Malware on server

Posted on 2013-01-27
Last Modified: 2013-06-01

i have a client running on Windows Server 2008 R2. 20 users are using RDP to work on this server.

Those users are only power users and there is one admin in the system.

Now since a week they have complaints about a malware on the server. Everytime i scan the system i keep cleaning malwares.

2 Questions...

1. how is it possible that a power user is able to do something so that a malware is installed on the server. What do i wrong and how can i prevent this?

2. the malware seems to hide always in the SoftwareDistrubution folder. Can i simply delete this folder and let the system create a new one? Or does this impact the server operation?

Question by:Rik Van Lier
  • 3
  • 3
  • 2
  • +1
LVL 24

Expert Comment

ID: 38824784
Few questions...

1) What AV is installed on the server?
2) Why are users Power Users? No need for this on a server, in fact an RDP server should be 'locked down' normally to prevent these type of things happening..
3) No you can't delete that folder, its a system folder and is required by windows

To start this properly you need to fix the permissions first, yes power users can do more than standard users so you need to determine why that level of access is needed
LVL 54

Expert Comment

ID: 38824831

Let me clear up some facts first:
-power users: non-existent in 2008 server. The group is there by name, yes, for compatibility reasons, but adding users to that group does not add any privileges.
-software distribution folder: can be deleted without disrupting windows, yes, but this will not solve your problem.

Given the fact that that folder "software distrib." cannot be written into by normal users, clearly tells us that the virus is already using administrator or system rights. Your system cannot be trusted anymore. If you are no expert at this matter and I am afraid, this seems obvious, you should not try to clean but save your data and reinstall that server or resort to an image backup with a known clean state.

Author Comment

by:Rik Van Lier
ID: 38824851
i am more then technical enough to solve this problem, i just earned this job from another provider. My customer does not want to work anymore with them and askes me to solve this.

I have no option to reinstall this server. Also let me be clear that the server does not have any other problems. Once a day there is a notice from the Antivirus that a malware has been found and deleted.

To answer the other question. The server is running on Microsoft Security Essentials.
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

LVL 24

Expert Comment

ID: 38824959
Ok, this will require a bit of work...

I assume its MSE that is detecting the malware? So it can remove it as well?

Is UAC enabled on the server at least? Working from @McKnife's comment about Power Users being irrelevant(which I didn't know apologies) we still need to determine what/how the infection is taking place if the users are just standard accounts...

I've never used MSE on a server before so not sure if its up to the job, but if MSE is cleaning the server and its getting re-infected again and again then remove the Admin users from using the server completely as a start, that way you can then see if the standard accounts are still letting the infection happen...if not then you might be out of jail, but in reality cleaning this machine could take you a LOT of time, whereas a wipe and reinstall may be the more recommended solution and also allow you to properly 'lockdown' the server using proper GPO's etc...
LVL 77

Expert Comment

ID: 38825419
See whether the notice of found item deals with a shadow copy (system volume) or whether the captured item is in a specific users's path?
The malware might be part f a single user profile or an add-on with IE.

Hardto say which.

Author Comment

by:Rik Van Lier
ID: 38857262
ok, i went to see the customer and server today. What i did find our was that there is no special GPO or lockdown policy running this machine.

also was the UAC complete off. I did turned this back on today.

Since then they got almost no malware errors anymore. maybe once a day.

Also it seems that the malware is in the shadow copy or the software distribution folder.

what do you advice?
LVL 77

Expert Comment

ID: 38857483
The issue is how much time do you have and how long does the client have if the system was taken offline, or can it be rebuilt without loosing existing functionality?

Author Comment

by:Rik Van Lier
ID: 38858393
time is no issue and if system needs to be offline for cleaning. the system is only needed during business hours. so weekends the system is free of use.
LVL 77

Accepted Solution

arnold earned 500 total points
ID: 38858893
The dilemma is that there are two.
Some are of the view that once a system is infected, a complete reinstall is what is required to avoid a possibility of having even a remnant remain that is compromising the system because no testing is fully complete. i.e. there might be a nook and cranny that might be overlooked
The other is depending on the severity/type of the compromise and your confidence as to what impact if a remnant remains might it have on the system/environment.

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
windows 10 versions 3 63
GPO not showing IE10 in GP Preferences 14 71
Scan Mac for security breach? 5 42
Robocopy parameters. 6 7
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question