NTLDR Missing – Fix


Last night I had a Windows 2003 web server become compromised. It appears the attacker deleted the boot.ini / NTLDR files to prevent the system from starting up. The problem was a little tricky to troubleshoot, but with the right tools I was able to resolve the issue relatively quickly. In case anyone runs into the same problem, below is a good set of steps to troubleshoot it.

  • Test the hard drive. Often the source of an NTLDR error is simply that the files have been corrupted by a dead or dying hard drive. If this is the cause, *pound head on desk*.
  • To test the drive I recommend using Hiren’s BootCD. This is like the “killer app” for any PC tech. It has a tool which will let you test any type of hard disk, and it will also let you browse the NTFS partitions.
  • This would be a good time to copy any mission-critical data off the server. In case we are unsuccessful in completely restoring the system, you should at least be able to get your files off.
  • In this situation, having a backup server is ideal. On a backup server running Windows 2003, search for ntldr and ntdetect.com. Copy these to a floppy disk and move them to the root partition of your server using Hiren’s BootCD.
  • Now create a file called boot.ini with the following contents, and move it to the root partition of the down server.

    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows Server 2003, Standard" /fastdetect

  • You should be able to reboot and the system will come back online as if nothing happened. At least that is how things went for me. Feel free to add comments about your experiences.
  • I believe I dodged a bullet here. The web server still had all the site files and all the data. The individual behind this could easily have done more damage than they did.
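As an added example (not part of the original post), here is a small Python checker that parses a boot.ini like the one above and lists what a tampered or half-restored boot setup would show: missing sections, a default= entry with no matching [operating systems] line, malformed ARC paths, and missing ntldr / ntdetect.com / boot.ini at the partition root. It assumes you run it from a rescue environment against the recovered system partition mounted at some path of your choosing; the embedded boot.ini is the one from the post, included as constructed sample input.

```python
import configparser
import os
import re

# boot.ini exactly as given in the post (constructed sample input; raw string keeps the backslash)
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows Server 2003, Standard" /fastdetect
"""

REQUIRED_FILES = ("ntldr", "ntdetect.com", "boot.ini")
# ARC path syntax used by boot.ini: multi()/scsi() disk() rdisk() partition() \directory
ARC_RE = re.compile(r'^(multi|scsi)\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\[^=\s"]+$', re.I)

def parse_boot_ini(text):
    """Return {section: {key: value}}; optionxform=str keeps the ARC-path keys as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    try:
        cp.read_string(text)
    except configparser.Error:  # garbage or truncated file: treat as having no usable sections
        return {}
    return {s.lower(): dict(cp[s]) for s in cp.sections()}

def check_boot_ini(text):
    """Return a list of problems; an empty list means the file looks bootable."""
    cfg = parse_boot_ini(text)
    loader = {k.lower(): v for k, v in cfg.get("boot loader", {}).items()}
    systems = cfg.get("operating systems", {})
    problems = [msg for ok, msg in (
        (loader, "missing [boot loader] section"),
        (systems, "missing [operating systems] section"),
        (loader.get("timeout", "").isdigit(), "timeout is missing or not a number"),
    ) if not ok]
    default = loader.get("default")
    if default is None:
        problems.append("no default= entry")
    elif not ARC_RE.match(default):
        problems.append("default is not a valid ARC path: " + default)
    elif default.lower() not in {k.lower() for k in systems}:
        problems.append("default entry has no matching [operating systems] line")
    problems += ["bad ARC path in [operating systems]: " + k for k in systems if not ARC_RE.match(k)]
    return problems

def check_boot_files(root):
    """Return the required boot files missing from the root of the mounted system partition."""
    return [f for f in REQUIRED_FILES if not os.path.isfile(os.path.join(root, f))]
```

Run check_boot_ini on the recovered partition's boot.ini and check_boot_files on its mount point before rebooting; both return empty lists when the boot files are in place and consistent.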
