Solved

SBS 2011 MAJOR issue with Hard Disks

Posted on 2016-08-02
67 Views
Last Modified: 2016-08-25
At 2 o'clock this afternoon a client rang to say they could no longer access Exchange or their shared data.
Logging into the machine, EVERY drive on the server (NOT the main disk) was empty. Not just not showing up, but there, labelled correctly and showing the correct TOTAL space, but not a single piece of info on them.
C: - Windows - Standalone SSD - Running fine
D: - Exchange - External DAS running off a SIL3121 SATA RAID - Empty
E: - WSUS - Empty - As above
F: - Archive - Empty - As above
G: - StorageCraft Backup - Internal Intel RAID - Empty
F: - DATA - Secondary external DAS, totally separate from the 1st one (2 separate boxes)

One could look at the SIL RAID card, but the fact that a totally separate Intel internal RAID has done the same and the disks are showing up says to me it is not that.

I cannot find a single reason in the event log for anything to have happened. No Windows updates or driver updates have been run.
The only suspicious thing was that someone had logged on locally to the machine yesterday (it is not used and sits in a cupboard) as a generic user, and there was a Russian Google Chrome installed. On the desktop was a program folder called Clearlogs.V1 with an exe file under Clearlogs. This seemed to have been downloaded 2 years ago, but the folder it sits in shows it was edited at the same time everything seems to have stopped today.

Does anyone have any ideas at all, because I am totally lost, and with no backups available the company of 30 users is screwed!
0
Question by:Richeyyy
12 Comments
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41739376
At this point I'd shut down the server and send the hard drives to data recovery. Could you possibly find something yourself? Sure... but you could also easily destroy any possibility they may still have to get their data back.

I would then work with them on a plan to set up REAL backups that include OFF-SITE and rotating media.
1
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41739994
Russian Google Chrome, eh? I think you know what happened, but if you want validation: yeah, you got compromised, and someone either intentionally or inadvertently wiped the data.

No backups? Ouch. Depending on who did the damage, you *might* be able to recover data from the drives (after all, the labels and partitions sound intact), but in all likelihood, with the way modern malware and crypto attacks work, I'm betting... gone.

No backups, no options really. Hard lesson for them to learn.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 41740024
Chrome or Chromium?
0
 
LVL 47

Accepted Solution

by:
David earned 2000 total points (awarded by participants)
ID: 41741690
I would create a sandbox virtual machine, copy that Clearlogs program to it, and run it. If it blows things away, you have verification.

As for data being lost, one could tell with the right software if the disk was programmatically locked; reformatted at block level; partitioning changed or destroyed; sanitized; subjected to a denial of service attack in one of many ways; resized programmatically to tiny capacity...

So many ways to do evil things, and if I gave techniques to determine some of these methodologies, I'd just be teaching people about exploits that they can then use themselves for nefarious reasons.
(But I would hook up one of the disks to a Linux box and enter `strings /dev/sdb` (or whatever device name one of the disks shows). If you see chunks of text that make sense, then chances are good they used a method easily recovered from. If you see nothing, or get error messages, then the error messages will provide a clue.)

Bottom line, your customer is going to be paying the big bucks to a data recovery company, and somebody needs to sell them a disaster recovery / backup plan. I'd stay out of it personally; this is out of your realm. You do NOT want the liability of making things worse by trying something that could change state.
0
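A small read-only triage script in the spirit of the `strings` check above, added here as an illustration and not part of the thread: it reads the first sectors of a disk image (or a device such as `/dev/sdb`), looks for an MBR, NTFS or FAT signature and for runs of readable text, and reports which of the scenarios in the answer the evidence resembles. The device path and the sample images it builds are assumptions, and it should only ever be run against a forensic image or a write-blocked disk.

```python
"""Read-only disk triage: does a device or image still carry a filesystem header?"""
import re

SECTOR = 512

def inspect_image(data: bytes) -> dict:
    """Triage the first bytes of a disk/partition; never writes anything."""
    boot = data[:SECTOR]
    summary = {
        # 0x55AA at the end of sector 0 marks a boot sector / MBR
        "mbr_signature": boot[510:512] == b"\x55\xaa",
        # NTFS OEM ID lives at offset 3; FAT12/16 and FAT32 type strings at 54 / 82
        "ntfs_oem": boot[3:11] == b"NTFS    ",
        "fat_oem": boot[54:62].startswith(b"FAT") or boot[82:90].startswith(b"FAT32"),
        "zero_fraction": data.count(0) / max(len(data), 1),
        # runs of 8+ printable ASCII bytes, the same thing `strings` reports
        "printable_runs": len(re.findall(rb"[\x20-\x7e]{8,}", data)),
    }
    if summary["ntfs_oem"] or summary["fat_oem"]:
        summary["verdict"] = "filesystem header intact; likely logical damage, image before touching"
    elif summary["zero_fraction"] > 0.98:
        summary["verdict"] = "region zero-filled; header wiped, structures may survive elsewhere"
    elif summary["printable_runs"] > 0:
        summary["verdict"] = "no known header but readable data present; carve from a forensic image"
    else:
        summary["verdict"] = "no header and no readable text; treat as overwritten or encrypted"
    return summary

def inspect_device(path: str, nbytes: int = 1024 * 1024) -> dict:
    """Open a device or image read-only (assumed path, e.g. /dev/sdb) and triage it."""
    with open(path, "rb") as fh:
        return inspect_image(fh.read(nbytes))

def make_ntfs_like_sector() -> bytes:
    """Constructed sample: a minimal NTFS-style boot sector, not a real volume."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x52\x90"      # jump instruction found on NTFS boot sectors
    boot[3:11] = b"NTFS    "
    boot[510:512] = b"\x55\xaa"
    return bytes(boot)

if __name__ == "__main__":
    # Constructed images standing in for an intact, a wiped and an overwritten drive.
    samples = {
        "intact": make_ntfs_like_sector(),
        "zeroed": b"\x00" * 4096,
        "text-only": b"\x00" * SECTOR + b"Quarterly report for accounts " * 40,
        "opaque": b"\x80" * 4096,
    }
    for name, image in samples.items():
        print(f"{name:10} -> {inspect_image(image)['verdict']}")
```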
 
LVL 47

Expert Comment

by:David
ID: 41741694
I would also advise them to get law enforcement involved and have company management think about any IT people that recently left the company under less than favorable conditions.

If this is a ransomware attack, then the good news is maybe the extortionist sent an email asking for a few thousand dollars and it is in a junk folder.
0
 

Author Comment

by:Richeyyy
ID: 41743388
That's the problem: they had a data recovery setup with local and remote backup, but the local was formatted/deleted and the remote was removed via the program, as it has a safety guard in it to do so.
All in all they have been royally f@&ked by someone who knew the system. Strange thing is they have had no acrimonious departures, and the way they got in is not by accident. Very very odd.
0
 
LVL 47

Expert Comment

by:David
ID: 41743627
Only one backup?  Sad.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 41743651
Well, even if you format, if they didn't run a one-and-zero write to every sector, the data may be recoverable in house.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41743669
Backups should include OFFLINE copies that aren't more than a few days or a week old. Having a "remote" backup that is an externally attached hard drive is not a "remote" backup. It's still local. Replication is NOT backup; it's Disaster Recovery.
0
 
LVL 47

Expert Comment

by:David
ID: 41744114
... and one needs both backup copies and archive copies. Archives imply offsite, long-term, disaster recovery copies for situations such as the customer experienced. They are also for fire, flood, tornadoes, and the situation your customer experienced.

Never have one copy; nothing is infallible.
0
 
LVL 47

Expert Comment

by:David
ID: 41763629
Correction: Cliff's post ID: 41739994 suggested this first; he deserves the points.
0
 
LVL 47

Expert Comment

by:David
ID: 41769950
Author confirmed the problem was not hardware; it was due to a hacker, as suggested by this post.
0
