This was how it all started. We were pretty sure something killed our rabbit server XP. But what? First thing, I checked the log. Emm. It was a fantastic 512KB for each of the 3 logs and it was flooded with audit info. No luck. This could has been a really clever trick to wipe the logs. Change the log size and turn on excessive audits. If someone did it, he is pretty creative.
Althought the users control panel turns up empty, I was able to check it using the Administrator tools, manage computer section. No additional users of funny priviledges. So that's safe I thought. If anything was compromized, its one of these legal accounts.
The next thing I checked was the network connection. I found that it was down. At least it seems to be. Nothing seems to be able to connect out or coming in. This is weird. If I am an attacker, I wouldn't bring down the network because I would want to come back again. Well, it could be just a bad hacker.
So, maybe lets find out what he used to kill the server. I run a few malware scanner on the machine. Well, after we did a clone with encase anyway. In case we need to perform forensic on it later. Well well, a few BHOs and trojans turns up along with a couple of adware registry. Nothing serious. Well except for the trojan which keylogs some potential sites, but I doubt anyone would be using this machine to do internet banking anyway. So, I gave it a clean up and rebooted. It's still dead. Either the malware did some permenant damages or we simply did not manage to find the cause. In any case, the HDD was quarrantined and the data was restored from a mirror.
Since I had a cloned drive to test with, I tried to run sfc /scannow and restore the critical system files. I thought some of the files were replaced, but even with this, the server rabbit was still dead after a reboot. Its either that the files that was damaged were not critical files or the sfc was not able to fix the files but kept quiet about it. In any case, the HDD was taken offline and kept securely. All network were unplugged from the server until they can get the server up and running again in the coming week.
Little did I know that this was only the beginning...