Windows server 2003 issue / NTLDR missing
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Windows server 2003 issue / NTLDR missing

  1. #1
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003

    Windows server 2003 issue / NTLDR missing

    Hey Guys,

    It's been Long time.. .. I have a windows 2003 server (Ent edition) with 7500 computers in it.. There is one single OU for local branch computers with one computer from all branches going to a different OU (252 total).

    We use Ghost for hard-disk replication and installation. Our image is updated once a year (dont ask).. All of a sudden from last 2 weeks every machine that is ghosted and added back into the domain gives NTLDR missing problem. After few boot's all files in root folder (Esp. EXE files) are deleted and even files from %program files% folder start getting deleted (only EXE)..

    We have scanned all our controllers (5 in total) for any malware and have found nothing, we have a trend team with us 24x7 who have also found nothing (i don't trust trend any more though), I have scanned all the controllers with online scanners and still nothing.

    As of now all ghosting is stopped. But I know this is not the solution. I have ghosted machines in the lab and not added them into the domain and they work perfectly. No issue's at all. I am currently doing more testing. I have planned to add newly ghosted machines into OU created for administrator machines at the branch to isolate the "normal machine" OU as the cause.

    Till then if anyone can help I would really appreciate it.


    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Well, the first thing that springs to mind is the DEP of Windows messing things up. It's been known to have caused problems before with Ghost.

    Other then that ... Good question
    Back when I was a boy, we carved our own IC's out of wood.

  3. #3
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,251
    To expand upon what CEM said:

    Like AV software, you can tell Ghost not to set DEP settings or ignore (Can't remember) So do you have a new admin or Ghost admin changing settings?
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  4. #4
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    DEP.. Are you sure ? While I'm not questioning what you guys are saying but it sounds weird since the machine works well with the same ghost image in different OU..

    And second thing is we have intel 4's (old one's before HT ) so obviously they dont support hardware based DEP..

    I am sure its the OU.. but is there anyway or utility that i can use to isolate the script on the server..

    We have like 100 scripts and the old ****ing admin didnt delete any .. so I have like 500 to go through.... KILL THAT GUY !

    :S


    Anyway thanks for helping out..
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  5. #5
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    ****ing..

    we have slang protection enabled now ?

    Man some updates are never good.. who tested this patch ?
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  6. #6
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    sucker

    testing if this one works.

    if it does, last admin was a sucker and assclown.

    Thank you

    /end frustration/
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  7. #7
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    So the newly ghosted pc's are added to the domain automatically and put in the designated OU as well ?

    Do you monitor the Policy tool, there must have changed something, you can backtrack if you monitor it.
    Back when I was a boy, we carved our own IC's out of wood.

  8. #8
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    I was handed the server few weeks back.. almost a day or two before the problem was first reported.. We took it as virus but I was curious since the machine's were freshly ghosted.. I haven't made any changes to the server policies.. I haven't even seen any changes being made by someone else (2 more people can apply changes to the server)..

    I was in the ISM team (information security management) and was handed this server due to high number of attacks reported from this domain..

    Anyway, moving on I see lot's of automated attacks (virus or scripts i guess) and few distinct entries since they were familiar usernames, either of people at high level or of people actually administering the server.. As of now Microsoft guys have found the fault as one of the scripts that was used to clear all temp files after a user logs off.. but this script has been in place for years now and i am not sure how it created all this out of the blue..

    I am really confused about the error issue..

    Other then that.. network is infected.. more then infected.. Trojans all over..

    Trend is doing piss poor here.. really..

    Out of 5 controllers for this domain, I have taken one offline and will take it apart tomorrow.. anyone with any help what do to next can tell me.. I will start off with familiar usernames logon attempts and then take the originating machine(s) for analysis.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  9. #9
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Crap ... sounds like a fun job .

    Trend Micro is loosing it's credibility with me to, I'm a level 3 Trend Micro, but the guy teaching the classes to become it was a real ass hat ...

    Anyway ... I'd state the obvious, clone the server, and do all necessary Forensic research ... I like this CD for that: http://www.lnx4n6.be/index.php?sec=D...ds&page=bootcd

    The site sucks, but the CD's are good
    Back when I was a boy, we carved our own IC's out of wood.

  10. #10
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Yeah.. This is my first job.. after a year I have learnt 2 things. 1. No one gives a **** about data / security until theirs is stolen. 2. Politics is the biggest thing out there.

    Fcuk that though..

    I need some pointers on HDD replication.. I will be taking down one controller and will replicate its HDD.. I will use the CD that you have linked to.. but is there a possibility that you can help me jump start this.. I am going over the documentation right now.. but if I wanna copy (without altering, ofcourse) entire HDD.. then ?

    http://www.lnx4n6.be/index.php?sec=D...&page=netcatdd

    But I am having issue's with this since I'm planning to use it on a virtual machine on my laptop with vista..(microsoft virtual PC 2007 SP1)..


    HELP >.<..
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

Similar Threads

  1. Windows Error Messages
    By cheyenne1212 in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: February 1st, 2012, 02:51 PM
  2. Copying updates
    By Cider in forum Operating Systems
    Replies: 10
    Last Post: March 21st, 2006, 09:30 PM
  3. Using Vim basics
    By gore in forum Other Tutorials Forum
    Replies: 10
    Last Post: March 28th, 2005, 08:38 AM
  4. Newbies, list of many words definitions.
    By -DaRK-RaiDeR- in forum Newbie Security Questions
    Replies: 9
    Last Post: December 14th, 2002, 08:38 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •