Suspected Malicious Attack on Windows SBS2003

Hi there,

I am having a major problem with a Dell PowerEdge 2950.

This morning I was called out because 'no-one could log on to the server' at a client's office.

I tried logging in remotely and the administrator password did not work.

Logging on locally with the administrator password also failed.

I then restarted and went into directory restore mode, and reset the AD administrator password using the guide at http://www.nobodix.org/seb/win2003_adminpass.html.

After gaining access to the server, I logged on and found the D drive was missing; all user accounts bar Administrator and a printer account are missing.

I checked the disk manager, and the D drive was showing as an unallocated disk, so I restored the partition using http://www.cgsecurity.org/wiki/TestDisk.

The partition is now back, although the data that was in the 'network share' folder (main working folder for staff) is GONE!!!

There are also no network shares set up either.

Things like the POP retrieval accounts are still there, but obviously no Exchange mailboxes.

I then restarted the machine and noticed that the RAID array was degraded, so I set it to rebuild, which it is currently doing...

Do you think this is a malicious attack of some kind, or some sort of bug/disk error?

I have a full backup that was last run (and seemed to fail) on Christmas Day, and 6 days of backups before then, but no installation media handy.

Thanks in advance
Asked by: itGenius

1 Solution
David commented:
Looks to me like a pure hardware issue. My guess is that your client never bothered to run the obligatory RAID consistency checks, so after the drive failed you had some unrecoverable read errors on the surviving disk, so vital programs could not read files.

Doubtful a virus would degrade a RAID, unless it was designed to do such a thing.

Look at the RAID controller's event logs to get an idea of what is going on. Moving forward:
1) Assess the controller's event log and see if any hardware needs to be replaced (i.e. disk drives).
2) Do a full recovery (sorry, had the client left things alone and looked at the RAID logs first, then perhaps it could have been fixed).
3) Teach the client best practices for RAID maintenance (frequent rebuilds, setting up a "phone home" or alert mechanism if the RAID dies, purchasing a hot spare for automated rebuilds in the event of another failure).

itGenius (Author) commented:
Thanks for your reply. I am currently restoring system files and state from backup, but I can't find where the RAID logs are on this Dell.

Anyone got any idea how to pull up RAID logs on a PowerEdge 2950?
David commented:
What controller? They have several. They also have a Windows-based utility designed to run in the background, along with their OpenManage stuff that sends out SNMP alerts. If you didn't have it running before all of this happened, then forget it.

David commented:
No matter what, there should be a BIOS program you can run that will look at the RAID and tell you drive health. This is by no means a diagnostic; it is more of a what-is-the-condition-of-the-RAID-and-all-disks-at-this-very-moment thing.
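The "phone home" alert David recommends in his third point, written out as an added example that is not part of the thread: a PowerShell check that wraps the OpenManage Server Administrator `omreport` CLI, flags any virtual or physical disk that is not in a healthy state, and records the result in the Application event log and by e-mail. It assumes OMSA is installed on the server (so `omreport` is on the PATH), that the PERC is controller 0, and uses placeholder SMTP relay and recipient names.

```powershell
# Added example: poll omreport for vdisk/pdisk state and alert when the array is unhealthy.
# Assumptions: OMSA installed (omreport on PATH), controller ID 0, placeholder mail settings.
param(
    [int]$ControllerId = 0,
    [string]$SmtpServer = 'smtp.example.internal',   # placeholder: your mail relay
    [string]$To = 'admin@example.internal'            # placeholder: on-call mailbox
)

function Get-OmreportStates {
    # omreport prints one "Name : Value" block per disk; turn each block into an object.
    param([string]$Object)   # 'vdisk' (arrays) or 'pdisk' (physical drives)
    $out = & omreport storage $Object "controller=$ControllerId" 2>&1
    $current = @{}; $items = @()
    foreach ($line in $out) {
        if ($line -match '^\s*(ID|Name|Status|State)\s*:\s*(.+?)\s*$') {
            # A new "ID" line starts the next disk's block; flush the previous one.
            if ($matches[1] -eq 'ID' -and $current.Count -gt 0) {
                $items += New-Object PSObject -Property $current
                $current = @{}
            }
            $current[$matches[1]] = $matches[2]
        }
    }
    if ($current.Count -gt 0) { $items += New-Object PSObject -Property $current }
    return $items
}

$problems = @()
# A healthy virtual disk reports "Ready"; "Degraded" is exactly the condition in this thread.
foreach ($v in Get-OmreportStates 'vdisk') {
    if ($v.State -ne 'Ready') { $problems += "vdisk $($v.ID) [$($v.Name)]: $($v.State)" }
}
# Members of an array report "Online"; an unassigned hot spare reports "Ready", which is fine.
foreach ($p in Get-OmreportStates 'pdisk') {
    if ($p.State -notin @('Online', 'Ready')) { $problems += "pdisk $($p.ID): $($p.State)" }
}

if ($problems.Count -gt 0) {
    $body = "RAID health on $env:COMPUTERNAME needs attention:`r`n" + ($problems -join "`r`n")
    # Source must be registered once beforehand: New-EventLog -LogName Application -Source RaidHealthCheck
    Write-EventLog -LogName Application -Source 'RaidHealthCheck' -EntryType Error -EventId 1001 -Message $body
    Send-MailMessage -SmtpServer $SmtpServer -To $To -From "raid@$env:COMPUTERNAME" -Subject "RAID problem on $env:COMPUTERNAME" -Body $body
    exit 1
}
Write-Host "RAID healthy on controller $ControllerId"
```

Run it from a scheduled task every few minutes; a non-zero exit code and the event log entry give a monitoring agent something to pick up even if mail delivery fails.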