Suspected Malicious Attack on Windows SBS2003

Posted on 2009-12-28
Last Modified: 2012-05-08
Hi there,

I am having a major problem with a Dell Poweredge 2950.

This morning I was called out because 'no-one could log on to the server' at a client's office.

I tried logging in remotely and the administrator password did not work.

Logging on locally with the administrator password also failed.

I then restarted and went into directory restore mode, and reset the AD administrator password using the guide at

After gaining access to the server, I logged on and the D drive was missing, all user accounts bar Administrator and a printer account are missing.

I checked the disk manager, and D drive was showing an unallocated disk, so I restored the partition using

The partition is now back, although the data that was in the 'network share' folder (main working folder for staff) is GONE!!!

There are also no network shares set up.

Things like the POP retrieval accounts are still there, but obviously no Exchange mailboxes.

I then restarted the machine and noticed that the RAID array was degraded, so I set it to rebuild, which it is currently doing...

Do you think this is a malicious attack of some kind? Or some sort of bug/disk error?

I have a full backup that was last run (and seemed to fail) on Christmas Day, and 6 days of backups before then, but no installation media handy.

Thanks in advance
Question by: itGenius
    LVL 46

    Accepted Solution

    Looks to me like a pure hardware issue. My guess is that your client never bothered to run the obligatory RAID consistency checks, so after the drive failed you had some unrecoverable read errors on the surviving disk, and vital programs could not read files.

    Doubtful a virus would degrade a RAID, unless it was designed to do exactly that.

    Look at the RAID controller's event logs to get an idea of what is going on. Moving forward:
    1) Assess the controller's event log and see if any hardware needs to be replaced (i.e. disk drives).
    2) Do a full recovery (sorry; had the client left things alone and looked at the RAID logs first, then perhaps it could have been fixed).
    3) Teach the client best practices for RAID maintenance (frequent consistency checks, setting up a "phone home" or alert mechanism if the RAID dies, purchasing a hot spare for automated rebuilds in the event of another failure).
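    The accepted answer's core question is whether the surviving logs show a disk/controller failure or deliberate administrative actions (accounts deleted, audit log cleared) that a failing array would not produce on its own. The script below is an added example, not from this thread or from Dell: it triages a CSV export of the Windows Server 2003 System and Security event logs. The CSV layout and the sample rows are constructed; the event IDs and sources are the real Windows Server 2003 ones.

```python
# Added example (not from the thread): triage a CSV export of the Windows
# Server 2003 System and Security event logs to separate hardware-failure
# indicators from administrative-action indicators. The CSV layout and the
# sample rows are constructed; the event IDs are the Windows Server 2003 ones
# (Security 630 = user account deleted, 517 = audit log cleared).
import csv
import io

# Hardware-side signals: (log, source, event id) -> description
HARDWARE = {
    ("System", "Disk", 7): "bad block on device",
    ("System", "Disk", 11): "controller error",
    ("System", "Disk", 51): "paging error during I/O",
    ("System", "Ntfs", 55): "file system structure corrupt",
}
# Administrative actions; a disk failure does not generate these by itself.
ADMIN = {
    ("Security", "Security", 630): "user account deleted",
    ("Security", "Security", 517): "audit log cleared",
}

# Constructed sample export: only disk and NTFS errors, one normal logon.
SAMPLE = r"""Log,Time,Source,EventID,Message
System,2009-12-24 02:13:05,Disk,7,The device \Device\Harddisk1\D has a bad block.
System,2009-12-24 02:13:09,Disk,11,The driver detected a controller error on \Device\Harddisk1.
System,2009-12-24 02:14:00,Ntfs,55,The file system structure on the disk is corrupt and unusable.
Security,2009-12-24 02:15:30,Security,528,Successful Logon
"""

def triage(csv_text):
    """Return matched hardware/admin events and a verdict string."""
    hardware, admin = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Log"], row["Source"], int(row["EventID"]))
        if key in HARDWARE:
            hardware.append((row["Time"], HARDWARE[key]))
        elif key in ADMIN:
            admin.append((row["Time"], ADMIN[key]))
    # Absence of admin events is not proof: the log itself may be damaged.
    if admin:
        verdict = "administrative actions recorded: check who performed them"
    elif hardware:
        verdict = "only hardware errors recorded: consistent with disk/RAID failure"
    else:
        verdict = "no indicators in export"
    return {"hardware": hardware, "admin": admin, "verdict": verdict}

if __name__ == "__main__":
    for name, value in triage(SAMPLE).items():
        print(name, value)
```

    The RAID controller's own log (the expert's first step) stays the authoritative source for drive health; this only sorts what the operating system logged.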

    LVL 1

    Author Comment

    Thanks for your reply. I am currently restoring system files and state from backup; I can't find where the RAID logs are on this Dell.

    Anyone got any idea how to pull up RAID logs on a Poweredge 2950?
    LVL 46

    Expert Comment

    What controller? They have several. They also have a Windows-based utility designed to run in the background, along with their OpenManage stuff that sends out SNMP alerts. If you didn't have it running before all of this happened, then forget it.

    LVL 46

    Expert Comment

    No matter what, there should be a BIOS program you can run that will look at the RAID and tell you drive health. This is by no means a diagnostic; it is more of a what-is-the-condition-of-the-RAID-and-all-disks-at-this-very-moment thing.
