Determining who/what PC is modifying files via a network drive

Posted on 2014-12-17
Last Modified: 2014-12-22
Hi, I just dealt with a customer's Windows 2003 R2 server last night. They were infected with the win32.pirate.b virus. That virus modifies all exe files and adds about 180k to the file. We were battling the issue and having a hard time identifying what system was causing these modifications. All of the PCs had a mapped drive letter to the server. The server showed no open files and just 1 or 2 sessions under Computer Management (we were fixing this after hours so there was very little PC use at the time), yet the files were being changed as soon as we restored them. Also, the modified date of the files was not changing according to Windows. I enabled file auditing and no events were created.

I saw similar issues with CryptoWall at another site; there were no open files listed via Computer Management on the server, yet the files were clearly being modified while I was checking.

Does anyone know how the viruses are managing to modify a file without changing the modified date, as well as going undetected in Computer Management, Open Files/Sessions? Can anyone recommend an alternative way to identify what system has open files on a server? In the end we tracked the machine down by checking the registry of all computers. They had about 80 machines so it was tedious. In the past I had found using Computer Management/Open Files to be a reliable tool, but the last few viruses I have encountered don't seem to show their activity on this screen.
Question by:Baran711
13 Comments
 
LVL 12

Expert Comment

by:andreas
ID: 40505581
Are you sure the modifications are coming from the network and not from the server itself?

Test by disconnecting the server from any network connections, clean some files in the affected paths and wait to see if they become infected again.

This would also explain why you can't see the network sessions.

If the files stay intact without network, the next step would be to sniff the traffic on the LAN port of the server to see which systems are communicating with the server.

Does the server export any of those directories by ftp, NFS etc?
0
 
LVL 6

Expert Comment

by:Rob G
ID: 40505723
Assuming that you have a central AV installed.. Do you not see it in the management server?

Otherwise..
you could do this really simple..

Just create a login script..
In the script have everyone reboot..
and delete the following files and keys..
Once you do that, you will likely have to figure out which user is getting popups of missing files or failed software launches.. But that should do it..

%User Temp%\{random file name}.tmp - detected as PE_PARITE.A-O
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ "PINF"

Oh.. Also..
You can modify files through command prompt without changing dates, it's used when you backup a file, so that you know when it was last backed up or created.. depending on the script..
0
 

Author Comment

by:Baran711
ID: 40505752
The changes were definitely coming from the network. We have cleaned the infections and identified the PC causing the issue. That being said, we need a way to identify the PC modifying the files in a better way moving forward. The built-in Sessions/Open Files doesn't seem to work with modern viruses.
0
 
LVL 6

Expert Comment

by:Rob G
ID: 40505767
Yikes..
The AV doesn't see the changes of the files as an infection?
That's a major issue.. because the changes themselves are likely done through simple DOS commands which don't show the change..
I wonder if there is anything added to the code, like a 000000xa or something to that effect, which you could then scan for..
The question I guess I am asking..
Any idea what it added to the file, other than the size?
0
 
LVL 12

Expert Comment

by:andreas
ID: 40505785
Then instruct all users not to use the server but leave the clients running, and then sniff the network traffic. Or, depending on how many clients you have, turn off all clients and then turn them on one by one to check which one introduces the problem.

Finding the virus on the clients doesn't mean the server itself is clean. The server may even run another malware that only DROPS the thing you find in the exe files. You really should consider the server itself compromised too, especially if you have logged on to one of the clients as domain admin or with other accounts with higher privileges. This worm can also spread by exploiting Windows security holes, so be sure your server and clients are up to date with all patches.
0
 
LVL 12

Expert Comment

by:andreas
ID: 40505790
@rob It's a polymorphic virus, therefore any AV does NOT have a chance to detect the modified binaries, as each copy has a different coding. You can only detect changes if you have checksums of the clean files.
0
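The checksum approach andreas describes, as an added PowerShell script that is not code from this thread: the first run writes a SHA-256/size baseline of the executables on the share, later runs report every file whose content differs from the baseline and say whether its timestamp was left untouched (the symptom from the question). The share path, the baseline file location and the availability of Get-FileHash (PowerShell 4 or later) are assumptions.

```powershell
# Added example, not from the thread. Builds a SHA-256/size baseline of
# executables on a share and, on later runs, reports files whose content
# changed, flagging those whose LastWriteTime was left untouched.
# Requires PowerShell 4+ (Get-FileHash). Paths below are placeholders.
param(
    [string]$Root     = '\\FILESERVER\apps',            # placeholder share
    [string]$Baseline = 'C:\baseline\apps-hashes.csv',  # placeholder baseline
    [switch]$Update                                     # rewrite the baseline
)

function Get-ExeInventory {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                Mtime  = $_.LastWriteTimeUtc.ToString('o')
                Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$current = @(Get-ExeInventory -Path $Root)
if ($Update -or -not (Test-Path -LiteralPath $Baseline)) {
    $current | Export-Csv -LiteralPath $Baseline -NoTypeInformation
    Write-Output "Baseline written: $($current.Count) files"
    return
}

# Index the old inventory by path, then diff content, not timestamps.
$old = @{}
Import-Csv -LiteralPath $Baseline | ForEach-Object { $old[$_.Path] = $_ }
foreach ($f in $current) {
    $b = $old[$f.Path]
    if ($null -eq $b) { Write-Output "NEW      $($f.Path)"; continue }
    if ($b.Sha256 -ne $f.Sha256) {
        $growth = [int64]$f.Size - [int64]$b.Size
        $stamp  = if ($b.Mtime -eq $f.Mtime) { 'timestamp unchanged' } else { 'timestamp changed' }
        Write-Output ('CHANGED  {0}  ({1:+#;-#;0} bytes, {2})' -f $f.Path, $growth, $stamp)
    }
}
```

Run it once from a known-clean state with -Update, then on a schedule; a batch of CHANGED lines with a constant growth and "timestamp unchanged" is the pattern the question describes.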
 

Expert Comment

by:TRSTeam
ID: 40505802
Run a trial using netwrix network auditor, you'll find your answers
0
 
LVL 6

Expert Comment

by:Rob G
ID: 40505813
Do you have a backup?
Since the virus is cleaned out, maybe just restore the entire drive?
No?
0
 

Author Comment

by:Baran711
ID: 40506184
We are a bit off topic; the issue is already fixed and the discussion about AV or backup is irrelevant. I am simply looking for a better way to track down the source of problems like this in the future. I have hundreds of clients, it's bound to happen again somewhere else. I will need to look into Netwrix as TRSTeam suggested; that looks like the closest thing to what I am asking for so far. I just want to be able to pinpoint the system that is modifying the files as fast as possible next time. Checking each machine isn't ideal.
0
 
LVL 6

Expert Comment

by:Rob G
ID: 40507079
I am pretty sure from a modification standpoint you could just use Microsoft Auditing in Group Policy. I am not 100% sure this is what you are looking for, or if it still exists, as the last time I used it was in 2k Advanced Server, but there are better 3rd-party tools that will show more detail; I believe SolarWinds LEM will do this in more detail, but it is a little expensive.

To do this through windows you can:
Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy
Start Explorer

Right click on the files/folders select Properties
Select the Security tab
Click the Advanced button
Select the Audit tab
Click Edit
Click Add
Select 'Everyone'
Click OK
Select the actions to audit such as 'List folder/read data'
Click OK
Click OK to all dialogs

The dialogue might be slightly different, and you may have to play with it a little to see if it still works in the newer OSes, but I am pretty sure this will do what you are looking for.. If it is still there..
0
 

Author Comment

by:Baran711
ID: 40507085
I did try enabling auditing; it only seemed to generate events when I looked at the directory. I assumed that since the file modified date wasn't changing, the audit trail wasn't firing either.
0
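The Explorer steps Rob G lists above, and the follow-up about auditing not firing, as an added PowerShell example that is not code from this thread: it applies the same write SACL from the command line and then summarises the Security log by account and client address. A handle opened for write is audited whether or not the writer later resets the timestamp, and the Detailed File Share event (5145) carries the client IP, which is what identifies a PC behind a mapped drive. It assumes Server 2008 R2 or later (auditpol and event 5145 do not exist on Server 2003); the folder and share names are placeholders.

```powershell
# Added example, not from the thread. Enables write auditing on a shared
# folder from the command line (the same SACL the Explorer steps create)
# and summarises who, and from which client, wrote to it. Run elevated on
# the file server. Assumes Server 2008 R2 or later. Names are placeholders.
$Folder    = 'D:\Shares\Apps'   # placeholder local path of the share
$ShareName = 'Apps'             # placeholder share name

# 1. Audit policy: object access for the file system and share-level access.
auditpol /set /subcategory:"File System" /success:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable

# 2. SACL: audit successful write/append/delete by Everyone, inherited downwards.
$acl  = Get-Acl -LiteralPath $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'WriteData, AppendData, WriteAttributes, Delete',
    'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# 3. Query: 4663 records the account and file (logged when the write handle
#    is used, regardless of timestamp tricks); 5145 adds the client IP.
$since  = (Get-Date).AddHours(-4)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 5145; StartTime = $since } |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($_.Id -eq 4663) { $obj = $d['ObjectName'] }
        else { $obj = "$($d['ShareName'])\$($d['RelativeTargetName'])" }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            User   = $d['SubjectUserName']
            Client = $d['IpAddress']           # present on 5145 only
            Share  = $d['ShareName']
            Object = $obj
        }
    }

$events |
    Where-Object { ($_.Id -eq 4663 -and $_.Object -like "$Folder\*") -or
                   ($_.Id -eq 5145 -and $_.Share -like "*\$ShareName") } |
    Group-Object Id, User, Client | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The top 5145 group during a re-infection window names the account and the client address to go and look at, without touching every machine.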
 
LVL 6

Accepted Solution

by:
Rob G earned 2000 total points
ID: 40507228
Baran,
There is a fairly good article on this here:
http://dottech.org/11324/4-ways-to-monitor-who-is-accessing-your-shared-foldersfiles/
I wonder if one of these might work for the information you are trying to pull..?
0
 

Author Comment

by:Baran711
ID: 40512894
Thanks Rob, I was using the built-in Windows one but I will check out the other 3 mentioned in that post.
0