Examining a compromised server.
I'll be working on 31st it seems. I was on audit and found that while running a quick scan on a critical server there were lot of files that were being scanned (mostly with sys extension) but when I ran a search for the same files, I couldnít find anything. I was sort of expecting that because file names are hide_evr2.sys which according to lot places is a rootkit. Now the nature of the server is "extremely critical". Seeing this server compromised to an extent that Symantec Endpoint can see the file but can't detect it (I am not sure if they have def's for it but in any case it's freaking out stuff).
I'm writing this at a point where Iím finding almost every server I examine with the same malware so Iíll come down to the question
What should be my next step in examining the server?
Please note that we don't have a "real" incident response team or plan. I know my next level of escalation and I will be doing that accordingly. My question simply is how I examine these server from here on. I will of course create a copy of the HDD and examine there so beyond that please let the suggestions flow.
I know this case is related to malware infection only but Iíve started it in Microsoft Security Discussions the reason being itís a server running windows OS (2003) and this thread may server as a point of reference.
PS: Thanks a lot and HAPPY NEW YEAR IN ADVANCE.