We have an SBS 2003 server and recently there have been a number of spam files (all .exe files like PORN.EXE and SEXY.EXE) being written to a common shared data folder on the server. This is malware, I'm sure, but I cannot figure out what system is creating these files (the server itself is clean).
How can I tell what machine (or IP) is responsible for saving these files on the server? I've tried to set up an audit of the folder, but I'm not getting any results for saving and deleting files, only access/logon info.
Is there a way to determine what machine (or user) is saving/creating these files?
Install our file auditing product FileSure (www.bystorm.com) and configure it to watch for the creation of *.exe files. There's a 21-day trial, which should give you enough time to find your culprit without having to spend any money. :)
Your requirement is close to PCI DSS, and here's a short video about it: http://www.bystorm.com/resources-videos.html#!prettyphoto/45/
Thursday, January 03, 2013 3:06 PM
- Marked as answer by ISD-PC-MAN Thursday, January 03, 2013 10:05 PM
Make sure the "Audit Object Access" policy has been applied to the server where the shared folder resides. Run GPResult or RSOP on the file server to verify. The logon success/failure events you've seen are Windows pre-defined Security Events. Force your antivirus software to run a full scan on all servers and clients.
By the way, for SBS server questions, please ask in the SBS forum.
Event IDs 560 and 4656 are used to identify file/folder creation in Windows Server 2003 and Windows Server 2008 respectively.
Below are some useful links for your reference:
- What is the Event ID for file & folder creation in Windows Server 2008: http://social.technet.microsoft.com/Forums/en-CA/winservergen/thread/8779ad6d-80c7-40ee-95d8-343131880863
- Audit file/folder share: http://www.techrepublic.com/article/step-by-step-how-to-audit-file-and-folder-access-to-improve-windows-2000-pro-security/5034308
Why don't you go for the file screening option to stop unneeded files from being recorded in the file share based on file extension (*.exe)?
- I suggest you check this article to learn more about File Screening Management Scenarios: http://technet.microsoft.com/en-us/library/cc755013(v=ws.10)#BKMK_FGS1
- Another useful link for screening files: http://technet.microsoft.com/en-us/library/cc732349(v=ws.10)#BKMK_MonitorFS
Regards, Ravikumar P
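To put the advice in the two replies above into practice (enable Object Access auditing, then look for the file-creation event), here is an added PowerShell example; it is not from this thread or from the linked articles. It assumes Windows Server 2008 or later (auditpol, Get-WinEvent and event IDs 4656/4624; on Server 2003 the equivalents are 560 and 540, and the policy is set through Local Security Policy rather than auditpol), an assumed share path of D:\CommonData, and an elevated session on the file server. Because the share is written over the network, the account in event 4656 alone does not name the machine, so the script joins each handle request on a .exe under the share to the network logon (4624, logon type 3) that has the same Logon ID, which carries the workstation name and source IP.

```powershell
# Added example (not from the thread): audit .exe creation on a share and
# attribute each creation to the workstation that opened the SMB session.
# Assumes Server 2008+ and an assumed share path; run elevated on the file server.
$Share = 'D:\CommonData'   # assumed path of the common data share

function Enable-ShareCreateAudit {
    param([string]$Path)
    # 1. Turn on the "File System" object-access subcategory (success only).
    #    On Server 2003 use Local Security Policy > Audit object access instead.
    auditpol /set /subcategory:"File System" /success:enable | Out-Null

    # 2. Add a SACL entry so creates and deletes by anyone in the folder tree
    #    generate 4656/4663 events. Get-Acl -Audit is required to read the SACL.
    $acl    = Get-Acl -Path $Path -Audit
    $rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, Delete'
    $rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function ConvertTo-EventDataHash {
    # Flatten <EventData><Data Name="..."> pairs into a hashtable. The Name
    # attribute is stable across OS versions; numeric Properties indexes are not.
    param($Event)
    $h   = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Find-ExeWriters {
    param([string]$Path, [datetime]$Since = (Get-Date).AddHours(-24))

    # Map Logon ID -> workstation/IP from network logons (type 3 = SMB clients).
    $sessions = @{}
    $logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since} -ErrorAction SilentlyContinue
    foreach ($e in $logons) {
        $d = ConvertTo-EventDataHash $e
        if ($d.LogonType -eq '3') {
            $sessions[$d.TargetLogonId.ToLower()] = @{ Host = $d.WorkstationName; Ip = $d.IpAddress }
        }
    }

    # 4656 = handle requested. Keep file objects under the share whose name ends in .exe.
    $opens = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656; StartTime=$Since} -ErrorAction SilentlyContinue
    foreach ($e in $opens) {
        $d = ConvertTo-EventDataHash $e
        if ($d.ObjectType -ne 'File') { continue }
        if ($d.ObjectName -notlike "$Path\*" -or $d.ObjectName -notlike '*.exe') { continue }

        $s    = $sessions[$d.SubjectLogonId.ToLower()]
        $host = '(local process, or logon earlier than -Since)'
        $ip   = ''
        if ($s) { $host = $s.Host; $ip = $s.Ip }

        # New-Object PSObject keeps this working on PowerShell 2.0 (Server 2008 R2).
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            Account     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            File        = $d.ObjectName
            Workstation = $host
            SourceIP    = $ip
            AccessMask  = $d.AccessMask
        }
    }
}

Enable-ShareCreateAudit -Path $Share
Find-ExeWriters -Path $Share | Sort-Object Time | Format-Table Time, Account, Workstation, SourceIP, File -AutoSize
```

Two things to keep in mind when reading the output: 4656 records that a handle was requested, so filter on AccessMask (or on the follow-up 4663 access event) if you only want confirmed writes; and the 4624 that opened the SMB session may predate the window you query, which is why unmatched rows are labelled rather than dropped. Widen -Since, or restart the server's SMB sessions, if the workstation column stays empty for the account you suspect.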
In addition, I am not sure about SBS 2003, but you can also configure File Screening to prevent *.exe files from being copied to the server as an additional protective measure.
Have a look at this and see if it helps:
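The file screening suggested in this reply and in the one above can be set up from the command line with FSRM's filescrn.exe. The following is an added example, not from the thread or the linked TechNet pages; it assumes Windows Server 2008 or 2008 R2 with the File Server Resource Manager role service available and the same assumed share path D:\CommonData. FSRM first shipped with Windows Server 2003 R2, so whether an SBS 2003 box has it depends on the release; run `filescrn filegroup list` first to check.

```powershell
# Added example (not from the thread): block executables from being saved to
# the share with an FSRM file screen. Assumes Server 2008/2008 R2 and an
# assumed share path; run elevated on the file server.
$Share = 'D:\CommonData'   # assumed path of the common data share

# Install the role service if it is missing (2008 R2 cmdlet shown; on 2008
# use "servermanagercmd -install FS-Resource-Manager").
Import-Module ServerManager
if (-not (Get-WindowsFeature FS-Resource-Manager).Installed) {
    Add-WindowsFeature FS-Resource-Manager
}

# A file group is a named set of patterns; a screen applies the group to a path.
# Patterns in /members are separated by "|".
filescrn filegroup add /filegroup:"Blocked Executables" /members:"*.exe|*.com|*.scr|*.pif"

# "active" refuses the write (the client gets Access Denied); "passive" only
# records the attempt, which is the safer first step while you are still
# hunting the source and want to see who trips the screen.
filescrn screen add /path:$Share /type:active /add-filegroup:"Blocked Executables"

# Confirm the screen, then test from a client: copying test.exe to the share should fail.
filescrn screen list /path:$Share
```

Note that screening is enforcement, not attribution: it stops the files landing but does not by itself say which machine sent them, so keep object-access auditing on the folder as well. On Windows Server 2012 and later the same setup is available as cmdlets (New-FsrmFileGroup and New-FsrmFileScreen in the FileServerResourceManager module).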
I'm very happy to report that I installed the FileSure app, configured a filter to audit file creation and deletion (only) and discovered, within 8 minutes, the infected machine. This worked great! Thanks for the heads up on the tool. We will undoubtedly add this to our toolkit.
This is SBS 2003, not 2008. I will read these, however, as we have 2008 servers out there, too. But honestly, in the time it took to read the first article we had the software installed, configured and were on our way to finding the malicious workstation.