Determining who/what PC is modifying files via a network drive
Posted on 2014-12-17
Hi, I just dealt with a customer's Windows 2003 R2 server last night. They were infected with the win32.pirate.b virus. That virus modifies all exe files and adds about 180k to the file. We were battling the issue and having a hard time identifying what system was causing these modifications. All of the PCs had a mapped drive letter to the server. The server showed no open files and just 1 or 2 sessions under Computer Management (we were fixing this after hours, so there was very little PC use at the time), yet the files were being changed as soon as we restored them. Also, the modified date of the files was not changing according to Windows. I enabled file auditing and no events were created.
I saw similar issues with CryptoWall at another site: there were no open files listed via Computer Management on the server, yet the files were clearly being modified while I was checking.
Does anyone know how the viruses are managing to modify a file without changing the modified date, as well as going undetected in Computer Management under Open Files/Sessions? Can anyone recommend an alternative way to identify what system has open files on a server? In the end we tracked the machine down by checking the registry of all computers. They had about 80 machines, so it was tedious. In the past I had found using Computer Management/Open Files to be a reliable tool, but the last few viruses I have encountered don't seem to show their activity on this screen.
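A rewrite that preserves the modified date, as described in the post, can still be caught by comparing content hashes against a baseline rather than trusting timestamps or the Open Files view. The following is an added example, not code from the post; it assumes the share is reachable as a local or mapped path, and the set of watched extensions is a guess.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example (not from the original post). Extensions to watch are an assumption.
WATCHED = {".exe", ".dll", ".scr"}


def snapshot(root):
    """Record (size, sha256, mtime_ns) for every watched file under root."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WATCHED:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            st = path.stat()
            state[str(path)] = (st.st_size, digest, st.st_mtime_ns)
    return state


def compare(before, after):
    """Report files whose content changed; flag when the mtime was left untouched."""
    findings = []
    for name, (size0, hash0, mtime0) in before.items():
        if name not in after:
            findings.append((name, "missing", 0, False))
            continue
        size1, hash1, mtime1 = after[name]
        if hash1 != hash0:
            # Content differs but the modified date may not: Explorer and
            # date-based checks miss this, so the hash is what to trust.
            findings.append((name, "modified", size1 - size0, mtime1 == mtime0))
    return findings


def demo():
    """Constructed scenario: an .exe grows by ~180 KB but keeps its old mtime."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / "app.exe"
        target.write_bytes(b"MZ" + b"\x00" * 1000)
        old_ns = target.stat().st_mtime_ns
        before = snapshot(root)
        # Simulate the infection: append ~180 KB, then restore the old timestamp.
        target.write_bytes(target.read_bytes() + b"\x90" * (180 * 1024))
        os.utime(target, ns=(old_ns, old_ns))
        return compare(before, snapshot(root))
```

Run `snapshot()` against the share after a clean restore, save the result, and re-run `compare()` on a schedule; the flagged paths and the time window narrow down which session was writing.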