Solved

SBS 2011 MAJOR issue with Hard Disks

Posted on 2016-08-02
56 Views
Last Modified: 2016-08-25
At 2 o'clock this afternoon a client rang to say they could no longer access Exchange or their shared data.
Logging into the machine, EVERY drive on the server except the main disk was empty. Not just not showing up, but there, labelled correctly and showing the correct TOTAL space, yet without a single piece of info on them.
C: - Windows - Standalone SSD - Running fine
D: - Exchange - External DAS running off a SIL3121 SATA RAID - empty
E: - WSUS - Empty - As above
F: - Archive - Empty, as above
G: - StorageCraft Backup - Internal Intel RAID - Empty
F: - DATA - secondary external DAS, totally separate from the 1st one (2 separate boxes)

One could look at the SIL RAID card, but the fact that a totally separate Intel internal RAID has done the same and the disks are showing up says to me it is not that.

I cannot find a single reason in the event log for anything to have happened. No windows updates or driver updates have been run.
The only suspicious thing was that someone had logged on locally to the machine yesterday (it is not used and sits in a cupboard) as a generic user, and there was a Russian Google Chrome installed. On the desktop was a program folder called Clearlogs.V1 with an exe file under Clearlogs. This seemed to have been downloaded 2 years ago, but the folder it sits in shows it was edited at the same time everything seems to have stopped today.

Does anyone have any ideas at all, because I am totally lost, and with no backups available the company of 30 users is screwed!
0
Comment
Question by:Richeyyy
12 Comments
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41739376
At this point I'd shut down the server and send the hard drives to data recovery.  Could you possibly find something yourself?  Sure... but you could also easily destroy any possibility they may still have to get their data back.

I would then work with them on a plan to setup REAL backups that include OFF-SITE and rotating media.
1
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41739994
Russian Google Chrome, eh?  I think you know what happened, but if you want validation, yeah, you got compromised and someone either intentionally or inadvertently wiped the data.  

No backups?  Ouch.  Depending on who did the damage, you *might* be able to recover data from the drives (after all the labels and partitions sound intact) but in all likelihood, with the way modern malware and crypto attacks work, I'm betting...gone.

No backups, no options really. Hard lesson for them to learn.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 41740024
Chrome or Chromium?
0
 
LVL 47

Accepted Solution

by: David (earned 500 total points, awarded by participants)
ID: 41741690
I would create a sandbox virtual machine, copy that clearlogs program to it, and run it.  If it blows things away, you have verification.  

As for data being lost, one could tell with the right software if the disk was programmatically locked; reformatted at block level; partitioning changed or destroyed; sanitized; subjected to a denial of service attack in one of many ways; resized programmatically to tiny capacity ...

So many ways to do evil things, and if I gave techniques to determine some of these methodologies, I'd just be teaching people about exploits that they can then use themselves for nefarious reasons.
(But I would hook up one of the disks to a Linux box and enter strings /dev/sdb (or whatever device name one of the disks shows). If you see chunks of text that make sense, then chances are good they used a method that is easily recovered from. If you see nothing, or get error messages, then the error messages will provide a clue.)

Bottom line, your customer is going to be paying the big bucks to a data recovery company, and somebody needs to sell them a disaster recovery / backup plan.  I'd stay out of it personally, this is out of your realm.  You do NOT want the liability making things worse by trying something that could change state.
0
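David's check above, looking at the raw device for surviving readable text, as an added read-only triage script that is not part of this thread: it samples the start of a disk image or block device, tests for an intact NTFS boot sector, measures how many sectors are zero-filled, and extracts printable runs the way strings would. Device paths and the two sample images are constructed assumptions, not data from the poster's server.

```python
import string

SECTOR = 512
# Bytes that `strings` treats as text: printable ASCII minus control characters
TEXT_BYTES = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def is_ntfs_boot_sector(sector: bytes) -> bool:
    """NTFS volumes carry the OEM ID 'NTFS    ' at offset 3 and 0x55AA at offset 510."""
    return len(sector) >= SECTOR and sector[3:11] == b"NTFS    " and sector[510:512] == b"\x55\xaa"

def printable_runs(data: bytes, min_len: int = 8):
    """Yield runs of printable ASCII at least min_len long (what `strings` prints)."""
    run = bytearray()
    for b in data:
        if b in TEXT_BYTES:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")

def triage_bytes(data: bytes) -> dict:
    """Summarise a raw sample: boot sector intact? how much is zero-filled? any readable text?"""
    sectors = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
    zeroed = sum(1 for s in sectors if not any(s))
    found = list(printable_runs(data))
    return {
        "ntfs_boot_sector": is_ntfs_boot_sector(data[:SECTOR]),
        "zeroed_sector_ratio": zeroed / len(sectors) if sectors else 1.0,
        "readable_strings": len(found),
        "sample": found[:3],
    }

def triage_device(path: str, sample_bytes: int = 1 << 20) -> dict:
    """Read-only: open the device or image (e.g. /dev/sdb, an assumed path) and inspect its first sample_bytes."""
    with open(path, "rb") as f:
        return triage_bytes(f.read(sample_bytes))

def make_intact_sample() -> bytes:
    """Constructed stand-in for a volume whose boot sector and some file data survive."""
    boot = bytearray(SECTOR)
    boot[0:3], boot[3:11], boot[510:512] = b"\xeb\x52\x90", b"NTFS    ", b"\x55\xaa"
    body = b"Exchange mailbox database header, constructed sample text\x00" * 20
    return bytes(boot) + body.ljust(8 * SECTOR, b"\x00")

def make_wiped_sample() -> bytes:
    """Constructed stand-in for a drive that was zero-filled sector by sector."""
    return bytes(9 * SECTOR)
```

A high zeroed-sector ratio with no readable strings points to a block-level wipe, while an intact boot sector with surviving text suggests only metadata was removed and a recovery firm has something to work with; run it only against a read-only clone or write-blocked disk.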
 
LVL 47

Expert Comment

by:David
ID: 41741694
I would also advise them to get law enforcement involved and have company management think about any IT people that recently left the company under less than favorable conditions.

If this is a ransomware attack, then the good news is maybe the extortionist sent an email asking for a few thousand dollars and it is in a junk folder.
0
 

Author Comment

by:Richeyyy
ID: 41743388
That's the problem: they had a data recovery setup with local and remote backup, but the local was formatted/deleted and the remote was removed via the program, as it has a safety guard in it to do so.
All in all they have been royally f@&ked by someone who knew the system. The strange thing is they have had no acrimonious departures, and the way they got in is not by accident. Very, very odd.
0
 
LVL 47

Expert Comment

by:David
ID: 41743627
Only one backup?  Sad.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 41743651
Well, even if you format, if they didn't run a one-and-zero write to every sector, the data may be recoverable in house.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41743669
Backups should include OFFLINE copies that aren't more than a few days or a week old.  Having a "remote" backup that is an externally attached hard drive is not a "remote" backup.  It's still local.  Replication is NOT backup - it's Disaster Recovery.
0
 
LVL 47

Expert Comment

by:David
ID: 41744114
... and one needs both backup copies and archive copies. Archives imply offsite, long-term, disaster recovery copies for situations such as the customer experienced. They are also for fire, flood, tornadoes, and the situation your customer experienced.

Never have one copy, nothing is infallible.
0
 
LVL 47

Expert Comment

by:David
ID: 41763629
Correction: Cliff's post ID 41739994 suggested this first; he deserves the points.
0
 
LVL 47

Expert Comment

by:David
ID: 41769950
The author confirmed the problem was not hardware; it was due to a hacker, as suggested by this post.
0
