Unknown file on windows server 2016
ASKER
take a look in your %temp% folder and look for any applications
might be a good idea to look in your task scheduler and task manager
what is the created date/time of this folder and the unknown 1 file
It does look like suspicious activity... try running Malwarebytes and/or upload the file to virustotal.org
Any clues in Properties>Security about ownership or a CLSID that might help identify its origin?
Creation 12 months ago - does that fit with the SQL install?
I wonder if it's some sort of backup file that someone forgot to put a file extension on.
I know that in SSMS, if you export a database, you have to manually put a file extension on, else it will save it without one (just a quick passing thought).
I personally would copy it to another machine and try to view the first part of it from the command line or something; it's likely a binary file, but there could be some clues to help indicate what kind of format it is. I think it's more weird than malicious.
ASKER
https://learn.microsoft.com/en-us/sysinternals/downloads/handle
When you run handle you can see which process holds access to this file.
"what would I rename the file to after I back it up somewhere else "
I guess you could look at the header of the file for a file signature that might identify what it is
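The two suggestions above (view the first part of the file, and check the header for a file signature) can be done without reading a 64 GB file end to end. The following is an added example, not code from this thread: it reads only the leading bytes, checks them against a small constructed table of well-known magic numbers (including "TAPE", the Microsoft Tape Format header that SQL Server .bak backups start with), and otherwise reports whether the data looks like text, compressed/encrypted data, or plain unknown binary. The signature table and the sample headers are constructed for the example.

```python
import math

# Constructed table of well-known file signatures found at offset 0.
SIGNATURES = [
    (b"MZ", "Windows PE executable / DLL (MZ header)"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP archive (also docx/xlsx/jar)"),
    (b"%PDF-", "PDF document"),
    (b"SQLite format 3\x00", "SQLite database"),
    (b"TAPE", "Microsoft Tape Format (used by SQL Server .bak backups)"),
    (b"\x1f\x8b", "gzip compressed data"),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (b"Rar!\x1a\x07", "RAR archive"),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def identify_header(header: bytes) -> dict:
    """Classify a file from its leading bytes only."""
    match = next((name for magic, name in SIGNATURES if header.startswith(magic)), None)
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in header)
    ratio = printable / len(header) if header else 0.0
    entropy = shannon_entropy(header)
    if match:
        kind = match
    elif ratio > 0.95:
        kind = "text (no known signature)"
    elif entropy > 7.5:
        kind = "compressed or encrypted data (high entropy, unknown signature)"
    else:
        kind = "unknown binary"
    return {"kind": kind, "printable_ratio": round(ratio, 3), "entropy": round(entropy, 2)}

def identify_file(path: str, nbytes: int = 4096) -> dict:
    """Read only the first nbytes of the file on disk; fast even for a 64 GB file."""
    with open(path, "rb") as fh:
        return identify_header(fh.read(nbytes))

if __name__ == "__main__":
    # Constructed sample headers standing in for the unknown file "1".
    for sample in (b"TAPE" + bytes(100), b"MZ\x90\x00" + bytes(60), b"SELECT 1;\r\n" * 10):
        print(identify_header(sample))
```

Run it as `python identify.py` on a copy of the file (pass the path to `identify_file`) rather than on the live server, and treat "unknown binary" as a prompt for a fuller tool such as TrID, not as a verdict.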
I used to use TrID to do this on much smaller recovered files to work out what file extension the recovered file should have. AFAIK TrID won't return a result until it has read the whole file (even though it only looks at the first few bytes of each file) so it might take a while! It's also not licenced for commercial use so you might want to copy the file and take it offline for your own personal interest!
https://www.mark0.net/soft-trid-e.html
Download the Win32 build and the database file, place both in the same folder together with the file you want to ID, and use a command prompt.
The syntax is simply:
trid filename
ASKER
I have made a copy on another machine of the file to do these tests.
You could try renaming it as .MDF
As you're really just checking its identity, take the file offline and use a commercial MDF viewer just to check it is an SQL DB.
https://www.systoolsgroup.com/mdf-viewer.html
is one of many "free" examples of such tools. Although it will want a registration fee if you want to use it to do more than look at the database, you can use it for free to confirm that it recognises the MDF structure. If you need more detail there are a whole bunch of SQL Experts on the site here who can help with that (I am certainly not one of them :))
(The tool uninstalls cleanly except for two folders at C:\Program Files\SysTools SQL MDF Viewer which need manually deleting afterwards.)
The file has not been modified since it was created.
2021.
Check whether it is active
What should I rename it to see if that is the case?
If it is a SQL backup file, you don't need to rename it to test.
You can use SSMS to import it into a blank database.
If it works, then you know it was a SQL backup that someone created without a file extension.
You do not have the restore ...
64GB for a single file. Is this your SQL database file or a backup? Maybe someone typed '1' for the initial file name somewhere.
As I said earlier, someone could have exported the SQL database without a file extension, as it doesn't add one automatically.
Do you have backups?
Who are you? Are you a bank? research department? Someplace someone has a good reason to hack? If so, you should start reviewing your access logs.
If not, I would start by trying to rename it (if it's in use you can't). Then I would reboot. If you reboot and it's still in use, I'd start inspecting services and make sure there are no unexplained services.
It's an odd file to have. I'd back it up to a USB drive and start trying to get its contents to see if I could figure out what it is. Being in a folder called "software" with a 1 as a file name is not very descriptive.