I have some virus files being randomly created in the root of the C: drive on one of my servers. How can I find out what created them? Some 3rd-party software maybe?
Have a look at the "Owner" tab under the "Advanced" properties of the "Security" properties page of the file's properties sheet. Odds are good, though, that you're going to see "Administrators" as the owner (which won't be too helpful).
The auditing functionality in Windows can help with this kind of thing, but it generates such large volumes of seemingly useless data that it's, practically speaking, not worth it.
Let's assume for a second that whatever is creating these files isn't malicious:
You can look at the owner to see what user created the files.
Then use something like Sysinternals Process Explorer to view the processes that are running under that user (right-click the columns and check "User Name" on the "Process Image" tab).
Then look at the handles that each of these processes has (go to the View menu, check "Show Lower Pane", change "Lower Pane View" to "Handles"); one of them may have a handle open to the weird files you're seeing.
However, if whatever is creating these files is malicious it will take steps to thwart you. (File hiding, process hiding, obfuscation, etc.)
But if the server has been owned, you know it's been owned, and you don't know how they got in: it's time to start rebuilding it and activating any incident response plan you may have.
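The owner-then-process lookup from the answer above, plus a narrowly scoped alternative to the "too noisy" auditing it mentions, as an added PowerShell example (this is not from the original answer or from Sysinternals). It assumes Windows PowerShell 5.1 or later, an elevated session for the audit step, and that the odd files sit directly in C:\; the $Root and $MaxAgeDays values are assumptions to adjust.

```powershell
# Added example, not part of the original answer.
# Assumes: PowerShell 5.1+, elevated session for Step 3, files living directly in C:\.
param(
    [string]$Root       = 'C:\',   # assumed location of the odd files
    [int]   $MaxAgeDays = 7        # assumed window: only look at files created recently
)

# Step 1: recently created files in the root and their NTFS owner
# (the same value the Security -> Advanced -> Owner tab shows).
$recent = Get-ChildItem -LiteralPath $Root -File -Force |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-$MaxAgeDays) }

$files = foreach ($f in $recent) {
    [pscustomobject]@{
        Name         = $f.Name
        CreationTime = $f.CreationTime
        Owner        = (Get-Acl -LiteralPath $f.FullName).Owner   # e.g. DOMAIN\user or BUILTIN\Administrators
    }
}
$files | Format-Table -AutoSize

# Step 2: for every owner that is a real account (not the Administrators group),
# list the processes currently running under it. Win32_Process exposes the
# account through its GetOwner() method, which returns Domain and User.
$owners = $files.Owner | Where-Object { $_ -notmatch '\\Administrators$' } | Sort-Object -Unique
$allProcs = Get-CimInstance Win32_Process
foreach ($o in $owners) {
    Write-Host "Processes running as ${o}:"
    $allProcs | ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        if ($r.ReturnValue -eq 0 -and "$($r.Domain)\$($r.User)" -eq $o) {
            [pscustomobject]@{
                PID         = $_.ProcessId
                Name        = $_.Name
                CommandLine = $_.CommandLine
            }
        }
    } | Format-Table -AutoSize
}

# Step 3 (optional): scoped object-access auditing. A success audit for
# "Create files / write data" placed on C:\ only (no inheritance) fires just
# for creates in the root, so the event volume stays small. Each resulting
# Security event 4663 records the process that did the write.
auditpol /set /subcategory:"File System" /success:enable | Out-Null
$acl  = Get-Acl -LiteralPath $Root -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', 'CreateFiles', 'None', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Root -AclObject $acl

# Later, read back who wrote into the root (object name in the message is the directory):
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Root.TrimEnd('\')) } |
    Select-Object TimeCreated, @{ n = 'Process'; e = { ($_.Message -split "`n" | Where-Object { $_ -match 'Process Name:' }) -replace '.*Process Name:\s*', '' } } |
    Format-Table -AutoSize
```

Run it as a script (e.g. .\find-creator.ps1 -Root 'C:\' -MaxAgeDays 3). Step 3 is the part that answers the "auditing is too noisy" objection: the SACL is applied to the folder itself without inheritance, so only writes into the root generate events, and 4663 carries the process name that a plain owner check does not give you.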
You could also use FileMon for Windows to log the time and process when the file write was committed. Once you have that, track down the process using netstat -ao and look for the PID of the process that wrote the file. From there, find the IP address that is making the connection to your server and continue the investigation, or DENY the connection if you are using the Windows built-in firewall.
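The PID-to-connection-to-firewall step from the answer above, as an added PowerShell example (not from the original answer). It assumes Windows Server 2012 / Windows 8 or later (NetTCPIP and NetSecurity modules), an elevated session for the firewall step, and that $SuspectPid is the PID FileMon (or its successor Process Monitor) showed writing the file; the rule names are assumptions.

```powershell
# Added example, not part of the original answer.
# Assumes: Server 2012+/Windows 8+, elevated session, $SuspectPid taken from FileMon/Procmon output.
param(
    [Parameter(Mandatory)][int]$SuspectPid,
    [switch]$Block      # firewall rules are only created when explicitly requested
)

$proc = Get-Process -Id $SuspectPid -ErrorAction Stop
Write-Host ("PID {0} is {1} ({2})" -f $proc.Id, $proc.ProcessName, $proc.Path)

# Same data as 'netstat -ao' filtered by PID, but as objects instead of text.
# Listening sockets and loopback peers are dropped; they are not remote parties.
$conns = Get-NetTCPConnection -OwningProcess $SuspectPid -ErrorAction SilentlyContinue |
    Where-Object {
        $_.State -ne 'Listen' -and
        $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1')
    }
$conns | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State | Format-Table -AutoSize

$remotes = $conns.RemoteAddress | Sort-Object -Unique
if (-not $remotes) {
    Write-Host 'No established remote connections for this PID right now; re-run while the file write is happening.'
    return
}

foreach ($ip in $remotes) {
    Write-Host "Remote peer: $ip (check reverse DNS / whois before deciding it is hostile)"
    if ($Block) {
        # One inbound and one outbound block rule per peer, named so they are easy to find and remove later.
        foreach ($dir in 'Inbound', 'Outbound') {
            New-NetFirewallRule -DisplayName "IR block $ip $dir" -Direction $dir `
                -Action Block -RemoteAddress $ip -Profile Any -Enabled True | Out-Null
        }
        Write-Host "  blocked $ip (undo with: Remove-NetFirewallRule -DisplayName 'IR block $ip *')"
    }
}
```

Run it first without -Block to see the peers, then with -Block once you have decided the address is hostile. The rules carry a fixed "IR block" prefix so they can be listed and removed as a group when the incident is closed.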
PA File Sight could help you there. You can set up a monitor to watch file creates in C:\. The app can log the creation time, the process used (assuming it's a local process) and the account used. It can log that data to a log file, a database, and/or alert you in real time.
It's a commercial product, but has a fully-functional 30 day trial that would work for you.
Full disclosure: I work for the company that created PA File Sight.
A bit more detail would help: Windows version, name of the file(s), text or binary? Can they be renamed/deleted, or are they locked in use? Many times this will point to what legit program added the file. You can run strings.exe and look for clues if it's a binary file.
If it's an NTFS drive, you can check the Security tab and, under Advanced/Owner, see who created it. Process Explorer from sysinternals.com will also give clues.
You can use some of the utilities here to check for rootkits: A list of Windows rootkit detection and removal tools
Link to FileMon for Windows: http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx