[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Deleted Shortcuts, SYSVOL, and files inside of directories on C: - No clues.

Posted on 2006-10-24
2
Medium Priority
?
360 Views
Last Modified: 2006-11-18
Recently we experienced an outage, the SYSVOL was deleted or moved by whom or how we do not know. When this happened the SYSVOL
replicated to all of our 20+ DC's at our remote branches. We were forced to perform authoritative restores to the servers to get everything back up.

At now three of our remote sites, It appears that some script or app walked the C: drive and rm'd all of the files inside of directories. In two cases, the
servers were very messed up and reloads were performed. On one server, the deletion of files seemed to stop after the "Documents and Settings" directories, so
no user profiles have shortcuts, administrative tools, etc. on this system.

We have checked everything we can think of, We've ran HiJackThis, Spybot, and many other malware and spyware tools in an effort to find something, We copied all
of the event logs from the "compramised" systems using forensics tools. and re-reviewed the event logs as well.

We have aroud 20 WIndows Server 2003 Sp1 DC's, all of them on Dell PowerEdge 1800 class hardware, and one remaining Windows 2000 Sp4 DC(we are working on demoting this)

The "missing files on C:\" happened to only 3 Windows 2003 Sp1 DC's at remote branches, no other servers experienced this issues. The missing SYSVOL issue affected
all DC's of course when it happened.

We do not believe any administrative accounts were compramised.

My Questions are:

1. Does this make sense to anyone? Has anyone seen this or know how I could determine what caused this random file deletions on these three DC's?
2. We know what files were removed on the 3DC's can we watch these files on the remaining DC's and alert if they are removed somehow?(how?)
3. Is there a way to watch the SYSVOL and be alerted if any specific files/folders are Deleted?

Thanks so much in advance.
0
Comment
Question by:shaaad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 17799146
The sysvol is a junction point.  If you create a shortcut to it then delete the shortcut, it will delete the sysvol.  Nice hey?
http://www.mcse.ms/archive173-2004-7-842431.html


See this for the future is you haven't already:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B315457

0
 
LVL 26

Accepted Solution

by:
Pber earned 1500 total points
ID: 17799169
See this as well, since you still have one 2000 DC:
http://support.microsoft.com/default.aspx/kb/324308

As far as monitoring the files, you can see this:
http://www.microsoft.com/technet/scriptcenter/guide/sas_fil_impx.mspx?mfr=true
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question