mkramer777 asked:
Unknown file on windows server 2016

I have a Windows 2016 Server (Standard) that I use for the accounting system's SQL Server database. I was looking at a folder on the C drive that is labeled "software". Inside the folder is a file named "1". I have no idea what this file is, but it is 64 GB. See screenshots.


Lee W, MVP

Do you have backups?


Who are you? Are you a bank? A research department? Someplace someone has a good reason to hack? If so, you should start reviewing your access logs.


If not, I would start by trying to rename it (if it's in use you can't).  Then I would reboot.  If you reboot and it's still in use, I'd start inspecting services and make sure there are no unexplained services.  


It's an odd file to have. I'd back it up to a USB drive and start trying to get at its contents to see if I could figure out what it is. Being in a folder called "software" with a 1 as a file name is not very descriptive.

mkramer777 (ASKER)

We are a road construction company. This is the accounting software server's SQL database.

Take a look in your %temp% folder and look for any applications.

It might be a good idea to look in your Task Scheduler and Task Manager.

What is the created date/time of this folder and the unknown "1" file?


It does look like suspicious activity. Try running Malwarebytes and/or upload the file to virustotal.org.


☠ MASQ ☠

Any clues in Properties>Security about ownership or a CLSID that might help identify its origin?

Creation 12 months ago - does that fit with the SQL install?

I wonder if it's some sort of backup file that someone forgot to put a file extension on.

I know that in SSMS, if you export a database, you have to manually add a file extension or else it will save it without one (just a quick passing thought).


I personally would copy it to another machine and try to view the first part of it from the command line or something; it's likely a binary file, but there could be some clues to help indicate what kind of format it is. I think it's more weird than malicious.

If it was related to the SQL install or something like that, what would I rename the file to after I back it up somewhere else?

Get the Handle utility from Microsoft Sysinternals:
https://learn.microsoft.com/en-us/sysinternals/downloads/handle

When you run handle you can see which process holds access to this file.

"what would I rename the file to after I back it up somewhere else "


I guess you could look at the header of the file for a file signature that might identify what it is.

I used to use TrID to do this on much smaller recovered files to work out what file extension the recovered file should have.  AFAIK TrID won't return a result until it has read the whole file (even though it only looks at the first few bytes of each file) so it might take a while!  It's also not licenced for commercial use so you might want to copy the file and take it offline for your own personal interest!

https://www.mark0.net/soft-trid-e.html
Download the Win32 build and the database file, place both in the same folder together with the file you want to ID, and use a command prompt.

syntax is simply:
trid filename
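Pulling the header-signature check and the "is it in use" question above into one read-only script (an added example, not code from the thread; the path C:\software\1 and the 16-byte header length are assumptions):

```powershell
# Added example (not from the thread): read-only clues about a large unknown
# file. Reads only the leading bytes, so a 64 GB file is not pulled into memory.
function Get-UnknownFileClues {
    param([Parameter(Mandatory)][string]$Path, [int]$HeaderBytes = 16)

    $item = Get-Item -LiteralPath $Path
    $hex = ''; $locked = $false
    try {
        # Share ReadWrite so an owning process is not disturbed; SQL Server opens
        # its data files with no sharing at all, so a failure here means "in use".
        $fs = [System.IO.File]::Open($item.FullName, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] $HeaderBytes
            $n = $fs.Read($buf, 0, $HeaderBytes)
        } finally { $fs.Dispose() }
        if ($n -gt 0) { $hex = ($buf[0..($n - 1)] | ForEach-Object { $_.ToString('X2') }) -join ' ' }
    } catch [System.IO.IOException] { $locked = $true }

    # Well-known leading byte signatures, matched as a hex-string prefix.
    $magic = [ordered]@{
        '54 41 50 45'             = 'SQL Server native backup (MTF "TAPE", usually .bak)'
        '4D 5A'                   = 'Windows executable or DLL (MZ)'
        '50 4B 03 04'             = 'ZIP container (also .docx/.xlsx)'
        '52 61 72 21'             = 'RAR archive'
        '4D 53 43 46'             = 'Microsoft cabinet (.cab)'
        '37 7A BC AF 27 1C'       = '7-Zip archive'
        '1F 8B'                   = 'gzip stream'
        '53 51 4C 69 74 65 20 66' = 'SQLite database'
    }
    $guess = 'no well-known signature'
    if ($locked) { $guess = 'header unreadable: file is open exclusively by another process' }
    foreach ($k in $magic.Keys) { if ($hex.StartsWith($k)) { $guess = $magic[$k]; break } }

    [pscustomobject]@{
        Path         = $item.FullName
        SizeGB       = [math]::Round($item.Length / 1GB, 2)
        # SQL Server data files are built from 8 KB pages; a non-multiple rules MDF out.
        WholePages8K = ($item.Length % 8192 -eq 0)
        Created      = $item.CreationTime
        LastWrite    = $item.LastWriteTime
        Owner        = (Get-Acl -LiteralPath $item.FullName).Owner
        InUse        = $locked
        HeaderHex    = $hex
        Guess        = $guess
    }
}

# Path assumed from the question; run from an elevated prompt on the server.
Get-UnknownFileClues -Path 'C:\software\1' | Format-List
```

If InUse comes back true, Sysinternals handle.exe (linked above) names the owning process; a file that is locked and a whole number of 8 KB pages is consistent with a live SQL Server data file, which should not be renamed or copied while the service is running.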

ASKER CERTIFIED SOLUTION
serialband
I think it might be a SQL database file now that I think about it.  What should I rename it to see if that is the case?
I have made a copy on another machine of the file to do these tests.


You could try renaming it as .MDF

As you're really just checking its identity, take the file offline and use a commercial MDF viewer just to check that it is a SQL DB.

https://www.systoolsgroup.com/mdf-viewer.html

This is one of many "free" examples of such tools. Although it will want a registration fee if you want to use it to do more than look at the database, you can use it for free to confirm that it recognises the MDF structure. If you need more detail, there are a whole bunch of SQL experts on the site here who can help with that (I am certainly not one of them :))


(The tool uninstalls cleanly except for two folders at C:\Program Files\SysTools SQL MDF Viewer which need manually deleting afterwards.)

This is a file from 2021.

The file has not been modified since it was created in 2021.

Check whether it is active

What should I rename it to see if that is the case?


If it is a SQL backup file, you don't need to rename it to test.

You can use SSMS to import it into a blank database.

If it works, then you know it was a SQL backup that someone created without a file extension.
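The same "let SQL Server tell you what it is" test, done without restoring anything (an added example, not from the thread; the instance name localhost is an assumption, the path C:\software\1 comes from the question, and the SQL Server service account must be able to read the file):

```powershell
# Added example (not from the thread): ask SQL Server to read the file as a
# backup set without restoring anything. Instance name is an assumption.
Import-Module SqlServer
$instance = 'localhost'      # assumed: the accounting server's default instance
$file     = 'C:\software\1'  # path from the question; the SQL Server service
                             # account needs read access to it

try {
    # HEADERONLY parses only the backup header; it fails fast if the file is
    # not a SQL Server backup set, which is itself the answer.
    $hdr = Invoke-Sqlcmd -ServerInstance $instance -ErrorAction Stop `
           -Query "RESTORE HEADERONLY FROM DISK = N'$file'"
    # BackupType: 1 = full database, 2 = transaction log, 5 = differential.
    $hdr | Select-Object DatabaseName, BackupType, BackupStartDate, ServerName, BackupSize | Format-List

    # Logical/physical names inside the set, needed for WITH MOVE if you later
    # restore it under a scratch database name instead of over production.
    Invoke-Sqlcmd -ServerInstance $instance -ErrorAction Stop `
        -Query "RESTORE FILELISTONLY FROM DISK = N'$file'" |
        Select-Object LogicalName, PhysicalName, Type, Size | Format-Table -AutoSize
} catch {
    Write-Warning "SQL Server does not recognise '$file' as a backup set: $($_.Exception.Message)"
}
```

Recent versions of the SqlServer module default to encrypted connections, so a local instance without a trusted certificate may additionally need -TrustServerCertificate on each Invoke-Sqlcmd call.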

If one suspects it is a SQL backup file, you could try using SSMS to load the file and see what is in it.

You do not have the restore ...

64 GB for a single file. Is this your SQL database file or a backup? Maybe someone typed '1' for the initial file name somewhere.


As I said earlier, someone could have exported the SQL database without a file extension, as it doesn't add one automatically.