Missing files/folders

[Grainne]

We have a customer that uses terminal services with small business server
2003. Frequently they come to us with a recurring issue wherebey
folders/files have disappeared, when they search for them, they are found in
a different location. They have asked there users and no-one is admitting to
moving them manually. However, one user said when he was working remotely
his screen flickered and the folder/files he was looking at had disappeared,
we found them the next day in a different location.
Normally, we would put this down to user error, however today we logged onto
their server remotely to move some folder/files for them that had been moved
to a different location last night (again, no-one admitting to moving them),
we copied the folder back to its original location and deleted the folder
that was in the wrong place. We then went into the recycle bin to delete
completely, the screen flickered and the folder/files had disappeared from
the recycle bin, we checked and they had been restored to the original
location as if we had selected "restore" when we hadn't!
We have enabled auditing object access on their main folders/files to help
us in the future, however this would only tell us who had moved them and
doesn't really offer a solution as to why it appears to be so sensitive. Has
anyone else experienced this issue and if so, are you aware of a solution?

Thanks

 

[moncho]

Re: Missing files/folders

Grainne wrote:
> We have a customer that uses terminal services with small business server
> 2003. Frequently they come to us with a recurring issue wherebey
> folders/files have disappeared, when they search for them, they are found in
> a different location. They have asked there users and no-one is admitting to
> moving them manually. However, one user said when he was working remotely
> his screen flickered and the folder/files he was looking at had disappeared,
> we found them the next day in a different location.
> Normally, we would put this down to user error, however today we logged onto
> their server remotely to move some folder/files for them that had been moved
> to a different location last night (again, no-one admitting to moving them),
> we copied the folder back to its original location and deleted the folder
> that was in the wrong place. We then went into the recycle bin to delete
> completely, the screen flickered and the folder/files had disappeared from
> the recycle bin, we checked and they had been restored to the original
> location as if we had selected "restore" when we hadn't!
> We have enabled auditing object access on their main folders/files to help
> us in the future, however this would only tell us who had moved them and
> doesn't really offer a solution as to why it appears to be so sensitive. Has
> anyone else experienced this issue and if so, are you aware of a solution?
>
> Thanks

Just a thought, could it be that the system may be compromised?
The screen flicker makes me cautious.

Are the folders/files located on a shared drive or local to the TS server?

If it is a shared drive, I would lean towards an unknowledgeable
user moving them.

Are the same folders/files being moved or are they random?

When the folders/files are moved, are they moved to the same
place or is it random?

Just trying to find some type of pattern.

moncho

 

[Grainne]

Re: Missing files/folders

Hi Moncho

Thanks for the response

The files/folders are located on a shared drive on a Small Business Server,
Terminal Service is a separate server.

It is unlikely a user is knowingly moving them because the same thing has
happened to myself whilst logged on remotely and I know that I didn't request
a restore from the recycle bin but that is what happened. As this has
happened a number of times, the customer has spoken to their users on a
number of occasions and due to the particular storage structure they have it
would be highly unlikely for a user to do this knowingly internally. It is a
possibility they have a malicious user but they are only a small company and
I would be very surprised.

Random files/folders are being moved and to random locations, somtimes (in
the last instance) a folder and 3 of its sub folders were moved but the
remaining 6 subfolders were still in place! In one of the sub folders that
was moved only 9 files in it were moved and the remaining files of that sub
folder were still in place (as if that sub folder was a copy rather than a
move!)

Its very strange! and sounds so ridiculous as I type it but that is what
happens!
Grainne


"moncho" wrote:

> Just a thought, could it be that the system may be compromised?
> The screen flicker makes me cautious.
>
> Are the folders/files located on a shared drive or local to the TS server?
>
> If it is a shared drive, I would lean towards an unknowledgeable
> user moving them.
>
> Are the same folders/files being moved or are they random?
>
> When the folders/files are moved, are they moved to the same
> place or is it random?
>
> Just trying to find some type of pattern.
>
> moncho
>

 

[moncho]

Re: Missing files/folders

Grainne wrote:
> Hi Moncho
>
> Thanks for the response
>
> The files/folders are located on a shared drive on a Small Business Server,
> Terminal Service is a separate server.
>
> It is unlikely a user is knowingly moving them because the same thing has
> happened to myself whilst logged on remotely and I know that I didn't request
> a restore from the recycle bin but that is what happened. As this has
> happened a number of times, the customer has spoken to their users on a
> number of occasions and due to the particular storage structure they have it
> would be highly unlikely for a user to do this knowingly internally. It is a
> possibility they have a malicious user but they are only a small company and
> I would be very surprised.
>
> Random files/folders are being moved and to random locations, somtimes (in
> the last instance) a folder and 3 of its sub folders were moved but the
> remaining 6 subfolders were still in place! In one of the sub folders that
> was moved only 9 files in it were moved and the remaining files of that sub
> folder were still in place (as if that sub folder was a copy rather than a
> move!)
>
> Its very strange! and sounds so ridiculous as I type it but that is what
> happens!

