
Lost Disk Space

Anonymous
December 8, 2004 7:55:09 AM

Archived from groups: microsoft.public.win2000.security

I was implementing security auditing on my w2k SBS server and I noticed that
my d:> disk space started to diminish by about 100mb per minute. Thinking it
was the audit policy, I turned it off. It carried on, so I disconnected the
internet and it stopped! So, I did a netstat and found that my server was
connected to 150.188.1.10:3835, 195.70.236.164: on various ports. I blocked
these ports and IP addresses. Went into task manager and found the following
strange services: server.exe, syshosts.exe, WinSRV.exe, syshost.exe and
SL14F2.tmp. I tried to stop all of them, but I was not allowed except for
SL14F2.tmp. I ran Trend Anti-virus on all my workstations and server, with
the latest pattern file. It came up with a few viruses which were deleted or
quarantined. I then ran adaware, which found a few bits and pieces and
removed them as well.
As it stands now, my d:> is 55GB in size. 26.92GB is accounted for in files
and I have 2.98GB free space. Where did 14GB go? I have searched with
utilities to no avail and have even done an attrib search in DOS. Has anyone
got any ideas? Thanks for your time!

Anonymous
December 8, 2004 10:58:28 AM

You should google around for a while and check into info you
might turn up using the names of services/files that you do have.
There are various ways that disk usage gets hidden, so the google
research may give you some shortcuts as to which is involved.
For example, storing into the recycle bin, with names that Explorer
does not recognize as allowed, in sys vol info, etc.
Try looking at the drive with a mapping over the network and
with the DOS prompt, etc. At the far end of the spectrum there
are some very sophisticated ways of hiding storage, but in those
cases you likely would not have found as much as you have.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brad E" <Brad E@discussions.microsoft.com> wrote in message
news:9E0A795F-662A-407A-ACEB-3A85BF6EA68A@microsoft.com...
> I was implementing security auditing on my w2k SBS server and I noticed that
> my d:> disk space started to diminish by about 100mb per minute. Thinking it
> was the audit policy, I turned it off. It carried on, so I disconnected the
> internet and it stopped! So, I did a netstat and found that my server was
> connected to 150.188.1.10:3835, 195.70.236.164: on various ports. I blocked
> these ports and IP addresses. Went into task manager and found the following
> strange services: server.exe, syshosts.exe, WinSRV.exe, syshost.exe and
> SL14F2.tmp. I tried to stop all of them, but I was not allowed except for
> SL14F2.tmp. I ran Trend Anti-virus on all my workstations and server, with
> the latest pattern file. It came up with a few viruses which were deleted or
> quarantined. I then ran adaware, which found a few bits and pieces and
> removed them as well.
> As it stands now, my d:> is 55GB in size. 26.92GB is accounted for in files
> and I have 2.98GB free space. Where did 14GB go? I have searched with
> utilities to no avail and have even done an attrib search in DOS. Has anyone
> got any ideas? Thanks for your time!
Anonymous
December 8, 2004 6:32:14 PM

You should also learn to cross-post, so you don't get the same information
multiple times.


--
#include <standard.disclaimer>
_
Kevin D Quitt USA 91387-4454 96.37% of all statistics are made up
Per the FCA, this address may not be added to any commercial mail list
Anonymous
December 8, 2004 10:27:50 PM

First off you should consider salvaging your data and doing a clean install
after taking steps to prevent such problems from happening again, but that
is your call. My guess is that either your server was not close to being
current with critical updates from Windows Updates, you have unneeded
services installed, no or an incorrectly configured firewall is being used,
your antivirus definitions are not current and not scanning emails, and/or
you are using weak passwords for administrator accounts. I suggest you take
advantage of the free Microsoft Baseline Security Analyzer to check your
server for basic security issues.

http://www.microsoft.com/technet/security/tools/mbsahom... --- MBSA


Having said that, it might help if you go through each folder under the
root/drive folder to see if you can find a folder that uses an unusually large
amount of space. Of course you will need to first enable viewing of hidden
folders and files. If you do find the folders you may have difficulty
deleting the folders. Also run Check Disk on your server to see if it can
find/repair problems on the hard drive. There are also RK tools at the link
below such as diruse that may be helpful in tracking down disk use.

http://www.petri.co.il/download_free_reskit_tools.htm
http://support.microsoft.com/?kbid=320081 -- dealing with hard to delete files

Anonymous
December 9, 2004 1:11:54 AM

You're missing some patches, and/or have a misconfiguration on your system.
You probably also haven't configured the ISA firewall in SBS very
thoroughly. You've probably been FTP Tagged, where an FTP server is either
installed on your system, or the FTP services that were on your system are
abused, in order to hide illicit files in a hidden folder. There could be a
Windows root kit as well, such as hacker defender, being used to hide the
services and files in question. RKDETECT from www.google.com and Silent
Runners from www.silentrunners.org might be of use. If you haven't secured
your system, it's still vulnerable and open to being re-hacked. After you
figure out how you were hacked and what you didn't do on your system, you
may wish to format and reinstall everything in a secure manner.

http://securityadmin.info/faq.asp#ftpfolder
http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden
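
The folder-by-folder search suggested in the earlier reply, combined with the hidden-folder tricks this reply and the first one mention (folder names Explorer does not accept), as an added example that is not part of the original posts. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import shutil
import tempfile

# DOS device names; Explorer cannot open or delete folders that carry them.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}

def odd_name(name):
    """True for a reserved device name or a trailing dot/space."""
    stem = name.split(".")[0].strip().upper()
    return stem in RESERVED or name != name.rstrip(". ")

def audit(root):
    """Return (bytes per top-level folder, odd-named dirs, unreadable paths)."""
    usage, odd, unreadable = {}, [], []
    root = root.rstrip(os.sep) + os.sep
    # Folders that cannot be listed (ACLs, e.g. System Volume Information,
    # or names Win32 cannot open) are recorded instead of silently skipped.
    for dirpath, dirnames, filenames in os.walk(
            root, onerror=lambda e: unreadable.append(e.filename)):
        top = dirpath[len(root):].split(os.sep)[0] or "."
        odd += [os.path.join(dirpath, d) for d in dirnames if odd_name(d)]
        for f in filenames:
            path = os.path.join(dirpath, f)
            try:
                usage[top] = usage.get(top, 0) + os.lstat(path).st_size
            except OSError:
                unreadable.append(path)
    return usage, odd, unreadable

def unaccounted(used_bytes, usage):
    """Bytes the volume counts as used that the walk attributed to no file."""
    return used_bytes - sum(usage.values())

def build_sample(root):
    """Constructed tree: one normal folder and one nested odd-named folder."""
    for parts, size in ((("docs", "a.txt"), 100),
                        ((" tag ", "com1", "payload.bin"), 5000)):
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    root = tempfile.mkdtemp()
    if os.name == "nt":  # \\?\ prefix bypasses Win32 name normalization
        root = "\\\\?\\" + root
    build_sample(root)
    usage, odd, unreadable = audit(root)
    for top, size in sorted(usage.items(), key=lambda kv: -kv[1]):
        print(f"{size:>10}  {top!r}")
    print("odd names:", odd)
    print("unreadable:", unreadable)
    # Only meaningful when root is the volume root, e.g. \\?\D:\
    print("unaccounted:", unaccounted(shutil.disk_usage(root).used, usage))
    shutil.rmtree(root)
```

A large `unaccounted` value together with entries in `unreadable` points at space held in folders the account cannot list, which is where to look next from an offline or differently privileged view of the disk.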


Anonymous
December 9, 2004 1:26:58 AM

Steve, can I add one to your otherwise rather complete
sounding list of possible faults allowing entry which you
provided in the opening paragraph?
"or, indiscriminate web browsing while logged in as an admin"

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Anonymous
December 9, 2004 9:01:42 AM

Of course you can Roger and a good addition it is! I consider you like a
wise old uncle of mine [even though we are around the same age] : ) Steve


"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:o 0kiS9a3EHA.2876@TK2MSFTNGP12.phx.gbl...
> Steve, can I add one to your otherwise rather complete
> sounding list of possible faults allowing entry which you
> provided in the opening paragraph?
> "or, indiscriminate web browsing while logged in as an admin"
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
Anonymous
December 9, 2004 9:57:52 AM

Too funny Steve. Thanks. FWIW I imagined you to be
a wiz kid phenomenon, until we met, when I needed to
adjust that to "kid at heart" <g>

--
Roger
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:aTRtd.211426$HA.65990@attbi_s01...
> Of course you can Roger and a good addition it is! I consider you like a
> wise old uncle of mine [even though we are around the same age] : ) Steve