Solved

Malware on server

Posted on 2013-01-27
Last Modified: 2013-06-01
Hi,

I have a client running Windows Server 2008 R2. 20 users are using RDP to work on this server.

Those users are only power users and there is one admin on the system.

For about a week now they have had complaints about malware on the server. Every time I scan the system I keep cleaning malware off it.

2 Questions...

1. How is it possible that a power user is able to do something so that malware gets installed on the server? What am I doing wrong and how can I prevent this?

2. The malware always seems to hide in the SoftwareDistribution folder. Can I simply delete this folder and let the system create a new one? Or does this impact the server's operation?

Thanks!
Question by:Rik Van Lier
9 Comments

Expert Comment

by:smckeown777
ID: 38824784
A few questions...

1) What AV is installed on the server?
2) Why are users Power Users? There is no need for this on a server; in fact an RDP server should normally be 'locked down' to prevent these types of things happening.
3) No, you can't delete that folder; it's a system folder and is required by Windows.

To start this properly you need to fix the permissions first. Yes, power users can do more than standard users, so you need to determine why that level of access is needed.

Expert Comment

by:McKnife
ID: 38824831
Hi.

Let me clear up some facts first:
- Power users: non-existent on Server 2008. The group is there by name, yes, for compatibility reasons, but adding users to that group does not add any privileges.
- SoftwareDistribution folder: can be deleted without disrupting Windows, yes, but this will not solve your problem.

The fact that that folder ("software distrib.") cannot be written into by normal users clearly tells us that the virus is already using administrator or system rights. Your system cannot be trusted anymore. If you are no expert at this matter, and I am afraid this seems obvious, you should not try to clean it but save your data and reinstall that server, or resort to an image backup with a known clean state.

Author Comment

by:Rik Van Lier
ID: 38824851
I am more than technical enough to solve this problem; I just took over this job from another provider. My customer does not want to work with them anymore and asked me to solve this.

I have no option to reinstall this server. Also let me be clear that the server does not have any other problems. Once a day there is a notice from the antivirus that malware has been found and deleted.

To answer the other question: the server is running Microsoft Security Essentials.

Expert Comment

by:smckeown777
ID: 38824959
Ok, this will require a bit of work...

I assume it's MSE that is detecting the malware? So it can remove it as well?

Is UAC enabled on the server at least? Working from @McKnife's comment about Power Users being irrelevant (which I didn't know, apologies), we still need to determine what/how the infection is taking place if the users are just standard accounts...

I've never used MSE on a server before so I'm not sure if it's up to the job, but if MSE is cleaning the server and it's getting re-infected again and again, then remove the Admin users from using the server completely as a start. That way you can then see if the standard accounts are still letting the infection happen... if not, then you might be out of jail, but in reality cleaning this machine could take you a LOT of time, whereas a wipe and reinstall may be the more recommended solution and would also allow you to properly 'lock down' the server using proper GPOs etc...

Expert Comment

by:arnold
ID: 38825419
See whether the notice of the found item deals with a shadow copy (system volume) or whether the captured item is in a specific user's path.
The malware might be part of a single user profile or an add-on for IE.

Hard to say which.

Author Comment

by:Rik Van Lier
ID: 38857262
Ok, I went to see the customer and the server today. What I did find out was that there is no special GPO or lockdown policy running on this machine.

Also, UAC was completely off. I turned this back on today.

Since then they have had almost no malware errors anymore, maybe once a day.

Also, it seems that the malware is in the shadow copy or the SoftwareDistribution folder.

What do you advise?
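A triage script a defender could run on that server to check the points raised in the thread so far: whether UAC is on, who can actually write into SoftwareDistribution (if only SYSTEM/Administrators can, the malware is already running elevated, as McKnife noted), and whether MSE's detections land in a shadow copy, in SoftwareDistribution or in a user profile (arnold's question). This is an added example, not code posted by anyone in the thread; it assumes PowerShell on the 2008 R2 host and that MSE logs detections to the System log under provider "Microsoft Antimalware" with event IDs 1116/1117 and a "Path:" field in the event message.

```powershell
# Added triage example (not from the thread). Assumes PowerShell 2.0+ on the host and that
# MSE logs detections to the System log as provider "Microsoft Antimalware", IDs 1116
# (detected) / 1117 (action taken), with a "Path:" field in the message text.

# 1. Is UAC on? EnableLUA = 0 means it is off (the author found it switched off).
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"UAC (EnableLUA): $($pol.EnableLUA)"

# 2. Who can write into SoftwareDistribution? Any writer beyond these three is suspicious;
#    if nobody else can write there, whatever drops files there already has admin/SYSTEM rights.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
$acl = Get-Acl 'C:\Windows\SoftwareDistribution'
$acl.Access |
  Where-Object { $_.AccessControlType -eq 'Allow' -and
                 $_.FileSystemRights -match 'Write|Modify|FullControl' -and   # heuristic match on the rights text
                 $trusted -notcontains $_.IdentityReference.Value } |
  ForEach-Object { "Non-admin write access: $($_.IdentityReference) -> $($_.FileSystemRights)" }

# 3. Classify where the last week of detections landed.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft Antimalware';
                                           Id = 1116, 1117; StartTime = $since } -ErrorAction SilentlyContinue
$events | ForEach-Object {
  $m = [regex]::Match($_.Message, 'Path:\s*(?<p>[^\r\n]+)')
  if (-not $m.Success) { return }          # event without a path field: skip it
  $p = $m.Groups['p'].Value
  $where = switch -Regex ($p) {
    'HarddiskVolumeShadowCopy|System Volume Information' { 'shadow copy (old snapshot, not a live infection)'; break }
    'SoftwareDistribution'                               { 'SoftwareDistribution (admin/SYSTEM needed to write)'; break }
    '\\Users\\(?<u>[^\\]+)\\'                            { "user profile of $($Matches['u'])"; break }
    default                                              { 'other location' }
  }
  '{0:u}  {1}  {2}' -f $_.TimeCreated, $where, $p
} | Sort-Object
```

A run of hits only inside HarddiskVolumeShadowCopy paths means the scanner keeps finding the same old copy in a snapshot, while repeated hits under SoftwareDistribution or a single user's profile point at a live, elevated dropper or a single compromised account respectively.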

Expert Comment

by:arnold
ID: 38857483
The issue is how much time you have and how long the client can cope if the system is taken offline, or whether it can be rebuilt without losing existing functionality.

Author Comment

by:Rik Van Lier
ID: 38858393
Time is no issue, and the system can be offline for cleaning if needed. The system is only needed during business hours, so at weekends the system is free to use.

Accepted Solution

by: arnold (earned 500 total points)
ID: 38858893
The dilemma is that there are two views.
Some are of the view that once a system is infected, a complete reinstall is what is required to avoid the possibility of even a remnant remaining that is compromising the system, because no testing is fully complete, i.e. there might be a nook and cranny that gets overlooked.
The other depends on the severity/type of the compromise and your confidence as to what impact a remnant, if one remains, might have on the system/environment.