Need Help urgently on a P2V case!!!!!!! Pleeese help!!!

kumarullal

Our physical server running Windows Server 2008 R2 was hit by ransomware.
While it only had few files encrypted were deleted and while the server was running I converted the disks to VHDX format using disk2vhd application. There were 2 drives C: and E: where the data resided. Later on I converted them to qcow2 using starwind convert tool. It converted successfully.
The physical server had 2 NIC cards and there was a bond created.
So I created a VM with 2 IDE drives 2 Network interface using E100. The machine took like 20 minutes to boot.
Then it took 10 minutes to log in. Any mouse action I use, it is very sluggish. It takes 3 to 4 minutes to respond. But the VM seems to run perfectly, but so slow, that it is unusable. When I checked the adapter setting, I saw 2 NIC cards with a bond present just like the physical server.
What could be the issue for it being so slow? I have had sleepless nights.
Don't know what could be the underlying cause of it to be soooo slow.
Is it something to do with Disk bus, I chose IDE for both. Then I chose IDE for C: and SATA for E: with same results. I don't think I can use virtio. (Or can I?) I don't know how, the disk will not be recognized.
Should I convert it to vmdk and then use? Will that be more responsive?
I would really appreciate any help.
Thanks in advance.
 
Virtio SCSI for drives and Virtio as NIC should be way faster but you need to install the drivers and virtio service first or your guest can't use it.
 
Thanks for your prompt reply, Dunuin.
How can I install virtio for drives and NIC and the service before I start the VM? How will my server recognize the drives? Can you please explain?
Thanks
 
I'm not sure if it is possible to install them without starting the VM. Possibly not. NIC and service shouldn't be a problem to install once the VM is booted but I'm not sure if virtio SCSI will work if you want that for your boot drive too. I always install the virtio drivers while installing Windows because otherwise Windows wouldn't be able to see a drive to install to. Not sure if it is possible to boot from IDE, install the driver and switch to virtio for the boot drive.
 
Hi Dunuin,
Here I am not installing Windows, but rather creating a VM with the same size of the drives that I have already converted to qcow2 from the physical server. Once I create the VM, then I replace the drive created while creating the VM with my converted qcow2 drives.
Any ideas?
 
you can convert your ide to virtio.

first, boot on your current ide.

add a small temporary virtio-scsi disk (like 1G).

install virtio-drivers with virtio-win iso, check that the temporary disk is working.

Then remove temporary drive, stop the vm, and change your ide disk to virtio-scsi.

It should boot fine.
 
Thank you Spirit, Dunuin
Spirit, I followed your instructions and could successfully convert the disk to Virtio.
I have kept the networking on E100. Would virtio network have significant improvements?
 
I have a question. When you activate discard on any qcow2 virtio drive with data already on it, what happens?
Does it automatically shrink the size of the disk discarding the unused space?
Do my vzdump backups reduce in size as well?
When does the effect take place? As soon as you turn on the VM after turning discard on?
Thanks again.
 
So you had a server hit by ransomware and you just booted it as VM and put it back on the network? All those slow responses could be the ransomware shipping your data out or finishing the encryption...

If I were you I would build a new Windows VM, airgap it on private network or no network at all. Attach the disks from old server to it and try to save data.

You can't trust anything on that server any more, least of all the executables/OS.
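
The isolation advice in the post above can be checked before the P2V copy is ever started. The following is an added example, not part of the thread or of Proxmox itself: it reads a VM configuration in the qemu-server `key: value` layout and lists every virtual NIC whose link is not set to `link_down=1`, plus any host USB passthrough. The sample configuration, VM ID, MAC addresses and storage names are constructed.

```python
import re

# Constructed sample in the qemu-server VM config layout (not from the thread).
SAMPLE_CONF = """\
# P2V copy of the infected 2008 R2 host
boot: order=ide0
ide0: local:101/vm-101-disk-0.qcow2,size=120G
sata0: local:101/vm-101-disk-1.qcow2,size=500G
net0: e1000=DE:AD:BE:EF:00:01,bridge=vmbr0
net1: e1000=DE:AD:BE:EF:00:02,bridge=vmbr0,link_down=1
usb0: host=1-2

[pre-cleanup]
net0: e1000=DE:AD:BE:EF:00:01,bridge=vmbr0
"""

def parse_current(conf_text):
    """Return key -> option dict for the live section only.

    Parsing stops at the first [section] header, so snapshot and
    pending sections do not influence the result.
    """
    current = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            break
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts = {}
        for part in value.strip().split(","):
            name, _, val = part.partition("=")
            opts[name] = val
        current[key.strip()] = opts
    return current

def isolation_findings(conf_text):
    """List items to review before booting an untrusted guest."""
    findings = []
    for key, opts in sorted(parse_current(conf_text).items()):
        if re.fullmatch(r"net\d+", key) and opts.get("link_down") != "1":
            findings.append(f"{key}: link is up on bridge {opts.get('bridge', '?')}")
        elif re.fullmatch(r"usb\d+", key):
            findings.append(f"{key}: host USB device passed through")
    return findings

if __name__ == "__main__":
    for finding in isolation_findings(SAMPLE_CONF):
        print("REVIEW", finding)
```

An empty result means the guest has no connected virtual NIC and no passed-through USB device in its current configuration.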
 
Virtio support for 2008 is very limited; there are only disk drivers, virtio iscsi and virtio block, nothing else.

Ransomware is the last step for a breach; first everything gets backdoored and data exfiltrated, usually waiting weeks to months to be included in backup cycles.

ZeroLogon makes it a breeze to take over the whole network.
 
Hi HR40,
Can you suggest if there is something that can be used as protection against ransomware in future? Also if there is a way to decrypt already encrypted files.
Regards
 
Thanks @bbgreek17 for your response.
No, I have not added the server to the network.
I shut down all devices like desktops, NAS etc. Only printers and Proxmox servers without any running VMs.
Then only the infected server 2008R2.
Attached a USB drive to it, and using xcopy, copying all those folders which had the database. It is still going on because it has about 2 million files with the total size of 250GB. It is a long and tedious process.
Once the backup finishes, I will shut down the server. Then only start the newly created Windows Server 2019 as a VM in Proxmox.
Will attach the USB to my laptop and copy to the server. (Don't know if passing the USB directly through Proxmox to the VM might be a better idea. Need some suggestions.)
Once that is done, then just test it out if it works.
 
Personally, I wouldn't make most of those steps the way you did. For example, bringing server up and moving data to USB. I would remove the disk physically, build a new server, then use an imaging program to make a copy of the disk (if data is important). But I assume you had your reasons and environmental limitations so your path is fine.
If you have space, just start copy from USB to a directory on Proxmox somewhere, then pass it through as "directory" storage to VM. It really all depends on your storage capabilities. If you don't have enough, then sure pass-through USB to VM and copy that way.
 
I had no choice but to copy the data on a USB, because it is an old ProLiant server with multiple disks in a RAID array.
There was no way to remove the disks from the server.
As far as copying to the server 2019 is concerned, instead of copying to Proxmox server would it be better to copy it over the network share directly using robocopy? Considering 2 million files and 250GB of data.
So with your suggestion, I can attach the USB 3.0 to Proxmox and mount it on Proxmox and add it as a storage. However, how can I import the data into the Windows VM? Because in the storage, I will have folders created for dump, images, templates, etc. How can I pass my directories to the Windows VM?
 
A local copy USB>Disk should be faster than USB>Laptop>Network>Disk

Plugging usb to proxmox and passing it through to VM might be significantly faster. Although I'd be concerned that the USB disk is compromised.
Once you pass through the USB to VM just copy data to local disk. In the end even copying over the network is fine.

I think we strayed far far away from the purpose of this forum - Proxmox.
 
