Determing who/what pc is modifying files via a network drive
Hi I just dealt with a customer's windows 2003r2 server last night. They were infected with win32.pirate.b virus. That virus modifies all exe files and adds about 180k to the file. We were battling the issue and having a hard time identifying what system was causing these modifications. All of the pcs had a mapped drive letter to the server. The server showed no open files and just 1 or 2 sessions under computer management (we were fixing this after hours so there was very little pc use at the time), yet the files were being changed as soon as we restored them. Also the modified date of the files were not changing according to windows. I enabled file auditing and no events were created.
I saw similar issues with cryptowall at another site, there were no open files listed via computer management on the server, yet the files were clearly being modified while i was checking.
Does anyone know how the viruses are managing to modify a file without changing the modified date as well as going undetected in computer management, open files/sessions? Can anyone recommend an alternative way to identify what system has open files on a server. In the end we tracked the machine down by checking the registry of all computers. They had about 80 machines so it was tedious. In the past I had found using computer management/open files to be a reliable tool but the last few viruses I have encountered don't seem to show their activity on this screen.
I saw similar issues with cryptowall at another site, there were no open files listed via computer management on the server, yet the files were clearly being modified while i was checking.
Does anyone know how the viruses are managing to modify a file without changing the modified date as well as going undetected in computer management, open files/sessions? Can anyone recommend an alternative way to identify what system has open files on a server. In the end we tracked the machine down by checking the registry of all computers. They had about 80 machines so it was tedious. In the past I had found using computer management/open files to be a reliable tool but the last few viruses I have encountered don't seem to show their activity on this screen.
Assuming that you have a central AV installed.. Do you not see it in the management server?
Otherwise..
you could do this really simple..
Just create a login script..
In the script have everyone reboot..
and delete the following files and keys..
Once you do that, you will likely have to figure out which user is getting popups of missing files or failed software launches.. But that should do it..
%User Temp%\{random file name}.tmp - detected as PE_PARITE.A-O
In HKEY_CURRENT_USER\Software
Oh.. Also..
You can modify files through command prompt without changing dates, it's used when you backup a file, so that you know when it was last backed up or created.. depending on the script..
Otherwise..
you could do this really simple..
Just create a login script..
In the script have everyone reboot..
and delete the following files and keys..
Once you do that, you will likely have to figure out which user is getting popups of missing files or failed software launches.. But that should do it..
%User Temp%\{random file name}.tmp - detected as PE_PARITE.A-O
In HKEY_CURRENT_USER\Software
Oh.. Also..
You can modify files through command prompt without changing dates, it's used when you backup a file, so that you know when it was last backed up or created.. depending on the script..
ASKER
The changes were definitely coming from the network. We have cleaned the infections and identified the pc causing the issue. That being said we need a way to identify the pc modifying the files in a better way moving forward. The built in session/open files doesn't seem to work with modern viruses
yikes..
The AV doesn't see the changes of the files as an infection?
That's a major issue.. because the changes themselves likely are done through simple DOS commands which don't show the change..
I wonder if there is anything added to the code, like a 000000xa or something to that effect in which then you can scan for..
The question i guess i am asking..
Any idea what it added to the file, other then the size?
The AV doesn't see the changes of the files as an infection?
That's a major issue.. because the changes themselves likely are done through simple DOS commands which don't show the change..
I wonder if there is anything added to the code, like a 000000xa or something to that effect in which then you can scan for..
The question i guess i am asking..
Any idea what it added to the file, other then the size?
then instruct all users not to use the server but let the clients running and then sniff the network traffic. Or depending on how many clients you have turn off all clients and then only turn on one by one to check which one will introduce he problem.
finding the virus on the clients doesn't mean the server itself is clean. The server may even run another malware that only DROPS the thing you find in the exe files. You really should consider the server itself comromised too. Especially if you have logged on to one of the clients as domain admins or other accounts with higer privileges. This Worm also can spread by exploting windows security holes. So be sure your server and clients are up to date with all patches.
finding the virus on the clients doesn't mean the server itself is clean. The server may even run another malware that only DROPS the thing you find in the exe files. You really should consider the server itself comromised too. Especially if you have logged on to one of the clients as domain admins or other accounts with higer privileges. This Worm also can spread by exploting windows security holes. So be sure your server and clients are up to date with all patches.
@rob Its a polymorphic virus. therefore any AV does NOT have a chance to detect the modified binaries, as each copy has a different coding. You only can detect changes if you have checksums of the clean files.
Run a trial using netwrix network auditor, you'll find your answers
Do you have a backup?
Since the virus is cleaned out, maybe just restore the entire drive?
No?
Since the virus is cleaned out, maybe just restore the entire drive?
No?
ASKER
we are a bit off topic, the issue is already fixed and the discussion about AV or backup is irrelevant. I am simply looking for a better way to track down the source of problems like this in the future, i have hundreds of clients, its bound to happen again somewhere else. i will need to look into netwrix as trsteam suggested, that looks like the closest thing to what i am asking for so far.I just want to be able to pinpoint the system that is modifying the files as fast as possible next time. checking each machine isnt ideal.
I am pretty sure from a modification stand-point you could just use Microsoft Auditing in Group Policy. I am not 100% sure this is what you are looking for, or if it still exists, as the last time i used it was in 2k advanced server, but there are better tools 3rd party that will show more detail, i believe solarwinds LEM will do this in more detail, but it is a little expensive.
To do this through windows you can:
Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy
Start Explorer
Right click on the files/folders select Properties
Select the Security tab
Click the Advanced button
Select the Audit tab
Click Edit
Click Add
Select 'Everyone'
Click OK
Select the actions to audit such as 'List folder/read data'
Click OK
Click OK to all dialogs
The dialogue might be slightly different, and you may have to play with it a little to see if it still works in the Newer OS's but i am pretty sure this will do what you are looking for.. If it is still there..
To do this through windows you can:
Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy
Start Explorer
Right click on the files/folders select Properties
Select the Security tab
Click the Advanced button
Select the Audit tab
Click Edit
Click Add
Select 'Everyone'
Click OK
Select the actions to audit such as 'List folder/read data'
Click OK
Click OK to all dialogs
The dialogue might be slightly different, and you may have to play with it a little to see if it still works in the Newer OS's but i am pretty sure this will do what you are looking for.. If it is still there..
ASKER
i did try enabling auditing, it only seemed to generate events when i looked at the directory. i assumed since the file modified date wasnt changing the audit trail wasnt firing either.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks rob, i was using the built in windows one but i will check out the other 3 mentioned in that post.
Test to diasconnect the server from any network connections, clean some files in the afected paths and wait to see if they become infected again.
This would also explain why you cant see the network sessions.
If the files keep intact without network, next would be to sniff the traffic on the lan port of the server to see which systems are communicationg with the server.
Does the server export any of those directories by ftp, NFS etc?