Strange Disk Utilization

Guest

One of our domain controllers running Windows 2000 Server has a disk drive
with a 25.6 GB capacity. My Computer shows that we only have 2.86 GB free on
this disk. Strangely enough, if I go through and total the size of all
directories and drives on this disk, I only come up with 6.6 GB of used space.
Is there any way to see if someone has compromised this server and installed
hidden files?
One of the directories on the disk has 358 subdirectories. Do blank
directories take up enough space on a disk to matter?

Thanks.
 
First be sure to run a full malware scan using the latest virus definitions
from your publisher's website and get a second opinion with something like
Sysclean and the matching pattern file from Trend Micro. Hopefully that
server has not been used for internet browsing, but if it has, scan for
parasites also. I would also use tools like Process Explorer, Pslist,
TCPview, and Autoruns to see if any unexplained processes or ports are being
used. It would be easiest to compare to a known clean, like-configured
computer. Some compromises like rootkits are hard to detect and it may help
if you use Pslist to compare running processes shown locally to what is
found when you enumerate processes from another network computer.

Your computer may not be compromised, however. I would run Check Disk on that
volume and try to browse the directories and drill down into them to see if
anything interesting is found, such as the one you mention with 358
subdirectories. The link below is to available resource kit tools that you
may want to use to further check out disk use. --- Steve

http://www.petri.co.il/download_free_reskit_tools.htm -- diruse and diskuse
for example.
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml -- Process
Explorer and other utilities from SysInternals.
http://www.trendmicro.com/download/dcs.asp -- Sysclean is a standalone
tool that does not need to be installed.
http://www.trendmicro.com/download/pattern.asp -- pattern file in .zip.
 
Steven L Umbach said:
First be sure to run a full malware scan using the latest virus definitions
from your publisher's website and get a second opinion with something like
Sysclean and the matching pattern file from Trend Micro. Hopefully that
server has not been used for internet browsing, but if it has, scan for
parasites also. I would also use tools like Process Explorer, Pslist,
TCPview, and Autoruns to see if any unexplained processes or ports are being
used. It would be easiest to compare to a known clean, like-configured
computer. Some compromises like rootkits are hard to detect and it may help
if you use Pslist to compare running processes shown locally to what is
found when you enumerate processes from another network computer.

Your computer may not be compromised, however. I would run Check Disk on that
volume and try to browse the directories and drill down into them to see if
anything interesting is found, such as the one you mention with 358
subdirectories. The link below is to available resource kit tools that you
may want to use to further check out disk use. --- Steve

http://www.petri.co.il/download_free_reskit_tools.htm -- diruse and diskuse
for example.
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml -- Process
Explorer and other utilities from SysInternals.
http://www.trendmicro.com/download/dcs.asp -- Sysclean is a standalone
tool that does not need to be installed.
http://www.trendmicro.com/download/pattern.asp -- pattern file in .zip.

I used diruse and dumped the results to a text file, then imported into
Excel. It looks like for whatever reason the properties of the Profiles
directory weren't enumerating the size of the 350+ subdirectories correctly.
As far as I can tell, this directory is no longer used and all roaming
profiles are stored on a different machine.

Thanks for the help and peace of mind.
 
If the Server has been used for web browsing (not a good idea), consider
purging all temp files and browser cache regularly.

Remember to turn on all the "Show hidden .. " Windows Explorer options to be
able to navigate all available folders.

Hope this helps. Do let us know. Thanks!
 
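An added example (not from the thread, and not diruse itself): a Python sketch of the per-directory accounting the posts describe, which also records every directory that could not be listed, since an unlistable directory silently lowers the total. The function names and the sample tree are constructed for illustration.

```python
import os
import shutil
import tempfile


def audit_tree(root):
    """Sum file sizes per top-level entry under root.

    Returns (totals, unreadable). totals maps each top-level directory name
    ("." for files directly in root) to the bytes found beneath it.
    unreadable lists paths that could not be listed or stat'ed, so their
    contents are missing from the totals.
    """
    totals, unreadable = {}, []

    def on_error(err):
        # os.walk skips unlistable directories silently unless given a handler
        unreadable.append(err.filename)

    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        rel = os.path.relpath(dirpath, root)
        top = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            try:
                # lstat: count a link itself, never the target it points to
                size = os.lstat(os.path.join(dirpath, name)).st_size
            except OSError as err:
                unreadable.append(err.filename)
                continue
            totals[top] = totals.get(top, 0) + size
    return totals, unreadable


def unaccounted(root):
    """Bytes the volume reports as used that the walk did not attribute.

    Only meaningful when root is the root of the volume being checked.
    """
    totals, unreadable = audit_tree(root)
    used = shutil.disk_usage(root).used
    return used - sum(totals.values()), unreadable


def make_sample(base):
    """Constructed sample tree: two profile directories and one root file."""
    for rel, size in (("Profiles/a/ntuser.dat", 4096),
                      ("Profiles/b/ntuser.dat", 1024), ("boot.ini", 200)):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
```

A non-empty `unreadable` list is the first thing to resolve before suspecting hidden files; any gap that remains also includes cluster slack and filesystem metadata, which file sizes do not count.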