When you were in remotely, were you in the SBS server or the TS server?

Is this a 24X7 shop and if not, were folder/files "weirdly" moved when
no one was there, either in the office or remotely?

Does this only happen when RDP'd into the TS server?
Since this is a shared drive, does this also happen from local
workstations when viewing in Windows Explorer?

What about checking scheduled tasks or any other automated processes.
Maybe .vbs or .bat files are messing around.

I think you may need to wait for the object access audit and maybe
you will find the culprit.

I have no idea what may cause this issue but I figure if I keep asking
questions, maybe there is something that will trigger a thought
or an idea.

Do you have anti-virus software on the server that has a
"resident shield" active that maybe messing with the application?

hmmm.

moncho


> Grainne
>
>
> "moncho" wrote:
>
>> Just a thought, could it be that the system may be compromised?
>> The screen flicker makes me cautious.
>>
>> Are the folders/files located on a shared drive or local to the TS server?
>>
>> If it is a shared drive, I would lean towards an unknowledgeable
>> user moving them.
>>
>> Are the same folders/files being moved or are they random?
>>
>> When the folders/files are moved, are they moved to the same
>> place or is it random?
>>
>> Just trying to find some type of pattern.
>>
>> moncho
>>

 

[Grainne]

Re: Missing files/folders

Hi Moncho

I was authenticated on TS Server and was working on files on SBS Server.
The customer doesn't store anything on TS Server, its just authenticates them
and passes them through to SBS.

It isn't a 24x7 shop and files always appear to move when someone is logged
in remotely. One of the users mentioned that they were logged in remotely,
the screen flickered and the files they were working on had disappeared (they
were found the next day elsewhere), this user is also quite IT literate
therefore wouldn't usually make mistakes and not own up to them.

It appears to only happen when RDP'd into the server but I can't be sure.
It doesn't usually happen when working locally internally and accessing
shared network files. Usually the customer comes in first thing in the
morning and notices files are not where they should be so it appears it
happens overnight when users would be RDP's into the system.

I'll check the scheduled tasks and antivirus and keep and look at the audit
when it next happens.

Grainne

"moncho" wrote:


> When you were in remotely, were you in the SBS server or the TS server?
>
> Is this a 24X7 shop and if not, were folder/files "weirdly" moved when
> no one was there, either in the office or remotely?
>
> Does this only happen when RDP'd into the TS server?
> Since this is a shared drive, does this also happen from local
> workstations when viewing in Windows Explorer?
>
> What about checking scheduled tasks or any other automated processes.
> Maybe .vbs or .bat files are messing around.
>
> I think you may need to wait for the object access audit and maybe
> you will find the culprit.
>
> I have no idea what may cause this issue but I figure if I keep asking
> questions, maybe there is something that will trigger a thought
> or an idea.
>
> Do you have anti-virus software on the server that has a
> "resident shield" active that maybe messing with the application?
>
> hmmm.
>
> moncho
>
>
> > Grainne
> >
> >
> > "moncho" wrote:
> >
> >> Just a thought, could it be that the system may be compromised?
> >> The screen flicker makes me cautious.
> >>
> >> Are the folders/files located on a shared drive or local to the TS server?
> >>
> >> If it is a shared drive, I would lean towards an unknowledgeable
> >> user moving them.
> >>
> >> Are the same folders/files being moved or are they random?
> >>
> >> When the folders/files are moved, are they moved to the same
> >> place or is it random?
> >>
> >> Just trying to find some type of pattern.
> >>
> >> moncho
> >>
>

 

[Jeff]

Re: Missing files/folders

Do you use any type of replication software to remote sites or internally?
Any DFS ns or replication to speak of? I had this happen to me, but it was
due to corruption on my file server which was a member of the namespace.
When a user logged in it caused the corrupted files to disappear, when this
happened my hotsite not available directly to users replaced the files to a
previous location on my active linked member.

"Grainne" wrote:

