Solved

Malware on server

Posted on 2013-01-27
9
191 Views
Last Modified: 2013-06-01
Hi,

I have a client running Windows Server 2008 R2. 20 users use RDP to work on this server.

Those users are only power users and there is one admin in the system.

For a week now they have had complaints about malware on the server. Every time I scan the system I keep cleaning malware.

2 Questions...

1. How is it possible that a power user is able to do something so that malware is installed on the server? What am I doing wrong, and how can I prevent this?

2. The malware always seems to hide in the SoftwareDistribution folder. Can I simply delete this folder and let the system create a new one? Or does this impact the server operation?

Thanks!
Question by: Rik Van Lier

9 Comments
 
LVL 24

Expert Comment

by:smckeown777
ID: 38824784
Few questions...

1) What AV is installed on the server?
2) Why are users Power Users? No need for this on a server; in fact an RDP server should normally be 'locked down' to prevent these types of things happening.
3) No, you can't delete that folder; it's a system folder and is required by Windows.

To start this properly you need to fix the permissions first. Yes, power users can do more than standard users, so you need to determine why that level of access is needed.
 
LVL 53

Expert Comment

by:McKnife
ID: 38824831
Hi.

Let me clear up some facts first:
- Power users: non-existent in 2008 Server. The group is there by name, yes, for compatibility reasons, but adding users to that group does not add any privileges.
- Software distribution folder: can be deleted without disrupting Windows, yes, but this will not solve your problem.

The fact that that folder ("software distrib.") cannot be written into by normal users clearly tells us that the virus is already using administrator or system rights. Your system cannot be trusted anymore. If you are no expert at this matter (and I am afraid this seems obvious), you should not try to clean, but save your data and reinstall that server, or resort to an image backup with a known clean state.
 
LVL 1

Author Comment

by:Rik Van Lier
ID: 38824851
I am more than technical enough to solve this problem; I just earned this job from another provider. My customer does not want to work with them anymore and asked me to solve this.

I have no option to reinstall this server. Also, let me be clear that the server does not have any other problems. Once a day there is a notice from the antivirus that malware has been found and deleted.

To answer the other question: the server is running Microsoft Security Essentials.
 
LVL 24

Expert Comment

by:smckeown777
ID: 38824959
Ok, this will require a bit of work...

I assume it's MSE that is detecting the malware? So it can remove it as well?

Is UAC enabled on the server at least? Working from @McKnife's comment about Power Users being irrelevant (which I didn't know, apologies), we still need to determine what/how the infection is taking place if the users are just standard accounts...

I've never used MSE on a server before, so I'm not sure if it's up to the job, but if MSE is cleaning the server and it's getting re-infected again and again, then remove the admin users from using the server completely as a start; that way you can then see if the standard accounts are still letting the infection happen... if not then you might be out of jail, but in reality cleaning this machine could take you a LOT of time, whereas a wipe and reinstall may be the more recommended solution and would also allow you to properly 'lock down' the server using proper GPOs etc...
 
LVL 77

Expert Comment

by:arnold
ID: 38825419
See whether the notice of the found item deals with a shadow copy (system volume) or whether the captured item is in a specific user's path.
The malware might be part of a single user profile or an add-on for IE.

Hard to say which.
 
LVL 1

Author Comment

by:Rik Van Lier
ID: 38857262
OK, I went to see the customer and server today. What I did find out was that there is no special GPO or lockdown policy running on this machine.

Also, UAC was completely off. I turned this back on today.

Since then they have had almost no malware errors anymore, maybe once a day.

Also, it seems that the malware is in the shadow copy or the SoftwareDistribution folder.

What do you advise?
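The three checks discussed above (whether UAC is actually on, who really holds privileges on the RDP server given that Power Users grants nothing on 2008 R2, and whether a detection sits in a VSS shadow copy, in SoftwareDistribution, or in one user's profile) can be scripted. The following PowerShell triage script is an added example written for this thread, not code from any of the posters; it assumes the standard Windows local group names and uses constructed placeholder detection paths rather than anything found on the server in question. Run it from an elevated PowerShell prompt on the server itself (it is written for the PowerShell 2.0 that ships with 2008 R2).

```powershell
# Added triage example for the points raised in this thread (not code from any poster).
# 1) Is UAC actually on?  2) Who really holds privileges?  3) Where do the AV hits land?
# Run from an elevated PowerShell prompt on the server. Detection paths below are
# CONSTRUCTED samples with placeholders, not findings from the thread.

# --- 1. UAC state: EnableLUA = 1 means UAC is on; 0 means it is completely off ---
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $policyKey -Name EnableLUA).EnableLUA
if ($enableLua -eq 1) {
    Write-Output 'UAC: enabled'
} else {
    Write-Output 'UAC: DISABLED - set EnableLUA=1 (or the matching GPO) and reboot'
}

# --- 2. Local group membership via ADSI (works on PowerShell 2.0 / 2008 R2) ---
function Get-LocalGroupMembers {
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.Invoke('Members')) | ForEach-Object {
        # Each member is a COM object; read its Name property through reflection
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Power Users grants no extra rights on 2008 R2, so the lists that matter are
# Administrators (who can write to SoftwareDistribution) and Remote Desktop Users
# (who can log on over RDP at all). Power Users is listed only for comparison.
foreach ($name in 'Administrators', 'Remote Desktop Users', 'Power Users') {
    $members = Get-LocalGroupMembers -GroupName $name
    Write-Output ('{0}: {1}' -f $name, ($members -join ', '))
}

# --- 3. Classify where a detection was found ---
# SoftwareDistribution is written by the Windows Update service as SYSTEM, so a file
# there means privileged code placed it. A hit inside a VSS snapshot is an old copy,
# not a live infection. A hit under C:\Users\<name> points at that user's session.
function Get-DetectionLocation {
    param([string]$Path)
    switch -Regex ($Path) {
        'System Volume Information|HarddiskVolumeShadowCopy' {
            'VSS shadow copy: stale copy of an earlier infection, not a live one'; break
        }
        '\\Windows\\SoftwareDistribution\\' {
            'SoftwareDistribution: only SYSTEM/admins write here, so privileged code was involved'; break
        }
        '^[A-Za-z]:\\Users\\([^\\]+)\\' {
            "profile of user '$($Matches[1])': check that user's RDP session and browser add-ons"; break
        }
        default { 'elsewhere: inspect manually' }
    }
}

# Constructed sample paths (placeholders, not real findings)
$sampleDetections = @(
    'C:\System Volume Information\{SNAPSHOT-GUID-PLACEHOLDER}\Windows\Temp\dropper.exe',
    'C:\Windows\SoftwareDistribution\Download\PLACEHOLDER-HASH\setup.exe',
    'C:\Users\rdpuser01\AppData\Local\Temp\update.exe',
    'D:\Shares\Public\invoice.pdf.exe'
)
foreach ($p in $sampleDetections) {
    Write-Output ("{0}`n    -> {1}" -f $p, (Get-DetectionLocation -Path $p))
}
```

Feed the real paths from the MSE history into Get-DetectionLocation in place of the constructed samples: repeated hits only inside shadow copies can be cleared by deleting old snapshots (vssadmin), whereas repeated hits in SoftwareDistribution or other SYSTEM-only locations mean something with administrative rights is still active and support McKnife's view that the box cannot be trusted.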
 
LVL 77

Expert Comment

by:arnold
ID: 38857483
The issue is how much time you have and how long the client can have the system taken offline, or whether it can be rebuilt without losing existing functionality.
 
LVL 1

Author Comment

by:Rik Van Lier
ID: 38858393
Time is no issue, even if the system needs to be offline for cleaning. The system is only needed during business hours, so on weekends the system is free of use.
 
LVL 77

Accepted Solution

by: arnold (earned 500 total points)
ID: 38858893
The dilemma is that there are two.
Some are of the view that once a system is infected, a complete reinstall is required to avoid the possibility of even a remnant remaining that compromises the system, because no testing is fully complete, i.e. there might be a nook and cranny that is overlooked.
The other is, depending on the severity/type of the compromise and your confidence, what impact a remnant, if one remains, might have on the system/environment.