
We have a Windows 2003 development server (IIS and SQL Server) with remote desktop access and some employees have admin rights.

A couple of weeks ago, a lot of important files (dlls, exes, msc and other stuff) disappeared from the system32 directory. The server is barely running (lots of errors!!!) and we are currently setting up another one.

I assume that someone did it since I did a virus scan with Trend Micro and everything looks fine.

How can I find who or what did this to our server?

Jason
  • Assuming it was done internally, instead of going on a witch hunt for something that was probably accidental, wouldn't you be better channeling your efforts into re-thinking your policies so this kind of thing can't happen again? But can you be sure it happened internally? Are you absolutely sure you aren't dealing with a compromised system, because a clean virus scan is pretty inconclusive! – Bryan Feb 09 '11 at 23:42

3 Answers


The only way to catch this kind of stuff is to have file-level auditing already in place. After the fact, you can't find out. That kind of auditing is horrendously spammy and pretty much requires some kind of third party log aggregation/analysis engine.

sysadmin1138
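As an added illustration of the file-level auditing sysadmin1138 describes (this is not code from the thread), the following PowerShell puts a delete-only SACL on System32, enables the matching audit policy, and reads the resulting events back. It assumes Windows Server 2008 or later (auditpol.exe and Get-WinEvent) and an elevated prompt; on Windows 2003 the policy is "Audit object access" in Local Security Policy, auditpol is not present, and the events are 560 (object open) / 564 (object deleted) rather than 4663 / 4660.

```powershell
# Added example, not from the original thread: put file-level auditing on
# %SystemRoot%\System32 so deletions land in the Security log, then read
# them back. Assumes Windows Server 2008 or later (auditpol.exe, Get-WinEvent)
# and an elevated prompt. On Windows 2003 the policy is "Audit object access"
# under Local Security Policy, there is no auditpol, and the events are
# 560 (object open) / 564 (object deleted) instead of 4663 / 4660.

$target = Join-Path $env:SystemRoot 'System32'

# 1. Policy. Without the File System subcategory enabled, SACLs are silently
#    ignored, which is the usual reason "we had auditing on" turns up nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL on the folder: audit Delete and DeleteSubdirectoriesAndFiles for
#    Everyone, inherited by every file and subfolder. Only delete rights are
#    audited so the log is not flooded by ordinary reads of system DLLs.
$acl  = Get-Acl -Path $target -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone',
                  'Delete, DeleteSubdirectoriesAndFiles',
                  'ContainerInherit, ObjectInherit',
                  'None',
                  'Success, Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# 3. Read the result: 4663 carries the file name and the access requested,
#    4660 confirms the object actually went away; the two share a Handle ID.
$since  = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'Security'; Id = 4663, 4660; StartTime = $since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process = $data['ProcessName']
            Object  = $data['ObjectName']
            Handle  = $data['HandleId']
        }
    } |
    Where-Object { $_.Id -eq 4660 -or $_.Object -like "$target\*" } |
    Sort-Object Time |
    Select-Object Time, Id, Account, Process, Object, Handle |
    Format-Table -AutoSize
```

Two points the answer's "horrendously spammy" warning implies: audit only the rights you need (delete here, not read), and ship the Security log off the box, because a local log can be cleared by the same admin who deleted the files.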

If you can narrow it down based on when the errors first appeared in your event log, you may be able to check login/logout events to see who was logged in around the time that the problem started. This won't help if the delete happened through a network share.

Fred
  • I already checked the event log for clues, but it has been cleared since the errors started to appear. No luck I guess... – Jason Feb 08 '11 at 18:30
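To show the correlation Fred suggests, here is an added PowerShell script (not from the thread) that lists logon and logoff events in a window around the time the errors began and first checks whether the Security log was cleared. It uses Get-EventLog, which reads the classic logs, so it runs on Windows 2003 with PowerShell installed as well as on later versions. The event IDs are generation-specific facts, not assumptions: 2003 records logons as 528 (interactive) / 540 (network), logoffs as 538 and a cleared audit log as 517; 2008 and later use 4624, 4634 and 1102. The $BreakTime parameter and the window sizes are the assumed inputs; you supply the timestamp of the first error you found in the System or Application log.

```powershell
# Added example, not part of the original answer: who was logged on around
# the time the errors started, and was the Security log cleared?
# Works with Get-EventLog (classic logs) on Windows 2003 and later.
# Event IDs by OS generation:
#   2003:  528 logon (interactive), 540 logon (network), 538 logoff, 517 log cleared
#   2008+: 4624 logon, 4634 logoff, 1102 log cleared
# $BreakTime is assumed input: the timestamp of the first error you found.
param(
    [Parameter(Mandatory = $true)][datetime]$BreakTime,
    [int]$HoursBefore = 12,
    [int]$HoursAfter  = 1
)

$start = $BreakTime.AddHours(-$HoursBefore)
$end   = $BreakTime.AddHours($HoursAfter)

# Logon types that matter here: 2 = console, 3 = network (file share), 10 = RDP.
$logonTypeName = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service';
                    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials';
                    10 = 'RemoteInteractive' }

# 1. Clearing the Security log leaves one event behind as its first entry.
#    If it is there, the history before it is gone, but the account that
#    cleared it and the time it happened survive.
$cleared = Get-EventLog -LogName Security | Where-Object { @(517, 1102) -contains $_.EventID }
foreach ($e in $cleared) {
    Write-Warning ('Security log cleared at {0} by {1}' -f $e.TimeGenerated, $e.UserName)
}

# 2. Logon / logoff events inside the window.
$logonIds  = 528, 540, 4624
$logoffIds = 538, 4634
$events = Get-EventLog -LogName Security -After $start -Before $end |
    Where-Object { ($logonIds + $logoffIds) -contains $_.EventID }

# The 2003 and 2008+ messages use different field names, so pull the values
# out of the message text; the last match wins, which for 4624 skips the
# Subject block and returns the New Logon account.
function Get-Field($text, $pattern) {
    $m = [regex]::Matches($text, $pattern)
    if ($m.Count -gt 0) { $m[$m.Count - 1].Groups[1].Value } else { '' }
}

$events | ForEach-Object {
    $type = Get-Field $_.Message 'Logon Type:\s*(\d+)'
    New-Object PSObject -Property @{
        Time    = $_.TimeGenerated
        Event   = $(if ($logonIds -contains $_.EventID) { 'logon' } else { 'logoff' })
        Account = Get-Field $_.Message '(?:User Name|Account Name):\s*(\S+)'
        Type    = $(if ($type) { $logonTypeName[[int]$type] } else { '' })
        Source  = Get-Field $_.Message 'Source Network Address:\s*(\S+)'
    }
} |
    # Machine accounts end in $ and are noise for this question.
    Where-Object { $_.Account -notlike '*$' } |
    Sort-Object Time |
    Select-Object Time, Event, Account, Type, Source |
    Format-Table -AutoSize
```

Logon type 10 entries are the Remote Desktop sessions the question mentions; type 3 entries are SMB sessions, which is the only trace a deletion over a network share leaves in the logon records, and only when object-access auditing is absent.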

In the meantime, you may be able to use the repair function to repair the installation rather than setting up a new server.

spenser
  • We tried "sfc /scannow" with no success and I am afraid to reboot the server since I am really not sure it will ever boot again without reinstalling. – Jason Feb 09 '11 at 01:00