Hacked?!..


Speakersrock
05-31-2008, 06:34 AM
Hi all,

Overnight a few files have vanished from my user profile on my server. - (it only seems to be mine however.)

There is nothing in event log, or any signs of anyone hacking or anything, However, I have a suspicion that it might be a backup program that was running at the same time.

I just wondered if I could have someone's thoughts on this please. (Don't worry about data recovery help - I'm handling that atm.)

Shall I post HJL from both the subject server and my computer?

(If I was hacked, I'm thinking that it was probably on my personal computer rather than on the server, because my computer was on overnight, and it's only my stuff that seems to have gone (but not all of it)

It includes most of my music (bar one directory oldy), and some application settings. (Including winamp, and open office)


Any thoughts would be much appreciated, thanks.

Speakersrock
05-31-2008, 07:29 AM
Well, have just had a look through the HJL for my computer (not that I'm any expert with it) - and it looks okay to me.

However, I did remember while doing that, AVG popped up last night and said it had found a Trojan!! - wouldn't let me remove it so I popped it in the vault.

I just went to empty it, and there was another in there too. (See screen shot attached!)

Maybe that's the cause of the problem!!!?
Thanks.

p.s Just running AVG scan now on my comp.

dbarrow
05-31-2008, 08:47 AM
A few files?
Is the folder still there?
Specific to a file type?
Other files still in the folder?
Anything in the trashcan?
Any of the file recovery tools showing the files deleted?
Search for the file(s) by name to see if they got moved somewhere?

Seems most curious.

Does your "server" have an outside connection like FTP or otherwise open to sharing of that particular folder?
When you mention "Profile", you mean your USER profile?
Is your USER PW protected Admin?

Speakersrock
05-31-2008, 09:34 AM

Hi, and thanks for your post dbarrow.
The most noticeable directories missing are the Winamp settings folder from my account - and my music. The My Music folder is still there. Inside that dir. there is one which used to be there (now empty), and one other dir. which used to have about 50 other dirs in it (all with MP3 files within them.) There were also 5 wav/mp3 files just sitting in my 'My Docs' dir. - These too have vanished! (bar one, which is empty!) - so yes, seems specifically music related (besides other application settings have bits of them missing)

There is nothing new in the server trash can - and the trash can on my client comp is disabled.

Nothing comes out of searching. :(
And yes, I do, currently, and unfortunately, have a dangerous amount of ports open for FTP servers etc. on that specific server. And yes, the whole of My Documents is on my FTP account.

Yes my account is password protected, and an Admin account!

Finally, I haven't got around to using recovery tools yet. My every-other-nightly backup is just finishing doing the half-yearly complete 50-hour backup! - and I happen to know that it was doing My Documents last night (and so that's where my suspicion comes from on the backup lol)

Anyway, I'm just waiting for it to finish, and then hoping really hard that it has managed to grab My Docs before they vanished! - otherwise, then it's out with the recovery tools lol!

Oh and the drive is showing up a good 20gb more free space (about the size of what has gone missing)

Thanks for the advice so far, sorry if my response is a bit jumbled, but I hope it answers your questions!

Thanks again.

Speakersrock
05-31-2008, 11:35 AM
ermm...well

I have just had a look back through the FTP server logs, and unfortunately the system was so busy at that time anyway, the logs only go back 40 mins! (5000 lines!)

I ran Malwarebytes on the server (found 2 trojans in the reg.), and on my computer (found two more trojans.) - and also I'm going to change all my passwords, and re-vamp the backup system a bit (just in case it was that.)

But other than that, thankfully, it seems the backup has got all my files in it, so that's restoring now.

Cheers

dbarrow
05-31-2008, 12:26 PM
Having those folders exposed to the FTP is dangerous.
It is possible that someone found a back door and vacuumed the files off.
I have found an FTP server very handy to have for file transfer from time to time using MS IIS XP component with the FTP server.
1. I changed the default port, which is commonly known and routinely pinged. Accordingly, Port Forwarding in the router was set for the new port setting.
2. I restrict access of the FTP server to only designated upload and download folders, on a different drive and partition. When I want something available, I copy files temporarily into those folders.
3. Permissions for those folders are very restricted, with read-only rights except for my user.
4. FTP logon is user specific w/ password. I have to give you a username and pw before you can log on to the FTP.
5. I only activate the FTP when I have a specific need to transfer files.

Therefore: The server has to be turned on. You have to have a specific user name and PW as well as the correct port.
Once connected, you can only see the upload and download folders assigned. You have no permissions to alter the files, delete or move the files. The files are copies so even if you could delete, the source lives elsewhere. You can upload to the upload folder but I am the only one with permissions to do anything with any files uploaded to it and under a specific designated user logon that is not the same as other (network and User) or admin profiles for that machine.

The HD and partition that stores my big and years old music collection, much of which would be hard to replace, is routinely backed up to two other machines as well as daughter's machine, in another location, just as I keep a full backup of her library on mine.

Speakersrock
05-31-2008, 01:52 PM
right okay! - Thanks for that very useful info.

I think i will have to rework my FTP server a bit yes, but the problem is several programs/people I have need access to it 24/7. - Big security issue obviously!

Okay, so it looks like you are right in it either being a back door (or similar) - or someone just got hold of the password to my FTP account! (I have already extended the log to about 20,000 lines!)


Thanks a lot for your advice, it has been very useful. :)

Speakersrock
06-01-2008, 04:28 AM
Oh, sorry I forgot to add!

- If I change the port of the FTP server... don't I have to do something different to tell the computer what port it is??

Cheers.

dbarrow
06-01-2008, 07:13 AM
Consult the FTP server program you are using. For MS IIS, there is a complete tutorial and full info in the MSKB. Simple reg key change.
Change the number in port forwarding in the router as well.

The common FTP port is vulnerable and hit with pings all the time looking for holes. Change it to a non-standard one.
Isolate the files to be available by using copies and isolate that folder with strong permissions. Use a strong (external) user name and password combo to log onto the FTP.

The FTP log, showing that much activity, would be an indicator it is not only exposed but under heavy use. Suspect a trojan of some type.
Seriously consider uninstalling the server, doing complete sweeps, then re-install (or even change to another server program in case something is attached to it) and re-configure it from scratch with the new security levels.
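Added example (not from the thread or from either poster): a small Python triage script for the kind of FTP log review discussed above, flagging repeated failed logins and bulk RETR/DELE activity per account. The log lines are constructed samples in an assumed IIS W3C-style layout; adjust the `#Fields:` header to match your own server's log.

```python
"""Triage an FTP log for password-guessing bursts and bulk download/delete
activity by one account (the pattern a vacuumed-off folder would leave)."""
from collections import Counter, defaultdict

# Constructed sample log (IIS W3C layout is an assumption; IIS prefixes the
# command with a "[session]" tag, which parse() strips).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2008-05-30 23:58:01 203.0.113.7 - [1]USER speakersrock 331
2008-05-30 23:58:02 203.0.113.7 speakersrock [1]PASS - 530
2008-05-30 23:58:03 203.0.113.7 speakersrock [2]PASS - 530
2008-05-30 23:58:04 203.0.113.7 speakersrock [3]PASS - 230
2008-05-30 23:58:10 203.0.113.7 speakersrock [3]RETR /Music/a.mp3 226
2008-05-30 23:58:11 203.0.113.7 speakersrock [3]DELE /Music/a.mp3 250
2008-05-30 23:58:12 203.0.113.7 speakersrock [3]RETR /Music/b.mp3 226
2008-05-30 23:58:13 203.0.113.7 speakersrock [3]DELE /Music/b.mp3 250
2008-05-31 02:00:00 192.168.1.20 backup [4]RETR /Docs/notes.txt 226
"""

def parse(log):
    """Yield one dict per record, using the #Fields header for column names."""
    fields = None
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(None, len(fields) - 1)
        if len(parts) != len(fields):
            continue  # skip truncated or malformed lines
        rec = dict(zip(fields, parts))
        rec["cs-method"] = rec["cs-method"].split("]")[-1]  # drop "[n]" prefix
        yield rec

def triage(log, max_failed=2, max_ops=3):
    """Return human-readable findings: failed-login bursts and bulk file ops."""
    failed = Counter()              # (client ip, user) -> failed PASS count
    ops = defaultdict(Counter)      # user -> counts of RETR / DELE / STOR
    for r in parse(log):
        if r["cs-method"] == "PASS" and r["sc-status"] == "530":
            failed[(r["c-ip"], r["cs-username"])] += 1
        if r["cs-method"] in ("RETR", "DELE", "STOR"):
            ops[r["cs-username"]][r["cs-method"]] += 1
    findings = []
    for (ip, user), n in failed.items():
        if n >= max_failed:
            findings.append(f"{n} failed logins for {user} from {ip}")
    for user, c in ops.items():
        if c["DELE"] > 0 or sum(c.values()) >= max_ops:  # any delete is notable
            findings.append(f"{user}: {c['RETR']} RETR, {c['DELE']} DELE, {c['STOR']} STOR")
    return findings
```

Run it over the real log with `triage(open(path).read())`; a single account producing both a login burst and a RETR/DELE run from one outside address is the case to chase first.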

Speakersrock
06-01-2008, 03:20 PM
Right okay that does make sense thanks.
And I will take into consideration/do what you have kindly suggested.

One last thing however: if you change the port of the FTP server, when you try and connect with IE, or such other client, you have to tell it the different port??

Many thanks.

dbarrow
06-01-2008, 07:22 PM
I would have to refresh my memory on this. Port is usually expressed as ftp://12.34.56:1234 where you list your IP then the : followed by the port number.
It is covered in the MSKB article on FTP and IIS server

Speakersrock
06-02-2008, 02:56 PM
Oh right, okay, I see.

Thanks a lot, dbarrow