Solved

Deleted Shortcuts, SYSVOL, and files inside of directories on C: - No clues.

Posted on 2006-10-24
2
349 Views
Last Modified: 2006-11-18
Recently we experienced an outage, the SYSVOL was deleted or moved by whom or how we do not know. When this happened the SYSVOL
replicated to all of our 20+ DC's at our remote branches. We were forced to perform authoritative restores to the servers to get everything back up.

At now three of our remote sites, It appears that some script or app walked the C: drive and rm'd all of the files inside of directories. In two cases, the
servers were very messed up and reloads were performed. On one server, the deletion of files seemed to stop after the "Documents and Settings" directories, so
no user profiles have shortcuts, administrative tools, etc. on this system.

We have checked everything we can think of, We've ran HiJackThis, Spybot, and many other malware and spyware tools in an effort to find something, We copied all
of the event logs from the "compramised" systems using forensics tools. and re-reviewed the event logs as well.

We have aroud 20 WIndows Server 2003 Sp1 DC's, all of them on Dell PowerEdge 1800 class hardware, and one remaining Windows 2000 Sp4 DC(we are working on demoting this)

The "missing files on C:\" happened to only 3 Windows 2003 Sp1 DC's at remote branches, no other servers experienced this issues. The missing SYSVOL issue affected
all DC's of course when it happened.

We do not believe any administrative accounts were compramised.

My Questions are:

1. Does this make sense to anyone? Has anyone seen this or know how I could determine what caused this random file deletions on these three DC's?
2. We know what files were removed on the 3DC's can we watch these files on the remaining DC's and alert if they are removed somehow?(how?)
3. Is there a way to watch the SYSVOL and be alerted if any specific files/folders are Deleted?

Thanks so much in advance.
0
Comment
Question by:shaaad
  • 2
2 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 17799146
The sysvol is a junction point.  If you create a shortcut to it then delete the shortcut, it will delete the sysvol.  Nice hey?
http://www.mcse.ms/archive173-2004-7-842431.html


See this for the future is you haven't already:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B315457

0
 
LVL 26

Accepted Solution

by:
Pber earned 500 total points
ID: 17799169
See this as well, since you still have one 2000 DC:
http://support.microsoft.com/default.aspx/kb/324308

As far as monitoring the files, you can see this:
http://www.microsoft.com/technet/scriptcenter/guide/sas_fil_impx.mspx?mfr=true
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question