Lost Disk Space

I was implementing security auditing on my w2k SBS server and I noticed that
my d:> disk space started to diminish by about 100mb per minute. Thinking it
was the audit policy, I turned it off. It carried on, so I disconnected the
internet and it stopped! So, I did a netstat and found that my server was
connected to 150.188.1.10:3835, 195.70.236.164: on various ports. I blocked
these ports and IP addresses. Went into task manager and found the following
strange services: server.exe, syshosts.exe, WinSRV.exe, syshost.exe and
SL14F2.tmp. I tried to stop all of them, but I was not allowed except for
SL14F2.tmp. I ran Trend Anti-virus on all my workstations and server, with
the latest pattern file. It came up with a few viruses which were deleted or
quarantined. I then ran adaware, which found a few bits and pieces and
removed them as well.
As it stands now, my d:> is 55GB in size. 26.92GB is accounted for in files
and I have 2.98GB free space. Where did 14GB go? I have searched with
utilities to no avail and have even done an attrib search in DOS. Has anyone
got any ideas? Thanks for your time!
 
You should google around for a while and check into info you
might turn up using the names of services/files that you do have.
There are various ways that disk usage gets hidden, so the google
research may give you some shortcuts as to which is involved.
For example, storing into the recycle bin, with names that Explorer
does not recognize as allowed, in sys vol info, etc.
Try looking at the drive with a mapping over the network and
with the DOS prompt, etc. At the far end of the spectrum there
are some very sophisticated ways of hiding storage, but in those
cases you likely would not have found as much as you have.
 
First off you should consider salvaging your data and doing a clean install
after taking steps to prevent such problems from happening again, but that
is your call. My guess is that either your server was not close to being
current with critical updates from Windows Updates, you have unneeded
services installed, no firewall or an incorrectly configured firewall is being
used, your antivirus definitions are not current and not scanning emails,
and/or you are using weak passwords for administrator accounts. I suggest you
take advantage of the free Microsoft Baseline Security Analyzer to check your
server for basic security issues.

http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA


Having said that, it might help if you go through each folder under the
root/drive folder to see if you can find a folder that uses an unusually large
amount of space. Of course you will need to first enable viewing of hidden
folders and files. If you do find the folders you may have difficulty
deleting the folders. Also run Check Disk on your server to see if it can
find/repair problems on the hard drive. There are also RK tools at the link
below such as diruse that may be helpful in tracking down disk use.

http://www.petri.co.il/download_free_reskit_tools.htm
http://support.microsoft.com/?kbid=320081 -- dealing with hard to delete
files
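The per-folder walk suggested above, as an added example that is not from the thread or from the resource kit's diruse: it charges every file, hidden or not, to its folder and all ancestors, lists the biggest folders, and reports how many used bytes on the volume no visible file explains. Paths and the sample tree are constructed for illustration; run dir_usage on a real drive root to reproduce the poster's "accounted for" figure.

```python
import os
import shutil
import stat
import tempfile
from collections import defaultdict

def dir_usage(root):
    """Map every directory under root to its cumulative size in bytes.
    os.walk lists hidden/system entries too, so this counts what Explorer
    may hide; files that cannot be stat'ed (locked, vanished) are skipped."""
    root = os.path.abspath(root)
    usage = defaultdict(int)
    for dirpath, _dirs, files in os.walk(root):
        usage[dirpath] += 0  # record empty directories as well
        for name in files:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # a link holds no data of its own
            d = dirpath
            while True:  # charge the size to this directory and every ancestor
                usage[d] += st.st_size
                if d == root:
                    break
                d = os.path.dirname(d)
    return dict(usage)

def largest_dirs(usage, n=5):
    """Directories by cumulative size, largest first (what diruse reports)."""
    return sorted(usage.items(), key=lambda kv: kv[1], reverse=True)[:n]

def unaccounted(root, usage):
    """Used bytes the volume reports minus bytes found by walking root.
    Meaningful when root is the drive root; a large positive gap is the
    'where did it go' number from the original question."""
    return shutil.disk_usage(root).used - usage[os.path.abspath(root)]

def build_sample_tree():
    """Constructed sample: a dot-folder hides 2000 of the 5500 bytes."""
    root = tempfile.mkdtemp()
    for rel, size in (("a/big.bin", 3000), ("a/.hidden/h.bin", 2000), ("b/c.bin", 500)):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"\0" * size)
    return root

def demo():
    root = build_sample_tree()
    usage = dir_usage(root)
    top = [(os.path.relpath(p, root), s) for p, s in largest_dirs(usage, 3)]
    return {"total": usage[root], "top": top}
```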
 
You should also learn to cross-post, so you don't get the same information
multiple times.
 
You're missing some patches, and/or have a misconfiguration on your system.
You probably also haven't configured the ISA firewall in SBS very
thoroughly. You've probably been FTP Tagged, where an FTP server is either
installed on your system, or the FTP services that were on your system are
abused, in order to hide illicit files in a hidden folder. There could be a
Windows root kit as well, such as hacker defender, being used to hide the
services and files in question. RKDETECT from www.google.com and Silent
Runners from www.silentrunners.org might be of use. If you haven't secured
your system, it's still vulnerable and open to being re-hacked. After you
figure out how you were hacked and what you didn't do on your system, you
may wish to format and reinstall everything in a secure manner.

http://securityadmin.info/faq.asp#ftpfolder
http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden
 
Steve, can I add one to your otherwise rather complete
sounding list of possible faults allowing entry which you
provided in the opening paragraph?
"or, indiscriminate web browsing while logged in as an admin"
 
Of course you can Roger and a good addition it is! I consider you like a
wise old uncle of mine [even though we are around the same age] : ) Steve
 
Too funny Steve. Thanks. FWIW I imagined you to be
a wiz kid phenomenon, until we met, when I needed to
adjust that to "kid at heart" <g>

--
Roger
 