Solved

Malware on server

Posted on 2013-01-27
9
193 Views
Last Modified: 2013-06-01
Hi,

i have a client running on Windows Server 2008 R2. 20 users are using RDP to work on this server.

Those users are only power users and there is one admin in the system.

Now since a week they have complaints about a malware on the server. Everytime i scan the system i keep cleaning malwares.

2 Questions...

1. how is it possible that a power user is able to do something so that a malware is installed on the server. What do i wrong and how can i prevent this?

2. the malware seems to hide always in the SoftwareDistrubution folder. Can i simply delete this folder and let the system create a new one? Or does this impact the server operation?

thanks!
0
Comment
Question by:Rik Van Lier
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 24

Expert Comment

by:smckeown777
ID: 38824784
Few questions...

1) What AV is installed on the server?
2) Why are users Power Users? No need for this on a server, in fact an RDP server should be 'locked down' normally to prevent these type of things happening..
3) No you can't delete that folder, its a system folder and is required by windows

To start this properly you need to fix the permissions first, yes power users can do more than standard users so you need to determine why that level of access is needed
0
 
LVL 54

Expert Comment

by:McKnife
ID: 38824831
Hi.

Let me clear up some facts first:
-power users: non-existent in 2008 server. The group is there by name, yes, for compatibility reasons, but adding users to that group does not add any privileges.
-software distribution folder: can be deleted without disrupting windows, yes, but this will not solve your problem.

Given the fact that that folder "software distrib." cannot be written into by normal users, clearly tells us that the virus is already using administrator or system rights. Your system cannot be trusted anymore. If you are no expert at this matter and I am afraid, this seems obvious, you should not try to clean but save your data and reinstall that server or resort to an image backup with a known clean state.
0
 
LVL 1

Author Comment

by:Rik Van Lier
ID: 38824851
i am more then technical enough to solve this problem, i just earned this job from another provider. My customer does not want to work anymore with them and askes me to solve this.

I have no option to reinstall this server. Also let me be clear that the server does not have any other problems. Once a day there is a notice from the Antivirus that a malware has been found and deleted.

To answer the other question. The server is running on Microsoft Security Essentials.
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 24

Expert Comment

by:smckeown777
ID: 38824959
Ok, this will require a bit of work...

I assume its MSE that is detecting the malware? So it can remove it as well?

Is UAC enabled on the server at least? Working from @McKnife's comment about Power Users being irrelevant(which I didn't know apologies) we still need to determine what/how the infection is taking place if the users are just standard accounts...

I've never used MSE on a server before so not sure if its up to the job, but if MSE is cleaning the server and its getting re-infected again and again then remove the Admin users from using the server completely as a start, that way you can then see if the standard accounts are still letting the infection happen...if not then you might be out of jail, but in reality cleaning this machine could take you a LOT of time, whereas a wipe and reinstall may be the more recommended solution and also allow you to properly 'lockdown' the server using proper GPO's etc...
0
 
LVL 77

Expert Comment

by:arnold
ID: 38825419
See whether the notice of found item deals with a shadow copy (system volume) or whether the captured item is in a specific users's path?
The malware might be part f a single user profile or an add-on with IE.

Hardto say which.
0
 
LVL 1

Author Comment

by:Rik Van Lier
ID: 38857262
ok, i went to see the customer and server today. What i did find our was that there is no special GPO or lockdown policy running this machine.

also was the UAC complete off. I did turned this back on today.

Since then they got almost no malware errors anymore. maybe once a day.

Also it seems that the malware is in the shadow copy or the software distribution folder.

what do you advice?
0
 
LVL 77

Expert Comment

by:arnold
ID: 38857483
The issue is how much time do you have and how long does the client have if the system was taken offline, or can it be rebuilt without loosing existing functionality?
0
 
LVL 1

Author Comment

by:Rik Van Lier
ID: 38858393
time is no issue and if system needs to be offline for cleaning. the system is only needed during business hours. so weekends the system is free of use.
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 38858893
The dilemma is that there are two.
Some are of the view that once a system is infected, a complete reinstall is what is required to avoid a possibility of having even a remnant remain that is compromising the system because no testing is fully complete. i.e. there might be a nook and cranny that might be overlooked
The other is depending on the severity/type of the compromise and your confidence as to what impact if a remnant remains might it have on the system/environment.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question