> Hi Moncho
>
> I was authenticated on TS Server and was working on files on SBS Server.
> The customer doesn't store anything on TS Server, its just authenticates them
> and passes them through to SBS.
>
> It isn't a 24x7 shop and files always appear to move when someone is logged
> in remotely. One of the users mentioned that they were logged in remotely,
> the screen flickered and the files they were working on had disappeared (they
> were found the next day elsewhere), this user is also quite IT literate
> therefore wouldn't usually make mistakes and not own up to them.
>
> It appears to only happen when RDP'd into the server but I can't be sure.
> It doesn't usually happen when working locally internally and accessing
> shared network files. Usually the customer comes in first thing in the
> morning and notices files are not where they should be so it appears it
> happens overnight when users would be RDP's into the system.
>
> I'll check the scheduled tasks and antivirus and keep and look at the audit
> when it next happens.
>
> Grainne
>
> "moncho" wrote:
>
>
> > When you were in remotely, were you in the SBS server or the TS server?
> >
> > Is this a 24X7 shop and if not, were folder/files "weirdly" moved when
> > no one was there, either in the office or remotely?
> >
> > Does this only happen when RDP'd into the TS server?
> > Since this is a shared drive, does this also happen from local
> > workstations when viewing in Windows Explorer?
> >
> > What about checking scheduled tasks or any other automated processes.
> > Maybe .vbs or .bat files are messing around.
> >
> > I think you may need to wait for the object access audit and maybe
> > you will find the culprit.
> >
> > I have no idea what may cause this issue but I figure if I keep asking
> > questions, maybe there is something that will trigger a thought
> > or an idea.
> >
> > Do you have anti-virus software on the server that has a
> > "resident shield" active that maybe messing with the application?
> >
> > hmmm.
> >
> > moncho
> >
> >
> > > Grainne
> > >
> > >
> > > "moncho" wrote:
> > >
> > >> Just a thought, could it be that the system may be compromised?
> > >> The screen flicker makes me cautious.
> > >>
> > >> Are the folders/files located on a shared drive or local to the TS server?
> > >>
> > >> If it is a shared drive, I would lean towards an unknowledgeable
> > >> user moving them.
> > >>
> > >> Are the same folders/files being moved or are they random?
> > >>
> > >> When the folders/files are moved, are they moved to the same
> > >> place or is it random?
> > >>
> > >> Just trying to find some type of pattern.
> > >>
> > >> moncho
> > >>
> >

 

[Grainne]

Re: Missing files/folders

Hi Jeff

Thanks for the reply

There is no replication software to remote sites or internally in use and
DFS is not used.

In response to Moncho's reply, there are no scheduled tasks or automated
processes.

AV "resident shield" is active for scanning "infectable files! only. I'm
reluctant to take this off as surely it is required, however if someone
thinks that is should be unticked, I can try it.

A backup runs daily at night which could be running whilst users are working
on files - could this cause the problem?

I can't think of anything else. Its a relatively simple setup, Small
Business Server 2003 with Terminal Service 2003 at the main site - all remote
sites connect via RDP.

"Jeff" wrote:

> Do you use any type of replication software to remote sites or internally?
> Any DFS ns or replication to speak of? I had this happen to me, but it was
> due to corruption on my file server which was a member of the namespace.
> When a user logged in it caused the corrupted files to disappear, when this
> happened my hotsite not available directly to users replaced the files to a
> previous location on my active linked member.
>
> "Grainne" wrote:
>
> > Hi Moncho
> >
> > I was authenticated on TS Server and was working on files on SBS Server.
> > The customer doesn't store anything on TS Server, its just authenticates them
> > and passes them through to SBS.
> >
> > It isn't a 24x7 shop and files always appear to move when someone is logged
> > in remotely. One of the users mentioned that they were logged in remotely,
> > the screen flickered and the files they were working on had disappeared (they
> > were found the next day elsewhere), this user is also quite IT literate
> > therefore wouldn't usually make mistakes and not own up to them.
> >
> > It appears to only happen when RDP'd into the server but I can't be sure.
> > It doesn't usually happen when working locally internally and accessing
> > shared network files. Usually the customer comes in first thing in the
> > morning and notices files are not where they should be so it appears it
> > happens overnight when users would be RDP's into the system.
> >
> > I'll check the scheduled tasks and antivirus and keep and look at the audit
> > when it next happens.
> >
> > Grainne
> >
> > "moncho" wrote:
> >
> >
> > > When you were in remotely, were you in the SBS server or the TS server?
> > >
> > > Is this a 24X7 shop and if not, were folder/files "weirdly" moved when
> > > no one was there, either in the office or remotely?
> > >
> > > Does this only happen when RDP'd into the TS server?
> > > Since this is a shared drive, does this also happen from local
> > > workstations when viewing in Windows Explorer?
> > >
> > > What about checking scheduled tasks or any other automated processes.
> > > Maybe .vbs or .bat files are messing around.
> > >
> > > I think you may need to wait for the object access audit and maybe
> > > you will find the culprit.
> > >
> > > I have no idea what may cause this issue but I figure if I keep asking
> > > questions, maybe there is something that will trigger a thought
> > > or an idea.
> > >
> > > Do you have anti-virus software on the server that has a
> > > "resident shield" active that maybe messing with the application?
> > >
> > > hmmm.
> > >
> > > moncho
> > >
> > >
> > > > Grainne
> > > >
> > > >
> > > > "moncho" wrote:
> > > >
> > > >> Just a thought, could it be that the system may be compromised?
> > > >> The screen flicker makes me cautious.
> > > >>
> > > >> Are the folders/files located on a shared drive or local to the TS server?
> > > >>
> > > >> If it is a shared drive, I would lean towards an unknowledgeable
> > > >> user moving them.
> > > >>
> > > >> Are the same folders/files being moved or are they random?
> > > >>
> > > >> When the folders/files are moved, are they moved to the same
> > > >> place or is it random?
> > > >>
> > > >> Just trying to find some type of pattern.
> > > >>
> > > >> moncho
> > > >>
> > >