How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?


We have our Windows 2003 servers fairly locked down by NTFS, and when a user
browses the Internet they are logged in as an ordinary user with minimal
access to the file system.   So imagine my horror to see that a virus was
able to change every single file and folder on the file system to be
read-only and hidden, apparently using the attributes for files that are
affected by the ATTRIB commandline command.

Is the ability to use ATTRIB controlled by NTFS permissions?   Or is this
the Write Attributes permission in NTFS?   Unfortunately we probably did
enable that because it was generating too many false positive audit
messages.

The command

    attrib -h -r *.* /s /d

apparently does NOT affect all folders under the current folder.   Is there
a command that can be used that would change every file and folder from the
current location and down all subtrees?

Is there any utility that would restore any critical system files and
folders to their original attributes?

--
W
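One way to do what the original poster asks for, walking the whole subtree and clearing Hidden and ReadOnly on every file and folder, as an added PowerShell example that is not from the thread. It assumes PowerShell 3.0 or later and a caller who holds Write Attributes on the tree; items carrying the System attribute (boot files, desktop.ini and similar) are skipped by default so that legitimate operating-system files are not unhidden along with the malware's changes:

```powershell
# Clear-HiddenReadOnly.ps1 (hypothetical name) - added example, not from the thread.
# Recursively removes the Hidden and ReadOnly attributes below -Root.
# Supports -WhatIf so the run can be previewed before anything is changed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $Root,
    [switch] $IncludeSystem      # also touch items that carry the System attribute
)

# -Force is required: without it Get-ChildItem silently skips hidden items,
# which is exactly the set we are trying to repair.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue

$mask    = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::ReadOnly
$system  = [System.IO.FileAttributes]::System
$changed = 0
$skipped = 0

foreach ($item in $items) {
    $attrs = $item.Attributes
    if (($attrs -band $mask) -eq 0) { continue }          # nothing to clear

    if (-not $IncludeSystem -and ($attrs -band $system) -ne 0) {
        $skipped++                                        # leave OS-owned items alone
        continue
    }

    $new = $attrs -band (-bnot $mask)
    if ($PSCmdlet.ShouldProcess($item.FullName, "attributes $attrs -> $new")) {
        try {
            # File.SetAttributes works for directories as well as files.
            [System.IO.File]::SetAttributes($item.FullName, $new)
            $changed++
        } catch {
            Write-Warning "Could not change $($item.FullName): $_"
        }
    }
}

Write-Host "$changed item(s) updated, $skipped system item(s) left untouched."
```

Run it first as `.\Clear-HiddenReadOnly.ps1 -Root D:\Data -WhatIf` to see what would change, then without `-WhatIf`. Any item reported as "Could not change" is worth a second look: either the account lacks Write Attributes on that path, or something is still holding the file open.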



Re: How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?

Crossposted from microsoft.public.windows.server.general




Re: How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?


| Crossposted from microsoft.public.windows.server.general

A virus didn't hide files and folders, a System Fix trojan or other rogue
malware did.

If I understand this post, a user was ALLOWED to browse the Internet from
the POC of the Win2003 Server.  If that was the case that was the mistake.
Nobody, users or administrators should be browsing on a server platform.
This is disrespecting the role of the server.  A System Fix type trojan is
bad enough but that kind of behaviour (which should never be allowed on a
server) could have had more disastrous effects.

The first thing to do is find and eliminate the System Fix type trojan and
then use Lawrence Abrams' (aka; Grinler) Unhide utility.
http://download.bleepingcomputer.com/grinler/unhide.exe

The Server may have to be booted in Safe Mode such that the trojan isn't
loaded.  Note also do NOT dump TEMP folders prior to running Unhide.  Unhide
may also be executed in Safe Mode.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?



It really depends on the role of this particular server. If it's a
terminal server, then this could be well within its designed usage
scope.

Re: How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?


| It really depends on the role of this particular server. If it's a
| terminal server, then this could be well within its designed usage
| scope.

Browsing the Internet should not be within an accepted scope of the use of a
Terminal Server session.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?



Why not?

Re: How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?


| Why not?

Browsing should be done on the client machine (workstation) and *never* done
on a Server because the chances of malware infections (infestation for you
Kurt) are increased significantly and this would be isolated to a
workstation (client).  An infection on a Server affects all users and their
ability to use the services that Server provides.  Thus a violation of the
role of the Server.  One can simply state it reduces its IA status.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?



A virus would prefer the users allow it access to the server. Makes its
life a lot easier from an infection POV. [g]


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Re: How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?


The Windows 2003 server in question is actually an individual's personal
workstation.   He prefers to use Server for many reasons as his workstation,
and one of those reasons is the ability to come in by Terminal Services
without disrupting the console session.

To be honest, this malware would have done minimal damage had we just not
allowed the Users group to have Write Attributes permissions on such a wide
file system scope.    We had allowed that because so many applications give
security error log messages after attempting to change an attribute that it
rendered logging very cumbersome.    We clearly didn't understand the
implication of that setting and now we do.    So no user should have global
Write Attributes.   Check. :)

Other than that, the virus was only able to change files and add new files
inside the user's profile folder.   We simply deleted that folder and had
the user login fresh to create a new profile folder.   That at least
contained the initial active part of the infection, and we'll have to
continue with other utilities later.



All of those utilities look useful thanks.

I could not get the MS Standalone Sweeper to create a standalone CD.   It
gives an error when trying to write the CD that has no error code and simply
indicates it cannot continue.     Amazing that it took MS 10 years to
finally understand that to beat a virus effectively you should boot from a
dedicated uninfected OS, without invoking the OS of system under test.
Better late than never, assuming I can ever get it to work.

--
W
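The poster concludes that granting the Users group Write Attributes across the file system was the mistake. A way to find where that grant still exists, as an added PowerShell example that is not from the thread: it walks the folders below a root and reports every Allow entry for a chosen principal that includes the Write Attributes right, whether granted directly or as part of a broader right such as Modify or Full Control. It assumes PowerShell 3.0 or later and only reports; it changes nothing.

```powershell
# Find-WriteAttributesGrant.ps1 (hypothetical name) - added example, not from the thread.
# Lists folders whose ACL grants Write Attributes to -Principal.
param(
    [Parameter(Mandatory)] [string] $Root,
    [string] $Principal = 'BUILTIN\Users'     # default chosen for this example
)

$writeAttr = [System.Security.AccessControl.FileSystemRights]::WriteAttributes

Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }

        foreach ($ace in $acl.Access) {
            # Only Allow entries for the principal we care about.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -ne $Principal) { continue }

            # Modify and FullControl both contain the WriteAttributes bit,
            # so a bitwise test catches the broad grants as well as the narrow one.
            if (($ace.FileSystemRights -band $writeAttr) -eq $writeAttr) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
```

Run it as `.\Find-WriteAttributesGrant.ps1 -Root C:\ | Format-Table -AutoSize`. Entries with `Inherited = False` are the ones set explicitly and are the place to fix; the inherited ones disappear once their source is corrected. Entries whose rights appear as a bare number are generic-rights ACEs that this script does not decode, so review those by hand.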



Re: How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?



It's only important from proper analysis, recovery and future
prevention. In your case tho, nothing. :)

You underestimate the ability for a virus to acquire sufficient rights
on a poorly secured system. Don't assume IP policy is perfect if the OS
has other problems, I have little doubt they do at this point.

When you mentioned using a server OS for a workstation, that was very
helpful in determining your competency as an administrator. Adding that
you allowed surfing on the server was only icing on the cake.

They're well known amongst many security/pc techie circles.
 



--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Re: How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?


An OS is an OS, and you do or do not secure it.    Whether a given OS is
used as a personal workstation or not is a function of its assigned use, and
it is not a function of the other possible uses of the OS.    The fact that
a Windows Server *could* be used as a server does not mean it *must* be used
as a server.   If in fact only one user uses the server, functionally it
stops being a server and in terms of its role it performs like a
workstation.

Any argument that starts from the premise "Computer A is a Windows Server" and
ends with the conclusion "Therefore Computer A must be shared by a group of
people and perform in the role of a Server" is an invalid argument.

--
W



Re: How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?



If that suits you, fine by me. :)
 


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Re: How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?

"Peter Foldes" wrote:


Yes it does.


Yes, attrib, just as you show above works fine. Maybe it doesn't work
on your system because of the permissions you set (which the malware
bypassed or temporarily reset) or because the malware is still active
and preventing any change.

And as has been said, WTF are you doing browsing the internets from a
server?


