Member Avatar for wolfpac

I need some help guys. Here is the story
I maintain my company's Intranet and this one time I noticed something really strange. About 11ish in the morning I found out that my web pages have gone bad, the contents of the pages were of the last year (2007), about a month or 2 BEFORE I became the web guy.

I thought maybe the IIS was pointing to some old directories, because I was just working on the pages and they were fine. Turned out that IIS was just fine, the files on the web server however were replaced by files with contents from the past. I thought I may have accidentally replaced the file myself (love the Ctrl+C and V).

I looked at the date of the files 01/15/2008 10:52am, hmm interesting it was only a moment ago, feeling compelled to correct the issue I copied the *weird* files to a folder and replace them with the correct files from my machine. No big deal... BUT I am still puzzled as to how it happened in the first place. I don't keep files that old with me, not to mention I was not working as the web guy at the time when those contents were generated.

My biggest question is: how do I find out who replaced the files. This is a company Intranet setting and only a handful of people have access to the web server. For people who have access they simply use Windows Explorer to navigate to the folder without logging in. Is there a log to find out who change what? The files property didn't tell me anything. To keep it simple if I replaced a file on the server, is it logged at all?

I don't even bother with the Network Administrator, they are practically clueless.

  • 3 Contributors
  • 6 Replies
  • 158 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by DimaYasny

Recommended Answers

All 6 Replies

Member Avatar for hughv

If the log files have been properly configured, you should be able to find the info:
http://thesource.ofallevil.com/technet/prodtechnol/WindowsServer2003/Library/IIS/b344f84e-bc77-4019-859c-9d483bc85c77.mspx?mfr=true
See also:
http://searchexchange.techtarget.com/tip/0,289483,sid43_gci1126458,00.html
I've made a zillion mistakes, and this is one of them, so I'd assume this was my own error.
If not, it seems to me you need to make some security changes.

Member Avatar for wolfpac

I just checked the IIS logs but it does not tell me anything related to the files modification.

This question is equivalent to if I replace a file on my co-worker's PC, can he find out who did it?

I have also looked at the server security log but that log tells me *anyone* who was trying to access the web site. I did do a test where I uploaded a file to the server, the security log shows my PC name and it logs me in 6 consecutive entries. I tried to find the if there are similar 6 entries near the time of the event and I cannot find similar entries

Member Avatar for hughv

A genuine mystery-I think I'd feel compelled to figure it out, but it sounds as though no harm was done.
You might try posting in the web forum, where you'll find people who know a lot more than I do.

Member Avatar for wolfpac

Just found out what really happened, if anyone interested:

Our former Web person, currently an Application Analyst, went in the Microsoft SourceSafe and restore the old files, when the SourceSafe asked her if she wanted to Replace current files, an option which is not selected by default, she hit that option. She is also one of the very few people who has access to the SourceSafe folder, being an Web guy, I don't even have the rights.

Intentional? I am about 99% sure she did it on purpose. I wonder if I should report her, I can't go to my manager because in on of my analyzed possible scenarios I put my boss behind all this.

Member Avatar for hughv

Hard to say. I do problem solving. not politics.
If you're officially in charge, you should at least document the events.
I'd report it and make sure her credentials were revoked, which should be done as a routine precaution anyway.
I read an article recently that said disgruntled employees are responsible for some very high percentage of such events.
Good luck.

Member Avatar for DimaYasny

how about setting an audit on the wwwroot directory?

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.