Security Incidents mailing list archives
RE: 1,800 files missing from system32
From: Joe Blatz <sd_wireless () yahoo com>
Date: Fri, 15 Oct 2004 07:08:26 -0700 (PDT)
A couple of people have pointed out that this could be a malicious insider. Based on the information I provided I think that is a highly valid response. What I failed to mention is that these sites are very isolated from each other and do not share any common administrators. The security model in place is based mostly on the NSA Windows 2000 guides and far exceeds the OOB security configuration of W2k. AV software is set to quarantine infected software. I had one person respond back that he had seen similiar behavior (with only 35 files deleted) caused by Veritas Backup Exec. I'm hoping to get more details. Thanks to everyone who has replied thus far, and any other suggestions on how to track down what is causing this would be most welcome. --- MMoll <MMoll () finance nyc gov> wrote:
There are 2 things that come to mind as check point items..... a. Evaluate the distribution of admin ID's in the production environment. Best practice is a seperate human ID for every day use from admin ID's used for admin work. Point of this is that apparently, the benifet of system ACL's are not being realized, and could be a factor in the high amount of infected files. In a secure production environment, it is difficult for a domain controller to have file damage due to intursionary processes. evaluate the security model being used, legacy, enterprise, high security, or none.....see microsofts site reference to security guides and templates. b. Check the settings on the virus software. setting the action to deny access and continue scanning, is more desireable than to delete files upon dection of intrusionary processes. My belief is that someone using an admin enabled human ID, is the root cause.
_______________________________ Do you Yahoo!? Declare Yourself - Register online to vote today! http://vote.yahoo.com
Current thread:
- 1,800 files missing from system32 Joe Blatz (Oct 14)
- Re: 1,800 files missing from system32 Harlan Carvey (Oct 14)
- Re: 1,800 files missing from system32 Joe Blatz (Oct 15)
- Re: 1,800 files missing from system32 Harlan Carvey (Oct 15)
- Re: 1,800 files missing from system32 Joe Blatz (Oct 15)
- <Possible follow-ups>
- RE: 1,800 files missing from system32 Scott Fuhriman (Oct 15)
- RE: 1,800 files missing from system32 Joe Blatz (Oct 15)
- Re: 1,800 files missing from system32 Harlan Carvey (Oct 14)