and re-reviewed the event logs as well.

We have aroud 20 WIndows Server 2003 Sp1 DC's, all of them on Dell PowerEdge 1800 class hardware, and one remaining Windows 2000 Sp4 DC(we are working on demoting this)

The "missing files on C:\" happened to only 3 Windows 2003 Sp1 DC's at remote branches, no other servers experienced this issues. The missing SYSVOL issue affected
all DC's of course when it happened.

We do not believe any administrative accounts were compramised.

My Questions are:

1. Does this make sense to anyone? Has anyone seen this or know how I could determine what caused this random file deletions on these three DC's?
2. We know what files were removed on the 3DC's can we watch these files on the remaining DC's and alert if they are removed somehow?(how?)
3. Is there a way to watch the SYSVOL and be alerted if any specific files/folders are Deleted?

Thanks so much in advance.
Comment
Watch Question

PberSolutions Architect
CERTIFIED EXPERT

Commented:
The sysvol is a junction point.  If you create a shortcut to it then delete the shortcut, it will delete the sysvol.  Nice hey?
http://www.mcse.ms/archive173-2004-7-842431.html


See this for the future is you haven't already:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B315457

Solutions Architect
CERTIFIED EXPERT
Commented:
See this as well, since you still have one 2000 DC:
http://support.microsoft.com/default.aspx/kb/324308

As far as monitoring the files, you can see this:
http://www.microsoft.com/technet/scriptcenter/guide/sas_fil_impx.mspx?mfr=true

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.