Richeyyy asked:
SBS 2011 MAJOR issue with Hard Disks

At 2 o'clock this afternoon a client rang to say they could no longer access Exchange or their shared data.
Logging into the machine, EVERY drive on the server except the main disk was empty. Not just not showing up, but there, labelled correctly and showing the correct TOTAL space, but not a single piece of info on them.
C: Windows - standalone SSD - running fine
D: Exchange - external DAS running off a SIL3121 SATA RAID - empty
E: WSUS - empty - as above
F: Archive - empty - as above
G: StorageCraft backup - internal Intel RAID - empty
F: DATA - secondary external DAS, totally separate from the first one (2 separate boxes)

One could look at the SIL RAID card, but the fact that a totally separate Intel internal RAID has done the same, and the disks are showing up, says to me it is not that.

I cannot find a single reason in the event log for anything to have happened. No windows updates or driver updates have been run.
The only suspicious thing was that someone had logged on locally to the machine yesterday (it is not used and sits in a cupboard) as a generic user, and there was a Russian Google Chrome installed. On the desktop was a program folder called Clearlogs.V1 with an exe file under Clearlogs. This seemed to have been downloaded 2 years ago, but the folder it sits in shows it was edited at the same time everything seems to have stopped today.

Does anyone have any ideas at all? I am totally lost, and with no backups available the company of 30 users is screwed!
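A read-only triage script for the symptoms described in the question (mounted volumes reporting full size but no used space, no explanation in the event log, a local logon, and a log-clearing tool on the desktop). This is an added example, not from the thread; it only queries WMI and the event logs and writes nothing, so it does not interfere with a later data-recovery attempt. It targets PowerShell 2.0 as shipped with SBS 2011 (Server 2008 R2); the Clearlogs.V1 desktop path and the 100 MB "looks wiped" threshold are assumptions.

```powershell
# Added triage example (not the thread's code). Run as Administrator, read-only.
# Assumes PowerShell 2.0 on SBS 2011; event IDs 1102/104/4624 are standard Windows IDs.

# 1. Fixed volumes that are mounted and sized, yet hold (almost) no data.
#    A formatted or mass-deleted volume shows the same "correct total, nothing used" picture.
Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" |
    Select-Object DeviceID, VolumeName, FileSystem,
        @{n='SizeGB';     e={[math]::Round($_.Size/1GB,1)}},
        @{n='UsedGB';     e={[math]::Round(($_.Size-$_.FreeSpace)/1GB,1)}},
        @{n='LooksWiped'; e={($_.Size -gt 0) -and (($_.Size-$_.FreeSpace) -lt 100MB)}} |
    Format-Table -AutoSize

$since = (Get-Date).AddDays(-7)

# 2. "Nothing in the event log" can itself be the evidence: 1102 = Security log cleared,
#    104 = System/Application log cleared. These survive the clearing they describe.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{LogName='System'; Id=104; StartTime=$since} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 3. Interactive logons to correlate with "someone logged on locally yesterday":
#    4624 with LogonType 2 (console) or 10 (RDP). Property indexes follow the 4624 schema.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { @(2,10) -contains $_.Properties[8].Value } |
    Select-Object TimeCreated,
        @{n='User'; e={$_.Properties[5].Value}},
        @{n='Type'; e={$_.Properties[8].Value}},
        @{n='From'; e={$_.Properties[18].Value}} |
    Format-Table -AutoSize

# 4. Timestamps of the suspicious folder to line up against the outage time (path assumed).
Get-Item 'C:\Users\*\Desktop\Clearlogs.V1' -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTime, LastWriteTime, LastAccessTime
```

If the 1102/104 queries return nothing while the Security log is nearly empty, treat that as a finding in its own right and preserve the logs (export with wevtutil or image the disk) before anything else is run on the box.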
Lee W, MVP

At this point I'd shut down the server and send the hard drives to data recovery.  Could you possibly find something yourself?  Sure... but you could also easily destroy any possibility they may still have to get their data back.

I would then work with them on a plan to set up REAL backups that include OFF-SITE and rotating media.
Russian Google Chrome, eh?  I think you know what happened, but if you want validation, yeah, you got compromised and someone either intentionally or inadvertently wiped the data.  

No backups?  Ouch.  Depending on who did the damage, you *might* be able to recover data from the drives (after all the labels and partitions sound intact) but in all likelihood, with the way modern malware and crypto attacks work, I'm betting...gone.

No backups, no options really. Hard lesson for them to learn.
Chrome or Chromium?
ASKER CERTIFIED SOLUTION
David
I would also advise them to get law enforcement involved and have company management think about any IT people that recently left the company under less than favorable conditions.

If this is a ransomware attack, then the good news is maybe the extortionist sent an email asking for a few thousand dollars and it is in a junk folder.
Richeyyy (ASKER)

That's the problem: they had a data recovery setup with local and remote backup, but the local was formatted/deleted and the remote was removed via the program, as it has a safety guard in it to do so.
All in all they have been royally f@&ked by someone who knew the system. Strange thing is they have had no acrimonious departures, and the way they got in is not by accident. Very, very odd.
Only one backup?  Sad.
Well, even if you format, if they didn't run a one-and-zero write to every sector, the data may be recoverable in house.
Backups should include OFFLINE copies that aren't more than a few days or a week old.  Having a "remote" backup that is an externally attached hard drive is not a "remote" backup.  It's still local.  Replication is NOT backup - it's Disaster Recovery.
... and one needs both backup copies and archive copies. Archives imply offsite, long-term, disaster recovery copies for situations such as the customer experienced. They are also for fire, flood, tornadoes, and the situation your customer experienced.

Never have one copy, nothing is infallible.
Correction: Cliff's post ID: 41739994 suggested this first; he deserves the points.
Author confirmed problem was not hardware, it was due to a hacker as suggested by this post