Solved

SBS 2011 MAJOR issue with Hard Disks

Posted on 2016-08-02
43 Views
Last Modified: 2016-08-25
At 2 o'clock this afternoon a client rang to say they could no longer access Exchange or their shared data.
Logging into the machine, EVERY drive on the server except the main disk was empty. Not just not showing up, but there, labelled correctly and showing the correct TOTAL space, but not a single piece of info on them.
C: - Windows - standalone SSD - running fine
D: - Exchange - external DAS running off a SIL3121 SATA RAID - empty
E: - WSUS - empty - as above
F: - Archive - empty - as above
G: - StorageCraft backup - internal Intel RAID - empty
F: - DATA - secondary external DAS, totally separate from the 1st one (2 separate boxes)

One could look at the SIL RAID card, but the fact that a totally separate Intel internal RAID has done the same and the disks are showing up says to me it is not that.

I cannot find a single reason in the event log for anything to have happened. No Windows updates or driver updates have been run.
The only suspicious thing was that someone had logged on locally to the machine yesterday (it is not used and sits in a cupboard) as a generic user, and there was a Russian Google Chrome installed. On the desktop was a program folder called Clearlogs.V1 with an exe file under Clearlogs. This seemed to have been downloaded 2 years ago, but the folder it sits in shows it was edited at the same time everything seems to have stopped today.

Does anyone have any ideas at all, because I am totally lost, and with no backups available the company of 30 users is screwed!
0
Question by:Richeyyy
12 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 41739376
At this point I'd shut down the server and send the hard drives to data recovery.  Could you possibly find something yourself?  Sure... but you could also easily destroy any possibility they may still have to get their data back.

I would then work with them on a plan to setup REAL backups that include OFF-SITE and rotating media.
1
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41739994
Russian Google Chrome, eh?  I think you know what happened, but if you want validation, yeah, you got compromised and someone either intentionally or inadvertently wiped the data.  

No backups?  Ouch.  Depending on who did the damage, you *might* be able to recover data from the drives (after all the labels and partitions sound intact) but in all likelihood, with the way modern malware and crypto attacks work, I'm betting...gone.

No backups, no options really. Hard lesson for them to learn.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 41740024
Chrome or Chromium?
0
 
LVL 47

Accepted Solution

by:dlethe (earned 500 total points, awarded by participants)
ID: 41741690
I would create a sandbox virtual machine, copy that clearlogs program to it, and run it.  If it blows things away, you have verification.  

As for data being lost, one could tell with the right software if the disk was programmatically locked; reformatted at block level; partitioning changed or destroyed; sanitized; subjected to a denial of service attack in one of many ways; resized programmatically to tiny capacity ...

So many ways to do evil things, and if I gave techniques to determine some of these methodologies, I'd just be teaching people about exploits that they can then use themselves for nefarious reasons.
(But I would hook up one of the disks to a Linux box and run strings /dev/sdb (or whatever device name one of the disks shows). If you see chunks of text that make sense, then chances are good they used a method that is easily recovered from. If you see nothing, or get error messages, then the error messages will provide a clue.)

Bottom line, your customer is going to be paying the big bucks to a data recovery company, and somebody needs to sell them a disaster recovery / backup plan. I'd stay out of it personally; this is out of your realm. You do NOT want the liability of making things worse by trying something that could change state.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 41741694
I would also advise them to get law enforcement involved and have company management think about any IT people that recently left the company under less than favorable conditions.

If this is a ransomware attack, then the good news is maybe the extortionist sent an email asking for a few thousand dollars and it is in a junk folder.
0
 

Author Comment

by:Richeyyy
ID: 41743388
That's the problem: they had a data recovery setup with local and remote backup, but the local was formatted/deleted and the remote was removed via the program, as it has a safety guard in it to do so.
All in all, they have been royally f@&ked by someone who knew the system. The strange thing is they have had no acrimonious departures, and the way they got in is not by accident. Very, very odd.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 41743627
Only one backup?  Sad.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 41743651
Well, even if you format, if they didn't run a one-and-zero write to every sector, the data may be recoverable in house.
0
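The two posts above both come down to one question a defender wants answered before any money goes to a recovery firm: was the data actually overwritten, or only hidden by a quick format or a destroyed partition table? The script below is an added example written for this thread, not code posted by dlethe, pgm554 or anyone else here. It does the strings check dlethe describes and the "were the sectors zero-written?" check pgm554 raises, as strictly read-only operations against a dd image of the suspect disk (or a read-only device node; the device name /dev/sdb is only the thread's placeholder). The sample images it builds, their file names and the text in them are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only triage of a suspect disk image.
# Every function only reads from $img; point it at a dd image or a read-only
# device node, never at a disk still in service. All file names and sample
# data below are constructed for the demonstration.

# partition_signature IMG: "gpt" if the "EFI PART" header sits at LBA 1,
# "mbr" if the 0x55AA boot signature sits at byte 510, else "none"
# (what a wiped or never-initialised disk looks like).
partition_signature() {
    img=$1
    sig=$(dd if="$img" bs=1 skip=510 count=2 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    hdr=$(dd if="$img" bs=1 skip=512 count=8 2>/dev/null | tr -d '\000')
    if [ "$hdr" = "EFI PART" ]; then echo gpt
    elif [ "$sig" = "55aa" ]; then echo mbr
    else echo none
    fi
}

# zero_block_ratio IMG [NBLOCKS] [STARTBLOCK]: percentage of the sampled 4 KiB
# blocks that are entirely zero. A quick format leaves old file data in place
# (low percentage); a full overwrite with zeros, the case pgm554 mentions,
# shows close to 100%. Only NBLOCKS blocks are read, so a real disk is
# sampled rather than scanned end to end.
zero_block_ratio() {
    img=$1; nblocks=${2:-256}; start=${3:-0}
    if [ -b "$img" ]; then
        total=$nblocks
    else
        size=$(wc -c < "$img" | tr -d ' ')
        total=$(( (size + 4095) / 4096 - start ))
        if [ "$total" -gt "$nblocks" ]; then total=$nblocks; fi
    fi
    if [ "$total" -le 0 ]; then echo 0; return 0; fi
    zero=0; i=0
    while [ "$i" -lt "$total" ]; do
        nonzero=$(dd if="$img" bs=4096 skip=$((start + i)) count=1 2>/dev/null \
                  | tr -d '\000' | wc -c | tr -d ' ')
        if [ "$nonzero" -eq 0 ]; then zero=$((zero + 1)); fi
        i=$((i + 1))
    done
    echo $(( zero * 100 / total ))
}

# visible_strings IMG [MINLEN] [MAX]: the "strings /dev/sdb" check from the
# thread, done with tr/grep so it needs no binutils. Prints up to MAX runs of
# at least MINLEN printable ASCII characters.
visible_strings() {
    img=$1; minlen=${2:-8}; max=${3:-20}
    tr -c '[:print:]' '\n' < "$img" | grep -aE "^.{$minlen,}\$" | head -n "$max"
}

# string_count IMG: how many such runs exist at all (0 on a zero-filled disk).
string_count() {
    visible_strings "$1" 8 1000000 | wc -l | tr -d ' '
}

# triage IMG: one-screen report combining the three checks.
triage() {
    img=$1
    printf 'image:               %s\n' "$img"
    printf 'partition signature: %s\n' "$(partition_signature "$img")"
    printf 'zero 4K blocks:      %s%%\n' "$(zero_block_ratio "$img")"
    printf 'readable strings:    %s\n' "$(string_count "$img")"
    visible_strings "$img" 8 3 | sed 's/^/  sample: /'
}

# make_sample_images DIR: two constructed 4 KiB images for a stand-alone run.
# intact.img carries an MBR signature and 64 lines of text (what a quick
# format leaves behind); wiped.img is the same size but all zero bytes.
make_sample_images() {
    dir=$1
    intact=$dir/intact.img; wiped=$dir/wiped.img
    dd if=/dev/zero of="$intact" bs=512 count=1 2>/dev/null
    printf '\125\252' | dd of="$intact" bs=1 seek=510 conv=notrunc 2>/dev/null
    i=0
    while [ "$i" -lt 64 ]; do
        printf 'Invoice %04d for Example Corp - constructed sample text\n' "$i" >> "$intact"
        i=$((i + 1))
    done
    dd if=/dev/zero of="$wiped" bs=512 count=8 2>/dev/null
}

# Usage: sh triage.sh /path/to/disk.img ...   or no arguments for the demo.
if [ "$#" -gt 0 ]; then
    for img in "$@"; do triage "$img"; echo; done
else
    demo=${TMPDIR:-/tmp}/triage_demo_$$
    mkdir -p "$demo" && make_sample_images "$demo"
    triage "$demo/intact.img"; echo; triage "$demo/wiped.img"
    rm -rf "$demo"
fi
```

Run with no arguments and the intact image reports an MBR signature, 0% zero blocks and 64 readable strings, while the wiped one reports none, 100% and 0; on a real image the interesting case is the middle ground, where the partition signature is gone but the strings and non-zero blocks are still there, which is exactly the "easily recovered from" situation the accepted answer describes. The script never writes to the target, and because it samples a fixed number of blocks it will not spend hours reading a multi-terabyte disk; pass a third argument to zero_block_ratio to sample a region further in.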
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 41743669
Backups should include OFFLINE copies that aren't more than a few days or a week old.  Having a "remote" backup that is an externally attached hard drive is not a "remote" backup.  It's still local.  Replication is NOT backup - it's Disaster Recovery.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 41744114
... and one needs both backup copies and archive copies. Archives imply offsite, long-term, disaster recovery copies for situations such as the customer experienced. They are also for fire, flood, tornadoes, and the situation your customer experienced.

Never have one copy, nothing is infallible.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 41763629
Correction: Cliff's post ID: 41739994 suggested this first; he deserves the points.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 41769950
Author confirmed the problem was not hardware; it was due to a hacker, as suggested by this post.
0
