Wyndows? Hacked?

Status
Not open for further replies.

chrisk96x

IS-IT--Management
Apr 11, 2002
26
US
Good Day,

Recently one of my Windows 2003 SBS servers crashed. It was not a hardware crash - it was the OS itself. It was a mirrored system and both mirrors went down and were unbootable. I was able to Ghost the data from one of the failed drives onto another HD. After reloading the OS as a new installation on the ghosted HD I noticed there was a folder called "wyndows" on the drive with a subfolder "system32". Both folders were empty.

Curiously, they were created at just about the time I suspect the OS crashed: 21:11 on a Sunday night.

No one was in the building at that time and no users have access to the server or system drive on the server anyway.

We have a SonicWall TZ170 for a firewall. Port 3389 (terminal server) was open on the firewall and was being directed to a workstation PC on the network, but Remote Desktop was disabled on that workstation at the time. Port 443 was also open on the firewall but was protected by a strong password. The firewall logs show nothing. No other ports were open.

My question is: in your opinion, did I somehow get hacked? And if so, did the hacker leave behind the "wyndows" folder as a taunt? Has anyone else ever seen this?

Thanks for reading.

ChrisK


 
I've not seen that before, but would be suspicious of a virus over a successful hacking attempt. Hackers generally like their machines to stay working.

Consider running a full virus scan with current definitions.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Thanks for the response.

I was running up-to-date Trend Micro Client/Server Anti virus on this particular machine. It's the first time I've tried TM so it has no track record with me. I usually use Norton or McAfee Corporate.

Thanks again.

ChrisK
 
It might be worth running some other scanners across it, AVG or free online scanners. It could be some sort of malware/spyware I suppose; spybot etc could identify that.

I'd be interested to know if you do find anything that might have been the cause.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Granage,

Thanks.

I'll post back if anything worthwhile surfaces.

ChrisK
 
Did anyone plug a USB memory key into those machines recently?

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
Chip,

I will occasionally plug mine in although I don't recall doing so recently.

Whether someone else did or not I can't say. The server is in a limited access room but people do come and go from there. The room doubles as die storage (this is a screen printing company) so the guys that work the factory floor have access to the room if they need it.

Are you thinking a virus was introduced to the system via USB?

ChrisK
 
Anything is possible if a lot of people have physical access to the machine. If you can't put it into a room that you can secure, you should at least put it into a lockable rack.
 