
Possible Hack?

4 replies to this topic

#1 LantechSolutions

  • Members
  • 3 posts

Posted 12 March 2017 - 03:08 PM

I have a client that we have been having some strange issues with. When I took them over from a friend who is retiring, they had just been hit with a ransomware virus. I was able to get them back to a running state again, but not without paying the ransom, as they did not have a good backup. I have since fixed the backup situation and hopefully blocked any new ransomware invasions. We had an issue the other day where the office manager told me that they had just randomly lost directories under their working cases (law firm). I investigated the issue and could only find an issue with the DFS setup to the old server. In the process of investigation I started just checking all the systems. The real issue that bothers me is that on my SonicWall I started seeing blocked connections from Russia to the firewall, which is not unusual from the outside, but then I have the managing partner's Mac trying to reach Russia from within the network. What I was wondering is what can I use to check and see what is trying to call out on the Mac? I am fluent on Windows and Linux but not the Mac. Like I said, this client is the nervous type and always thinks that they are being hacked.




#2 JohnnyJammer

  • Members
  • 1,117 posts
  • Gender:Male
  • Location:QLD Australia

Posted 12 March 2017 - 05:45 PM

First thing I would have done, mate, is rebuild the entire server from scratch. Also note that if using DFSR as drive maps using FQDN, then you would see all deleted files in the DfsrPrivate folder; otherwise they might be in the conflicted folder.

Have you checked the task scheduler? First place I would look, and also any running services that may be infected.



#3 LantechSolutions

  • Topic Starter
  • Members
  • 3 posts

Posted 12 March 2017 - 06:19 PM

I mentioned to the client that I would have liked to have started from scratch, but I was shut down. I only mentioned DFSR because it was having errors at the exact time of the missing files. I was getting a high watermark error in the staging area. The previous tech set up DFSR to sync between the old server and the new one. I do not need the old server, so I shut off DFSR on the main server. As far as the scheduler, I have checked it but I do not see anything out of the normal. I did see one thing about the Mac. The Mac is running Parallels and the Kaspersky client. Do you think that the Kaspersky client is calling home? Kaspersky is a Russian-made product. It is doing a check every 30 minutes to 62.128.100.84. Thanks for all the help.
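To confirm which process on the Mac is behind those periodic connections rather than inferring it from the IP owner, the check below attributes established TCP connections to processes by parsing the output of `lsof`. This is an added example, not something posted in the thread; the `lsof` output is constructed sample data and the process names in it (`avclient`, `prl_vm`) are made up for illustration.

```shell
#!/bin/sh
# Attribute outbound TCP connections on macOS to the process that owns them.
# Input format is the output of:  lsof -nP -iTCP -sTCP:ESTABLISHED
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# NAME looks like  192.168.1.20:49213->62.128.100.84:443 (ESTABLISHED)

# Constructed sample output (not captured from a real machine); process names are invented.
SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
avclient  412 root    9u  IPv4 0x1a2b      0t0  TCP 192.168.1.20:49213->62.128.100.84:443 (ESTABLISHED)
Safari   1033 user   23u  IPv4 0x3c4d      0t0  TCP 192.168.1.20:49300->151.101.1.69:443 (ESTABLISHED)
prl_vm    877 user   15u  IPv4 0x5e6f      0t0  TCP 192.168.1.20:49401->62.128.100.84:443 (ESTABLISHED)'

# connections_to ADDR
# Reads lsof output on stdin and prints "COMMAND PID REMOTE:PORT" for every
# established connection whose remote host is ADDR. Header line is skipped.
connections_to() {
    awk -v target="$1" '
        NR > 1 && $NF == "(ESTABLISHED)" {
            split($(NF-1), ends, "->")      # ends[1] = local, ends[2] = remote
            remote = ends[2]
            sub(/:[0-9]+$/, "", remote)     # strip the remote port before comparing
            if (remote == target) print $1, $2, ends[2]
        }'
}

# Stand-alone demo on the constructed sample: expect avclient and prl_vm, not Safari.
printf '%s\n' "$SAMPLE" | connections_to 62.128.100.84

# Live use on the Mac (sudo is needed to see other users' processes):
#   sudo lsof -nP -iTCP -sTCP:ESTABLISHED | connections_to 62.128.100.84
```

Because the check in the thread happens every 30 minutes, run the live command in a loop (for example `while :; do ...; sleep 60; done`) or at the moment the SonicWall logs the block, otherwise the short-lived connection will not be visible.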



#4 LantechSolutions

  • Topic Starter
  • Members
  • 3 posts

Posted 12 March 2017 - 06:27 PM

Just answered one of my questions. Kaspersky owns the IP address. Glad I found that out. Now, would DFSR cause you to lose files? I didn't see them in the deleted or the conflict folder. I even checked the old restore points and didn't find them. Very strange.



#5 JohnnyJammer

  • Members
  • 1,117 posts
  • Gender:Male
  • Location:QLD Australia

Posted 12 March 2017 - 10:05 PM

I would say that the malware would have deleted all the snapshots using vssadmin mate.

Check to see who the primary is with DFSR (change the part after RGName):

Dfsradmin Membership List /RGName:FQDN\Share\folder /attr:MemName,RFName,IsPrimary

You say you shut down the old DFSR replicator, so I assume you don't need DFSR now with just one server!

Also if they refuse to do a full rebuild, then they need to know the consequences hey LOL.

No one wants to spend $ on backups or disaster recovery until it happens, and then of course it's always too late.


Edited by JohnnyJammer, 12 March 2017 - 10:06 PM.
