Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Malware on server

Posted on 2013-01-27
Medium Priority
Last Modified: 2013-06-01

i have a client running on Windows Server 2008 R2. 20 users are using RDP to work on this server.

Those users are only power users and there is one admin in the system.

Now since a week they have complaints about a malware on the server. Everytime i scan the system i keep cleaning malwares.

2 Questions...

1. how is it possible that a power user is able to do something so that a malware is installed on the server. What do i wrong and how can i prevent this?

2. the malware seems to hide always in the SoftwareDistrubution folder. Can i simply delete this folder and let the system create a new one? Or does this impact the server operation?

Question by:Rik Van Lier
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +1
LVL 24

Expert Comment

ID: 38824784
Few questions...

1) What AV is installed on the server?
2) Why are users Power Users? No need for this on a server, in fact an RDP server should be 'locked down' normally to prevent these type of things happening..
3) No you can't delete that folder, its a system folder and is required by windows

To start this properly you need to fix the permissions first, yes power users can do more than standard users so you need to determine why that level of access is needed
LVL 56

Expert Comment

ID: 38824831

Let me clear up some facts first:
-power users: non-existent in 2008 server. The group is there by name, yes, for compatibility reasons, but adding users to that group does not add any privileges.
-software distribution folder: can be deleted without disrupting windows, yes, but this will not solve your problem.

Given the fact that that folder "software distrib." cannot be written into by normal users, clearly tells us that the virus is already using administrator or system rights. Your system cannot be trusted anymore. If you are no expert at this matter and I am afraid, this seems obvious, you should not try to clean but save your data and reinstall that server or resort to an image backup with a known clean state.

Author Comment

by:Rik Van Lier
ID: 38824851
i am more then technical enough to solve this problem, i just earned this job from another provider. My customer does not want to work anymore with them and askes me to solve this.

I have no option to reinstall this server. Also let me be clear that the server does not have any other problems. Once a day there is a notice from the Antivirus that a malware has been found and deleted.

To answer the other question. The server is running on Microsoft Security Essentials.
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 24

Expert Comment

ID: 38824959
Ok, this will require a bit of work...

I assume its MSE that is detecting the malware? So it can remove it as well?

Is UAC enabled on the server at least? Working from @McKnife's comment about Power Users being irrelevant(which I didn't know apologies) we still need to determine what/how the infection is taking place if the users are just standard accounts...

I've never used MSE on a server before so not sure if its up to the job, but if MSE is cleaning the server and its getting re-infected again and again then remove the Admin users from using the server completely as a start, that way you can then see if the standard accounts are still letting the infection happen...if not then you might be out of jail, but in reality cleaning this machine could take you a LOT of time, whereas a wipe and reinstall may be the more recommended solution and also allow you to properly 'lockdown' the server using proper GPO's etc...
LVL 80

Expert Comment

ID: 38825419
See whether the notice of found item deals with a shadow copy (system volume) or whether the captured item is in a specific users's path?
The malware might be part f a single user profile or an add-on with IE.

Hardto say which.

Author Comment

by:Rik Van Lier
ID: 38857262
ok, i went to see the customer and server today. What i did find our was that there is no special GPO or lockdown policy running this machine.

also was the UAC complete off. I did turned this back on today.

Since then they got almost no malware errors anymore. maybe once a day.

Also it seems that the malware is in the shadow copy or the software distribution folder.

what do you advice?
LVL 80

Expert Comment

ID: 38857483
The issue is how much time do you have and how long does the client have if the system was taken offline, or can it be rebuilt without loosing existing functionality?

Author Comment

by:Rik Van Lier
ID: 38858393
time is no issue and if system needs to be offline for cleaning. the system is only needed during business hours. so weekends the system is free of use.
LVL 80

Accepted Solution

arnold earned 2000 total points
ID: 38858893
The dilemma is that there are two.
Some are of the view that once a system is infected, a complete reinstall is what is required to avoid a possibility of having even a remnant remain that is compromising the system because no testing is fully complete. i.e. there might be a nook and cranny that might be overlooked
The other is depending on the severity/type of the compromise and your confidence as to what impact if a remnant remains might it have on the system/environment.

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question