Security Incidents mailing list archives
Re: 1,800 files missing from system32
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 14 Oct 2004 08:32:53 -0700 (PDT)
Joe,
> This is about the tenth time this has happened to a customer of ours. It's happened at multiple sites and servers. It's ONLY happening on W2k servers (DCs and non-DCs). They are running up to date Symantec AV signatures.

Is real-time file protection enabled? Is the AV process itself running? There are several worms that attempt to disable AV and firewall products once they get on a system, so simply having AV signatures up-to-date may not be good enough.

> We've had problems getting to the systems to perform any meaningful analysis before they get rebuilt.

That's definitely an issue. You're going to have to inform your customer (or have your boss do so) that rebuilding the system prior to performing an investigation/root cause analysis is going to leave them in a very bad position. If you don't know what caused the problem, how do you then protect your systems once you've rebuilt them?

> I was able to review the event logs on one system and while I found no smoking gun I did find a few things that I found odd.

That's not surprising, really. I think you did find some interesting things, but those things are logged to the Event Log automatically on a default installation of the system. Out of the box, the system needs some configuration work before it can really provide additional, meaningful information via the Event Log.

> 1. At precisely 9:00:00 AM Windows File Protection kicked in when 35 files in "common files\microsoft shared", "common files\system\ado", and "common files\system\msadc", as well as these three: trialoc.dll, wb32.exe and wordpad.exe were restored by WFP.

Besides the specific filenames you listed, what were the types of files deleted from the other directories? Were they also executable (.exe, .dll) files?

> 2. Event ID 1202 SceCli Security policies are propagated with warning. 0x2: The system cannot find the file specified, is being logged. This could be caused by an irresoluble account name but we were not able to troubleshoot before the system was restored.

I don't know what "irresoluble" means, but I was able to find this on EventID: http://www.eventid.net/display.asp?eventid=1202&eventno=348&source=SceCli&phase=1

> Something that must be disclosed is that these systems are only patched through MS04-004.

Good to keep in mind, but so far, there's no real information to determine whether or not that has anything to do with the issue.

> We know that's a huge problem but the configuration management these systems are under has not yet approved more current patches. If this is caused by malware I'll put my money on missing MS04-011 as being the key factor in all of this.

That could be...but what makes you say that? Are you just guessing? Consider this for a moment...think about how accessible the systems are. You said that some of these systems are DCs...therefore, they should not be accessible via the Internet, particularly the ports required for the LSASS exploit to work (from the Technical Details of MS04-011, UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593 should be blocked). Given this...and I'm not asking you to reveal your customer's information...but simply think about the patch you've mentioned. Also, this does not only apply to the LSASS portion of the patch, but the others, as well.

> An MS support rep says he thinks it's a virus, but I'm not familiar with any that ONLY target W2k server, and he can't tell us which one he thinks it is.

Of course not. You haven't given him enough solid information to work with. In order to do that, you'd (a) have to have the right tools to collect information (which is really pretty trivial), and (b) have access to a live system prior to it being rebuilt. Have you tried running a virus scanner yourself?

> Has anyone seen malware, or anything else, only affect W2k servers and cause massive file deletions in system32?

I really think that this is an incorrect/wrong/dangerous viewpoint to take. Simply b/c you're only seeing this on Windows 2000 systems does not mean that the issue is specific only to Windows 2000. By making this base assumption, your entire approach to the issue may ultimately lead you to look in the wrong places. Basically, without more information, you're going to end up with what you've already got...pure speculation. I really do hope that you find someone who had this same issue and was able to determine what it was. In the absence of that, though...speculation really doesn't do a great deal to resolve an issue such as this.

=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/
"Meddle not in the affairs of dragons, for you are crunchy, and good with ketchup."
"The simplicity of this game amuses me. Bring me your finest meats and cheeses."
------------------------------------------
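An added example, not part of the thread, of the triage Harlan asks for: a Python script that parses a constructed Event Viewer CSV export, groups Windows File Protection restore events by timestamp to find the 9:00:00 burst, and tallies the file types and directories involved. The column layout, the WFP event ID 64002 and the message wording are assumptions.

```python
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample of an Event Viewer CSV export (assumed columns:
# Type,Date,Time,Source,Category,Event,User,Computer,Description).
# Event ID 64002 and the message wording are assumptions, not from the thread.
SAMPLE_EXPORT = r'''Information,10/13/2004,9:00:00 AM,Windows File Protection,None,64002,N/A,SRV01,"File replacement was attempted on the protected system file c:\winnt\system32\wordpad.exe. This file was restored to the original version to maintain system stability."
Information,10/13/2004,9:00:00 AM,Windows File Protection,None,64002,N/A,SRV01,"File replacement was attempted on the protected system file c:\program files\common files\system\ado\sample_ado.dll. This file was restored to the original version to maintain system stability."
Information,10/13/2004,9:00:00 AM,Windows File Protection,None,64002,N/A,SRV01,"File replacement was attempted on the protected system file c:\winnt\system32\wb32.exe. This file was restored to the original version to maintain system stability."
Warning,10/13/2004,9:05:12 AM,SceCli,None,1202,N/A,SRV01,"Security policies are propagated with warning. 0x2 : The system cannot find the file specified."
Information,10/13/2004,11:41:03 AM,Windows File Protection,None,64002,N/A,SRV01,"File replacement was attempted on the protected system file c:\winnt\system32\notepad.exe. This file was restored to the original version to maintain system stability."
'''
PATH_RE = re.compile(r"protected system file (?P<path>[A-Za-z]:\\.*?)\.\s", re.I)

def parse_export(text):
    """One dict per event: when, source, event_id, and the restored path (WFP only)."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 9:
            continue  # blank or truncated line
        when = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%Y %I:%M:%S %p")
        m = PATH_RE.search(row[8])
        events.append({"when": when, "source": row[3], "event_id": int(row[5]),
                       "path": m.group("path") if m else None})
    return events

def wfp_bursts(events):
    """Group WFP restores by timestamp; many restores in one second suggest a mass deletion, not an admin."""
    by_time = defaultdict(list)
    for e in events:
        if e["source"] == "Windows File Protection" and e["path"]:
            by_time[e["when"]].append(e["path"])
    return sorted(by_time.items(), key=lambda kv: len(kv[1]), reverse=True)

def triage(text):
    """Largest burst as (timestamp, file count, extension counts, directory counts)."""
    bursts = wfp_bursts(parse_export(text))
    if not bursts:
        return None
    when, paths = bursts[0]
    exts = Counter(PureWindowsPath(p).suffix.lower() for p in paths)
    dirs = Counter(str(PureWindowsPath(p).parent).lower() for p in paths)
    return when, len(paths), exts, dirs
```

Run against a real export, the extension and directory tallies answer the "were they also .exe/.dll files" question directly, and a burst with dozens of restores in a single second is the point in the timeline to correlate with other logs.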