Windows server 2003 issue / NTLDR missing

[ByTeWrangler]

Hey Guys,

It's been Long time.. .. I have a windows 2003 server (Ent edition) with 7500 computers in it.. There is one single OU for local branch computers with one computer from all branches going to a different OU (252 total).

We use Ghost for hard-disk replication and installation. Our image is updated once a year (dont ask).. All of a sudden from last 2 weeks every machine that is ghosted and added back into the domain gives NTLDR missing problem. After few boot's all files in root folder (Esp. EXE files) are deleted and even files from %program files% folder start getting deleted (only EXE)..

We have scanned all our controllers (5 in total) for any malware and have found nothing, we have a trend team with us 24x7 who have also found nothing (i don't trust trend any more though), I have scanned all the controllers with online scanners and still nothing.

As of now all ghosting is stopped. But I know this is not the solution. I have ghosted machines in the lab and not added them into the domain and they work perfectly. No issue's at all. I am currently doing more testing. I have planned to add newly ghosted machines into OU created for administrator machines at the branch to isolate the "normal machine" OU as the cause.

Till then if anyone can help I would really appreciate it.

[Cemetric]

Well, the first thing that springs to mind is the DEP of Windows messing things up. It's been known to have caused problems before with Ghost.

Other then that ... Good question

[dinowuff]

To expand upon what CEM said:

Like AV software, you can tell Ghost not to set DEP settings or ignore (Can't remember) So do you have a new admin or Ghost admin changing settings?

[ByTeWrangler]

DEP.. Are you sure ? While I'm not questioning what you guys are saying but it sounds weird since the machine works well with the same ghost image in different OU..

And second thing is we have intel 4's (old one's before HT ) so obviously they dont support hardware based DEP..

I am sure its the OU.. but is there anyway or utility that i can use to isolate the script on the server..

We have like 100 scripts and the old ****ing admin didnt delete any .. so I have like 500 to go through.... KILL THAT GUY !

:S


Anyway thanks for helping out..

[ByTeWrangler]

****ing..

we have slang protection enabled now ?

Man some updates are never good.. who tested this patch ?

[ByTeWrangler]

sucker

testing if this one works.

if it does, last admin was a sucker and assclown.

Thank you

/end frustration/

[Cemetric]

So the newly ghosted pc's are added to the domain automatically and put in the designated OU as well ?

Do you monitor the Policy tool, there must have changed something, you can backtrack if you monitor it.

[ByTeWrangler]

I was handed the server few weeks back.. almost a day or two before the problem was first reported.. We took it as virus but I was curious since the machine's were freshly ghosted.. I haven't made any changes to the server policies.. I haven't even seen any changes being made by someone else (2 more people can apply changes to the server)..

I was in the ISM team (information security management) and was handed this server due to high number of attacks reported from this domain..

Anyway, moving on I see lot's of automated attacks (virus or scripts i guess) and few distinct entries since they were familiar usernames, either of people at high level or of people actually administering the server.. As of now Microsoft guys have found the fault as one of the scripts that was used to clear all temp files after a user logs off.. but this script has been in place for years now and i am not sure how it created all this out of the blue..

I am really confused about the error issue..

Other then that.. network is infected.. more then infected.. Trojans all over..

Trend is doing piss poor here.. really..

Out of 5 controllers for this domain, I have taken one offline and will take it apart tomorrow.. anyone with any help what do to next can tell me.. I will start off with familiar usernames logon attempts and then take the originating machine(s) for analysis.

[Cemetric]

Crap ... sounds like a fun job .

Trend Micro is loosing it's credibility with me to, I'm a level 3 Trend Micro, but the guy teaching the classes to become it was a real ass hat ...

Anyway ... I'd state the obvious, clone the server, and do all necessary Forensic research ... I like this CD for that: http://www.lnx4n6.be/index.php?sec=D...ds&page=bootcd

The site sucks, but the CD's are good

[ByTeWrangler]

Yeah.. This is my first job.. after a year I have learnt 2 things. 1. No one gives a **** about data / security until theirs is stolen. 2. Politics is the biggest thing out there.

Fcuk that though..

I need some pointers on HDD replication.. I will be taking down one controller and will replicate its HDD.. I will use the CD that you have linked to.. but is there a possibility that you can help me jump start this.. I am going over the documentation right now.. but if I wanna copy (without altering, ofcourse) entire HDD.. then ?

http://www.lnx4n6.be/index.php?sec=D...&page=netcatdd

But I am having issue's with this since I'm planning to use it on a virtual machine on my laptop with vista..(microsoft virtual PC 2007 SP1)..


HELP >.<..