Last night I had a Windows 2003 web server become compromised. It appears the attacker deleted the boot.ini / NTLDR files to prevent the system from starting up. The problem was a little tricky to troubleshoot, but with the right tools I was able to resolve the issue relatively quickly. In case anyone runs into the same problem, below is a good set of steps to troubleshoot.
Test the hard drive. Often the source of an NTLDR error is simply that the files have been corrupted by a dead or dying hard drive. If this is the cause *pound head on desk*
To test the drive I recommend using Hiren’s BootCD. This is like the “killer app” for any PC tech. It has a tool which will allow you to test any type of hard disk, and will also allow you to browse the NTFS partitions.
This would be a good time to copy any mission critical data off the server. In case we are unsuccessful in completely restoring the system, you should still be able to get your files off.
In this situation having a backup server is ideal. On a backup server running Windows 2003, search for ntldr / ntdetect.com. Copy these to a floppy disk and move them to the root partition of your server using Hiren’s BootCD.
Now create a file called boot.ini with the following information in it, and move it to the root partition of the down server.
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows Server 2003, Standard" /fastdetect
You should be able to reboot and the system will come back online as if nothing happened. At least that is how things went for me. Feel free to add comments about your experiences.
I believe I dodged a bullet here. The web server still had all the site files and all the data. The individual behind this could easily have done more damage than they did.
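Before copying a hand-typed boot.ini to the root of a down server, it is worth checking it for the mistakes that keep NTLDR from booting even after the files are back: a default= path that matches no [operating systems] entry, a malformed ARC path, partition(0) (ARC partitions start at 1), or typographic quotes pasted from a web page. The checker below is an added example, not part of the original post; the sample boot.ini in it is constructed from the one above.

```python
import re

# Constructed sample: the boot.ini from the post, with straight ASCII quotes.
SAMPLE_GOOD = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows Server 2003, Standard" /fastdetect
"""
# ARC path: multi|scsi(N)disk(N)rdisk(N)partition(N)\directory ; partition() is 1-based.
ARC_PATH = re.compile(r'^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)\\[^\s"]+$')
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"   # what web pages turn " and ' into

def parse_boot_ini(text):
    """Return {section: [(key, value), ...]} for an INI-style boot.ini."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def check_boot_ini(text):
    """Return a list of problems; an empty list means the file looks bootable."""
    problems = []
    if any(ch in text for ch in CURLY_QUOTES):
        problems.append('typographic quotes present; NTLDR expects straight " quotes')
    sec = parse_boot_ini(text)
    loader = dict(sec.get("boot loader", []))
    systems = sec.get("operating systems", [])
    if not loader.get("timeout", "").isdigit():
        problems.append("timeout missing or not a number")
    default = loader.get("default")
    if default is None:
        problems.append("no default= entry in [boot loader]")
    for path, _description in systems:
        m = ARC_PATH.match(path)
        if not m:
            problems.append("malformed ARC path: " + path)
        elif int(m.group(5)) < 1:
            problems.append("partition() is 1-based, got 0 in: " + path)
    if default is not None and default not in [p for p, _ in systems]:
        problems.append("default= does not match any [operating systems] entry")
    return problems
```

Run check_boot_ini() on the file contents you are about to copy; an empty list means the default entry, ARC paths and quoting are consistent.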
Comment by Administrator
Just as a follow up, this isn’t a perfect fix for everyone; in fact it probably won’t work for you unless the situation is identical to mine. Be warned, most of the time this error is a sign of serious hardware failure. There is nothing more important than good backups. Hardware will fail, but if you have a good disaster recovery plan you can overcome just about any catastrophe.
Comment by dell tech
make sure there is no floppy in the floppy disk drive!!!
Comment by joshua
=) for me.. I had an older comp; switch the mode on the hard drive to auto =)
Comment by Nice Try
If NTLDR is missing the fix is not with the OS but with the BIOS. If you replace the three files: boot.ini, NTDETECT.COM, and ntldr and the boot.ini is correct, then the fix is to reset the BIOS to safety defaults. A hard shut down can cause this problem. This fix is not published since I am the only one who figured it out. geez, I’m smart.
Comment by Klingonbld
Nice Try is me Klingonbld
Comment by cobra
You are smart. Thank you, it worked.
Comment by Rick Reno
Just like in the Movies