August 1st, 2005, 11:09 AM
I have a server (file server), that is disappearing some files, such some important folders, i guess its not a virus, because the anti-virus server those not acuse anything, and the folders that are deleted are very important, the less important files are not missing. So my best guess is someone inside the company, that knows what to delete to injure the company.
I would like you guys to point me a software that is able to create logs of the deleted files and folders, access, modifications, stuff like that, i have tryied the auditor from win2003 server, but i don't think i logs the deleted files.
And i want this logs to tell me, how is the login that is deleting files.
August 1st, 2005, 02:27 PM
I am fairly sure that by activating the audits on the server you should be able to see who is deleteing the files. It should be shown in your security log file. You should only activate the audits you need, in this case file deletion, or your logs will fill up fairly quickly.
\"America is the only country that went from barbarism to decadence without civilization in between.\"
\"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
August 1st, 2005, 03:25 PM
You may also want to take an audit of permissions and users within your organisation. If you have someone deleting files there is a good chance they don't have a legitimate need or business requirement to access them in the first place. An audit of who can access what may reveal the answer as to who is deleting these files if you see some permission that users shouldn't have. It is also a reasonable practice to undergo if you experience these sort of events too.
August 2nd, 2005, 03:30 AM
My big problem, is the person that i suspect, it must have access to all of these files, i will try to use the windows audit
August 2nd, 2005, 05:35 AM
You should think about what happened, then you should scan comstumer's Ip and track them all download and think of where it would mostlikely be.
August 2nd, 2005, 11:36 AM
You should be able to set user permissions so that they can access files and folders, but not delete them.
You should have done this in the first place, as no user should have access or authority in excess of that which they need to perform their job. I would recommend that you review your security model in some depth.
Remember that most of the user created problems you come across are a result of errors and ignorance rather than malicious intent. It is your job to make sure that they do not have the opportunity.
August 2nd, 2005, 12:51 PM
We use a package called Undelete on our file servers, keeps the files so that they can be recovered easily and also lets you know who deleted them www.undelete.com.
August 2nd, 2005, 09:16 PM
Just read this
Could it be????
What it does: Killfiles is the simplest sort of Trojan horse, a Windows batch file that deletes specific key system file. It is sometimes used by other Trojans to disable a computer. Killfiles is not a widely-distributed threat.
How people treat you is their karma- how you react is yours-Wayne Dyer
August 2nd, 2005, 10:12 PM
Make sure you disable/delete any default accounts that are not in use from installation (i.e. user, administrator, etc.). This provides a simple loophole for someone to just get in and do whatever they want based on someone else's oversight.
And so at last the beast fell and the unbelievers rejoiced. But all was not lost, for from the ash rose a great bird. The bird gazed down upon the unbelievers and cast fire and thunder upon them. For the beast had been reborn with its strength renewed, and the followers of Mammon cowered in horror. -from The Book of Mozilla, 7:15
August 3rd, 2005, 10:41 AM
This is a person who works here that is deleting, i don't have any virus, or worms. I didn't have a security breach. I suspect of a person, because she is an "ignorant" in computers, maybe by mistake she deleted those folders, but din't warn me, or she is doing this on purpose(she have some personal resons for it, she was recently demoted), and recently folders have been missing.
Thanks god for the Tapes, i have been able to restore all the deleted data.
I have moving around the system, and i got to the "effective Permissions", i can and a user and try to uncheck the Delete Box, this should take the delete privileges. but all the Boxes are Gray, i can't move, and i must to this, folder by folder. Is there a way, where i can get everyone inside a Undelete group, and take the delete privileges?
Thanks for all the replys