Need help with a virus situation

bankadmin
One of the companies I do work for has a sister company that recently had a virus problem.
This is what I know, and it's all second-hand knowledge. What they're being told by their tech support is that they were infected with some "Steam" games on their network (8 PCs and a server). They had their modem fail, and after they did some research they found that someone had accessed three old user profiles on the server (apparently Novell user accounts which they no longer used) and, using those user accounts, was downloading so much data from the server that it crashed the modem. Again, this is what I was told, not what I saw for myself. My question is: how can I tell what data was downloaded off the server using those accounts that were compromised? It is a 2003 server.
There is a program, WinDirStat, that will search all drives on a PC and sort by the largest files/folders. It will show you which folders those are in (including user folders). Then you can look at the dates and see when they were downloaded. This program has helped me out in these kinds of situations.
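The "sort by size, then look at the dates" approach above can be scripted so the whole share is checked against the window in which the modem was overloaded, rather than eyeballed folder by folder. The following is an added example, not code from the thread or from WinDirStat: it walks a directory tree, keeps every file whose last-modified or last-access timestamp falls inside a chosen window, lists them largest first and totals them by top-level folder. The root, the window and the sample files it builds in a temporary directory are constructed for the demonstration. One caveat worth keeping in mind when reading the output: a download over a share is a read, so it changes only the last-access time, and only if the volume still updates last-access times (Windows Server 2003 does by default, later Windows versions do not); modified-time hits show what was written, not what was pulled off the server.

```python
import os
import shutil
import tempfile
from collections import defaultdict
from datetime import datetime, timezone


def scan_tree(root, window_start, window_end):
    """Walk `root` and return every file whose last-modified (mtime) or
    last-access (atime) timestamp falls inside [window_start, window_end]
    (both epoch seconds), largest file first."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the scan
            touched = (window_start <= st.st_mtime <= window_end
                       or window_start <= st.st_atime <= window_end)
            if touched:
                hits.append({"path": path, "size": st.st_size,
                             "mtime": st.st_mtime, "atime": st.st_atime})
    hits.sort(key=lambda h: h["size"], reverse=True)
    return hits


def totals_by_top_folder(root, hits):
    """Sum the sizes of the hits under each top-level folder of `root`,
    largest total first (the folder-level view WinDirStat gives you)."""
    totals = defaultdict(int)
    for h in hits:
        rel = os.path.relpath(h["path"], root)
        totals[rel.split(os.sep)[0]] += h["size"]
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample tree (hypothetical paths and timestamps, not from the thread).
WINDOW_START = 1_236_000_000   # ~2009-03-02 UTC, start of the suspected activity
WINDOW_END = 1_236_600_000     # ~2009-03-09 UTC, modem failure noticed

SAMPLE_FILES = [
    # relative path,           size,  mtime,          atime
    ("Users/alice/big.bin",    5000,  1_236_100_000,  1_236_100_000),  # written in window
    ("Users/bob/notes.txt",     100,  1_230_000_000,  1_236_200_000),  # only read in window
    ("Shared/old.dat",         3000,  1_230_000_000,  1_230_000_000),  # untouched
]


def build_sample_tree(base):
    """Create the constructed files and stamp them with the sample timestamps."""
    for rel, size, mtime, atime in SAMPLE_FILES:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"x" * size)
        os.utime(path, (atime, mtime))  # set timestamps after the write


def demo():
    """Build the sample tree in a temp dir, scan it, clean up, return results
    with paths made relative to the scanned root."""
    base = tempfile.mkdtemp()
    try:
        build_sample_tree(base)
        hits = scan_tree(base, WINDOW_START, WINDOW_END)
        totals = totals_by_top_folder(base, hits)
        for h in hits:
            h["path"] = os.path.relpath(h["path"], base)
    finally:
        shutil.rmtree(base)
    return hits, totals


if __name__ == "__main__":
    hits, totals = demo()
    for h in hits:
        mtime = datetime.fromtimestamp(h["mtime"], timezone.utc)
        atime = datetime.fromtimestamp(h["atime"], timezone.utc)
        print(f'{h["size"]:>8}  mod {mtime:%Y-%m-%d %H:%M}  '
              f'acc {atime:%Y-%m-%d %H:%M}  {h["path"]}')
    print("totals by top-level folder:", totals)
```

Run it against the real share root with the real window instead of `demo()`, and compare the per-folder totals with the volume of data the modem was passing: if the touched files do not add up to anything like that volume, the copies were not leaving a visible timestamp trail and file metadata alone will not answer the question.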
RojoshoRTCC-III Level-2 Support
Commented:
Hello Bankadmin,

Thought I would jump in and add a few comments.  

Hunter44102 makes a very good suggestion on how to identify if a file has been 'touched' (meaning opened, archived, edited, changed, etc.). I am sorry to say, unless you already have an application that monitors 'where' a file goes, it is going to be very difficult to determine which files were sent via your modem connection or sent anywhere else. So, your first course of action would be to determine if these systems do in fact have some sort of file-monitoring application already running.

More germane to your situation, it is imperative that the IT folks determine the type and name of the virus that hit these systems. Knowing this will help the IT folks manage the damage, plug any security holes and assist in the damage assessment.

As this sounds like a medium to large company, I am sure that the IT department has a corporate standard for their anti-virus (AV) protection. If this is the case, then the AV vendor will have a tech support service which can help you ID the virus and its MO (what it does). This will be key. They MAY even have a tool that can assist you in determining which files were touched, or what the normal 'target files' for this virus are. In any event, getting the AV vendor involved as early as possible is key.

Good Hunting,

Rojosho
Technical Designer
Commented:
"steam" games on there network

Well, to my knowledge there are many famous games which are based on "Steam" and are very popular among gamers for multiplayer, and also in gaming competitions.

The most popular games which are played on Steam Servers are "Counter-Strike, BioShock, Call of Duty 4: Modern Warfare, Half-Life 2 etc."

Like many Steam games, Steam servers also exist so that various users can join them to play the games with others over the network.

I believe someone has used your servers to host "Steam servers", and we have experienced very high bandwidth utilization from gaming servers in one of our data centers.

I am sure that same has happened in your case, due to which the modem failed.

Like the many pirated games which are available to download, there is also pirated gaming server software, so they are not using anything legal. And since you do not need to register with any company to host a gaming server, you might not be able to catch them.

All I would suggest is that you find the server and stop the application related to Steam gaming on it, and once your investigation finishes, you may remove the content.

Further, to block the gaming you might need to block UDP traffic to port 27000 and above on your firewall/gateway or modem.

Author

Commented:
Thank you for all of your feedback
RojoshoRTCC-III Level-2 Support

Commented:
Hello Bankadmin,

Thank you and best of luck... look forward to working with you in the future.

Rojosho
