Windows Vista Tips

How to Prevent Virus from Changing Read-Only and Hidden Attributes on Files Folders?

 
 
W
      01-17-2012
We have our Windows 2003 servers fairly locked down by NTFS, and when a user
browses the Internet they are logged in as an ordinary user with minimal
access to the file system. So imagine my horror to see that a virus was
able to change every single file and folder on the file system to be
read-only and hidden, apparently using the attributes for files that are
affected by the ATTRIB commandline command.

Is the ability to use ATTRIB controlled by NTFS permissions? Or is this
the Write Attributes permission in NTFS? Unfortunately we probably did
enable that because it was generating too many false positive audit
messages.

The command

attrib -h -r *.* /s /d

apparently does NOT affect all folders under the current folder. Is there
a command that can be used that would change every file and folder from the
current location and down all subtrees?

Is there any utility that would restore any critical system files and
folders to their original attributes?

--
W


 
 
 
 
 
Char Jackson
      01-17-2012
On Tue, 17 Jan 2012 01:49:56 -0800, "W" <>
wrote:

>We have our Windows 2003 servers fairly locked down by NTFS, and when a user
>browses the Internet they are logged in as an ordinary user with minimal
>access to the file system. So imagine my horror to see that a virus was
>able to change every single file and folder on the file system to be
>read-only and hidden, apparently using the attributes for files that are
>affected by the ATTRIB commandline command.
>
>Is there any utility that would restore any critical system files and
>folders to their original attributes?


It sounds like you might need a tool called unhide.exe.
<http://www.bleepingcomputer.com/forums/topic405109.html>

 
 
Peter Foldes
      01-17-2012
Crossposted from microsoft.public.windows.server.general


"W" <> wrote in message
news: ...
> We have our Windows 2003 servers fairly locked down by NTFS, and when a user
> browses the Internet they are logged in as an ordinary user with minimal access to
> the file system. So imagine my horror to see that a virus was able to change
> every single file and folder on the file system to be read-only and hidden,
> apparently using the attributes for files that are affected by the ATTRIB
> commandline command.
>
> Is the ability to use ATTRIB controlled by NTFS permissions? Or is this the
> Write Attributes permission in NTFS? Unfortunately we probably did enable that
> because it was generating too many false positive audit messages.
>
> The command
>
> attrib -h -r *.* /s /d
>
> apparently does NOT affect all folders under the current folder. Is there a
> command that can be used that would change every file and folder from the current
> location and down all subtrees?
>
> Is there any utility that would restore any critical system files and folders to
> their original attributes?
>
> --
> W
>


 
 
David H. Lipman
      01-17-2012
From: "Peter Foldes" <>

| Crossposted from microsoft.public.windows.server.general
|
| "W" <> wrote in message
| news: ...
>> We have our Windows 2003 servers fairly locked down by NTFS, and when a
>> user browses the Internet they are logged in as an ordinary user with
>> minimal access to the file system. So imagine my horror to see that a
>> virus was able to change every single file and folder on the file system
>> to be read-only and hidden, apparently using the attributes for files
>> that are affected by the ATTRIB commandline command.
>>
>> Is the ability to use ATTRIB controlled by NTFS permissions? Or is this
>> the Write Attributes permission in NTFS? Unfortunately we probably did
>> enable that because it was generating too many false positive audit
>> messages.
>>
>> The command
>>
>> attrib -h -r *.* /s /d
>>
>> apparently does NOT affect all folders under the current folder. Is
>> there a command that can be used that would change every file and folder
>> from the current location and down all subtrees?
>>
>> Is there any utility that would restore any critical system files and
>> folders to their original attributes?
>>


A virus didn't hide files and folders, a System Fix trojan or other rogue
malware did.

If I understand this post, a user was ALLOWED to browse the Internet from
the POC of the Win2003 Server. If that was the case that was the mistake.
Nobody, users or administrators should be browsing on a server platform.
This is disrespecting the role of the server. A System Fix type trojan is
bad enough but that kind of behaviour (which should never be allowed on a
server) could have had more disastrous effects.

The first thing to do is find and eliminate the System Fix type trojan and
then use Lawrence Abrams' (aka Grinler) Unhide utility.
http://download.bleepingcomputer.com/grinler/unhide.exe

The Server may have to be booted in Safe Mode such that the trojan isn't
loaded. Note also do NOT dump TEMP folders prior to running Unhide. Unhide
may also be executed in Safe Mode.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

 
 
Dave Warren
      01-17-2012
In message <> someone
claiming to be "David H. Lipman" <DLipman~nospam~@Verizon.Net> typed:

>If I understand this post, a user was ALLOWED to browse the Internet from
>the POC of the Win2003 Server. If that was the case that was the mistake.
>Nobody, users or administrators should be browsing on a server platform.
>This is disrespecting the role of the server.


It really depends on the role of this particular server. If it's a
terminal server, then this could be well within its designed usage
scope.
 
 
David H. Lipman
      01-17-2012
From: "Dave Warren" <dave->

| In message <> someone
| claiming to be "David H. Lipman" <DLipman~nospam~@Verizon.Net> typed:
|
>> If I understand this post, a user was ALLOWED to browse the Internet from
>> the POC of the Win2003 Server. If that was the case that was the
>> mistake.
>> Nobody, users or administrators should be browsing on a server platform.
>> This is disrespecting the role of the server.

|
| It really depends on the role of this particular server. If it's a
| terminal server, then this could be well within its designed usage
| scope.

Browsing the Internet should not be within an accepted scope of the use of a
Terminal Server session.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

 
 
Dave Warren
      01-17-2012
In message <> someone
claiming to be "David H. Lipman" <DLipman~nospam~@Verizon.Net> typed:

>From: "Dave Warren" <dave->
>
>| In message <> someone
>| claiming to be "David H. Lipman" <DLipman~nospam~@Verizon.Net> typed:
>|
>>> If I understand this post, a user was ALLOWED to browse the Internet from
>>> the POC of the Win2003 Server. If that was the case that was the
>>> mistake.
>>> Nobody, users or administrators should be browsing on a server platform.
>>> This is disrespecting the role of the server.

>|
>| It really depends on the role of this particular server. If it's a
>| terminal server, then this could be well within its designed usage
>| scope.
>
>Browsing the Internet should not be within an accepted scope of the use of a
>Terminal Server session.


Why not?
 
 
David H. Lipman
      01-17-2012
From: "Dave Warren" <dave->

| In message <> someone
| claiming to be "David H. Lipman" <DLipman~nospam~@Verizon.Net> typed:
|
>> From: "Dave Warren" <dave->
>>

>|> In message <> someone
>|> claiming to be "David H. Lipman" <DLipman~nospam~@Verizon.Net> typed:
>|>
>>>> If I understand this post, a user was ALLOWED to browse the Internet
>>>> from
>>>> the POC of the Win2003 Server. If that was the case that was the
>>>> mistake.
>>>> Nobody, users or administrators should be browsing on a server
>>>> platform.
>>>> This is disrespecting the role of the server.

>|>
>|> It really depends on the role of this particular server. If it's a
>|> terminal server, then this could be well within its designed usage
>|> scope.
>>
>> Browsing the Internet should not be within an accepted scope of the use
>> of a
>> Terminal Server session.

|
| Why not?

Browsing should be done on the client machine (workstation) and *never* done
on a Server because the chances of malware infections (infestation for you
Kurt) are increased significantly and this would be isolated to a
workstation (client). An infection on a Server affects all users and their
ability to use the services that Server provides. Thus a violation of the
role of the Server. One can simply state it reduces its IA status.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

 
 
Ant
      01-17-2012
"Peter Foldes" wrote:

> Crossposted from microsoft.public.windows.server.general
> "W" wrote:
>> The command
>>
>> attrib -h -r *.* /s /d
>>
>> apparently does NOT affect all folders under the current folder.


Yes it does.

>> Is there a command that can be used that would change every file and
>> folder from the current location and down all subtrees?


Yes, attrib, just as you show above works fine. Maybe it doesn't work
on your system because of the permissions you set (which the malware
bypassed or temporarily reset) or because the malware is still active
and preventing any change.

And as has been said, WTF are you doing browsing the internets from a
server?


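The recursive pass Ant describes, as an added example that is not code from the thread: a PowerShell function doing what `attrib -h -r *.* /s /d` does, but reporting every object it changed, supporting a `-WhatIf` dry run, and skipping objects that also carry the System attribute unless asked (attrib itself refuses to clear Hidden on a System file unless `-s` is given too, which is one reason the command can appear to "miss" things). The folder paths at the bottom are placeholders.

```powershell
<#
  Clear-HiddenReadOnly: recursively remove Hidden and ReadOnly from every file
  and folder under -Root. Objects flagged System are skipped by default, because
  legitimate OS files (desktop.ini, boot files, ...) are Hidden+System by design.
  If an object cannot be changed, the usual cause is a missing "Write attributes"
  NTFS permission for the running account, which is the permission attrib needs.
#>
function Clear-HiddenReadOnly {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root,
        [switch]$IncludeSystem
    )

    $mask    = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly
    $changed = New-Object System.Collections.Generic.List[string]

    # -Force is required: without it Get-ChildItem does not list hidden items at all.
    $items = Get-ChildItem -LiteralPath $Root -Force -Recurse -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        $attrs = $item.Attributes
        if ([int]($attrs -band $mask) -eq 0) { continue }   # nothing to clear here
        if (-not $IncludeSystem -and [int]($attrs -band [IO.FileAttributes]::System) -ne 0) {
            Write-Verbose "Skipping system object $($item.FullName)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden/ReadOnly')) {
            try {
                # Assigning Attributes works for both FileInfo and DirectoryInfo.
                $item.Attributes = $attrs -band (-bnot $mask)
                $changed.Add($item.FullName)
            } catch {
                Write-Warning "Could not change $($item.FullName): $($_.Exception.Message)"
            }
        }
    }
    return $changed
}

# Placeholder paths: dry run first, then the real pass with a per-object report.
# Clear-HiddenReadOnly -Root 'D:\Shares\Users' -WhatIf
# Clear-HiddenReadOnly -Root 'D:\Shares\Users' -Verbose
```

Run it only after the malware has been removed (or from Safe Mode, as Dave suggests), otherwise an active process can simply re-apply the attributes behind it.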
 
 
Dustin
      01-19-2012
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:3rudnR0qL--:

> From: "Dave Warren" <dave->
>
>| In message <> someone
>| claiming to be "David H. Lipman" <DLipman~nospam~@Verizon.Net>
>| typed:
>|
>>> From: "Dave Warren" <dave->
>>>

>>|> In message <> someone
>>|> claiming to be "David H. Lipman" <DLipman~nospam~@Verizon.Net>
>>|> typed:
>>|>
>>>>> If I understand this post, a user was ALLOWED to browse the
>>>>> Internet from
>>>>> the POC of the Win2003 Server. If that was the case that was the
>>>>> mistake.
>>>>> Nobody, users or administrators should be browsing on a server
>>>>> platform.
>>>>> This is disrespecting the role of the server.

>>|>
>>|> It really depends on the role of this particular server. If it's a
>>|> terminal server, then this could be well within its designed
>>|> usage scope.
>>>
>>> Browsing the Internet should not be within an accepted scope of the
>>> use of a
>>> Terminal Server session.

>|
>| Why not?
>
> Browsing should be done on the client machine (workstation) and
> *never* done on a Server because the chances of malware infections
> (infestation for you Kurt) are increased significantly and this would
> be isolated to a workstation (client). An infection on a Server
> affects all users and their ability to use the services that Server
> provides. Thus a violation of the role of the Server. One can
> simply state it reduces its IA status.
>
>


A virus would prefer the users allow it access to the server. Makes its
life a lot easier from an infection POV. [g]


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts
 
 
 
 