• Status: Solved
  • Priority: Medium
  • Security: Public

SBS 2008 public share drive folder spawning

Hello Experts,

Yesterday I noticed that our shared "public" drive has been automatically spawning folders with 2-character names, each with a long hexadecimal file inside.

I can delete some of them, but several are read only.
After I delete the ones I can, they respawn on their own.

My guess is a virus but nothing is detected.

Thanks in advance,
Micarta46
Manpreet SIngh Khatra (Solutions Architect, Project Lead) commented:
Could be some virus or something. Hope the AV is set. Did someone try to remove and re-add, or who else manages the server?

- Rancy
 
btan (Exec Consultant) commented:
You can check out this
http://pcworld.about.net/magazine/2307p164id120795.htm

You can use Process Explorer to see which process (and eventually application) is creating or owning that folder and trace back. If it is some svchost and Windows services, then this is highly suspicious, and it is probably already in its mode of propagating itself (extract) or siphoning data (central repository).

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
http://windowsxp.mvps.org/processlock.htm

Another is to check for any unknown listening ports and trace back to the process. If they are the same or refer to the same application, then something is really suspicious.

http://searchmidmarketsecurity.techtarget.com/tip/Using-NetStat-commands-and-Microsoft-Port-Reporter-tool-to-find-network-connections
http://searchsecuritychannel.techtarget.com/tip/Use-Netstat-to-determine-which-ports-to-open-on-a-Windows-firewall

just a few cents
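
The second check described above (listening ports traced back to their owning processes and services), as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later and an English-language `netstat` (the `LISTENING` state string); the variable names are illustrative.

```powershell
# Added example: map every listening TCP port to its owning process,
# executable path and hosted services, using only netstat and WMI.

# Index running processes by PID.
$procByPid = @{}
Get-WmiObject Win32_Process | ForEach-Object {
    $procByPid[[int]$_.ProcessId] = $_
}

# Index services by the PID that hosts them. One svchost.exe can host many.
$svcByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $svcPid = [int]$_.ProcessId
    if (-not $svcByPid.ContainsKey($svcPid)) { $svcByPid[$svcPid] = @() }
    $svcByPid[$svcPid] += $_.Name
}

# netstat -ano rows look like:  TCP  0.0.0.0:445  0.0.0.0:0  LISTENING  4
# UDP rows have no state column, so the five-field test skips them.
$listeners = netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
        $ownerPid = [int]$f[4]
        $proc = $procByPid[$ownerPid]
        New-Object PSObject -Property @{
            Local    = $f[1]
            PID      = $ownerPid
            Process  = if ($proc) { $proc.Name } else { '<exited>' }
            Path     = if ($proc) { $proc.ExecutablePath } else { $null }
            Services = ($svcByPid[$ownerPid] -join ',')
        }
    }
}

# A listener whose Path is outside the Windows or Program Files trees, or an
# svchost.exe row with an empty Services column, is the one to look at first.
$listeners | Sort-Object PID, Local |
    Format-Table PID, Process, Local, Services, Path -AutoSize
```

Run it from an elevated prompt so WMI can return the executable path for processes owned by other accounts, then compare the PIDs with the process that Process Explorer shows holding handles in the share.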
 
Cris Hanna commented:
What are you using to detect virus/malware on the server?

The truth is that most likely the server is compromised at a low level and probably needs to be flattened and reinstalled...that's the only true way to know that you got it.

Put the data on a portable drive that you can scan with Malwarebytes or SuperAntiSpyware (or both). Once you know it's clean, you can copy it back to the newly installed server.
 
Micarta46 (Author) commented:
This gave me something to think about. It ended up being that my current AV solution's definitions were out of date. A new AV scan caught and cleared the issue.
Question has a verified solution.