Lost Disk Space

Archived from groups: microsoft.public.win2000.security

I was implementing security auditing on my w2k SBS server and I noticed that
my d:> disk space started to diminish by about 100 MB per minute. Thinking it
was the audit policy, I turned it off. It carried on, so I disconnected the
internet and it stopped! So, I did a netstat and found that my server was
connected to 150.188.1.10:3835, 195.70.236.164: on various ports. I blocked
these ports and IP addresses. Went into task manager and found the following
strange services: server.exe, syshosts.exe, WinSRV.exe, syshost.exe and
SL14F2.tmp. I tried to stop all of them, but I was not allowed except for
SL14F2.tmp. I ran Trend Anti-virus on all my workstations and server, with
the latest pattern file. It came up with a few viruses which were deleted or
quarantined. I then ran adaware, which found a few bits and pieces and
removed them as well.
As it stands now, my d:> is 55GB in size. 26.92GB is accounted for in files
and I have 2.98GB free space. Where did 14GB go? I have searched with
utilities to no avail and have even done an attrib search in DOS. Has anyone
got any ideas? Thanks for your time!
  1.

    You should google around for a while and check into info you
    might turn up using the names of services/files that you do have.
    There are various ways that disk usage gets hidden, so the google
    research may give you some shortcuts as to which is involved.
    For example, storing into the recycle bin, with names that Explorer
    does not recognize as allowed, in sys vol info, etc.
    Try looking at the drive with a mapping over the network and
    with the DOS prompt, etc. At the far end of the spectrum there
    are some very sophisticated ways of hiding storage, but in those
    cases you likely would not have found as much as you have.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Brad E" <Brad E@discussions.microsoft.com> wrote in message
    news:9E0A795F-662A-407A-ACEB-3A85BF6EA68A@microsoft.com...
    > I was implementing security auditing on my w2k SBS server and I noticed that
    > my d:> disk space started to diminish by about 100 MB per minute. Thinking it
    > was the audit policy, I turned it off. It carried on, so I disconnected the
    > internet and it stopped! So, I did a netstat and found that my server was
    > connected to 150.188.1.10:3835, 195.70.236.164: on various ports. I blocked
    > these ports and IP addresses. Went into task manager and found the following
    > strange services: server.exe, syshosts.exe, WinSRV.exe, syshost.exe and
    > SL14F2.tmp. I tried to stop all of them, but I was not allowed except for
    > SL14F2.tmp. I ran Trend Anti-virus on all my workstations and server, with
    > the latest pattern file. It came up with a few viruses which were deleted or
    > quarantined. I then ran adaware, which found a few bits and pieces and
    > removed them as well.
    > As it stands now, my d:> is 55GB in size. 26.92GB is accounted for in files
    > and I have 2.98GB free space. Where did 14GB go? I have searched with
    > utilities to no avail and have even done an attrib search in DOS. Has anyone
    > got any ideas? Thanks for your time!
  2.

    You should also learn to cross-post, so you don't get the same information
    multiple times.


    --
    #include <standard.disclaimer>
    _
    Kevin D Quitt USA 91387-4454 96.37% of all statistics are made up
    Per the FCA, this address may not be added to any commercial mail list
  3.

    First off you should consider salvaging your data and doing a clean install
    after taking steps to prevent such problems from happening again, but that
    is your call. My guess is that either your server was not close to being
    current with critical updates from Windows Updates, you have unneeded
    services installed, no or an incorrectly configured firewall is being used,
    your antivirus definitions are not current and not scanning emails, and/or
    you are using weak passwords for administrator accounts. I suggest you take
    advantage of the free Microsoft Baseline Security Analyzer to check your
    server for basic security issues.

    http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA

    Having said that, it might help if you go through each folder under the
    root/drive folder to see if you can find a folder that uses an unusually large
    amount of space. Of course you will need to first enable viewing of hidden
    folders and files. If you do find the folders you may have difficulty
    deleting the folders. Also run Check Disk on your server to see if it can
    find/repair problems on the hard drive. There are also RK tools at the link
    below such as diruse that may be helpful in tracking down disk use.

    http://www.petri.co.il/download_free_reskit_tools.htm
    http://support.microsoft.com/?kbid=320081 -- dealing with hard to delete
    files
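An added example, not part of the original thread or of any tool named in it: a Python script for the per-folder accounting suggested in the reply above, in the spirit of diruse. It totals bytes under each top-level entry of a drive (hidden and system folders included), records every path it could not read, and reports how much of the volume's used space the walk never saw. The function names `scan`, `largest` and `unaccounted` are this example's own.

```python
import os
import shutil
import sys


def scan(root):
    """Return ({top-level entry: bytes}, [paths that could not be read])."""
    totals, unreadable = {}, []

    def walk(path, top):
        try:
            with os.scandir(path) as it:
                entries = list(it)
        except OSError:
            # Access denied or vanished: exactly the places worth a second look.
            unreadable.append(path)
            return
        for entry in entries:
            key = entry.name if top is None else top
            try:
                if entry.is_symlink():
                    continue  # symbolic links are not followed or counted
                if entry.is_dir(follow_symlinks=False):
                    totals.setdefault(key, 0)
                    walk(entry.path, key)
                else:
                    # st_size is the main data stream only, not allocated clusters
                    # and not NTFS alternate data streams.
                    size = entry.stat(follow_symlinks=False).st_size
                    totals[key] = totals.get(key, 0) + size
            except OSError:
                unreadable.append(entry.path)

    walk(root, None)
    return totals, unreadable


def largest(totals, n=10):
    """The n biggest top-level entries, largest first."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def unaccounted(used_bytes, totals):
    """Bytes the volume reports as used that the walk did not see."""
    return used_bytes - sum(totals.values())


if __name__ == "__main__":
    # Pass the drive root (for example D:\) so the volume figure matches the walk.
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.abspath(os.sep)
    totals, unreadable = scan(root)
    used = shutil.disk_usage(root).used
    for name, size in largest(totals):
        print(f"{size / 2**20:12.1f} MB  {name}")
    gap = unaccounted(used, totals)
    print(f"{gap / 2**20:12.1f} MB  used on the volume but not seen by the walk")
    for path in unreadable:
        print("unreadable:", path)
```

A large gap together with unreadable paths points at folders whose permissions hide them from the account running the scan; a large gap with no unreadable paths suggests the listing itself cannot be trusted on that system.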
  4.

    You're missing some patches, and/or have a misconfiguration on your system.
    You probably also haven't configured the ISA firewall in SBS very
    thoroughly. You've probably been FTP Tagged, where an FTP server is either
    installed on your system, or the FTP services that were on your system are
    abused, in order to hide illicit files in a hidden folder. There could be a
    Windows root kit as well, such as hacker defender, being used to hide the
    services and files in question. RKDETECT from www.google.com and Silent
    Runners from www.silentrunners.org might be of use. If you haven't secured
    your system, it's still vulnerable and open to being re-hacked. After you
    figure out how you were hacked and what you didn't do on your system, you
    may wish to format and reinstall everything in a secure manner.

    http://securityadmin.info/faq.asp#ftpfolder
    http://securityadmin.info/faq.asp#hacked
    http://securityadmin.info/faq.asp#re-secure
    http://securityadmin.info/faq.asp#harden
  5.

    Steve, can I add one to your otherwise rather complete
    sounding list of possible faults allowing entry which you
    provided in the opening paragraph?
    "or, indiscriminate web browsing while logged in as an admin"

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:WAItd.224912$R05.36591@attbi_s53...
    > First off you should consider salvaging your data and doing a clean install
    > after taking steps to prevent such problems from happening again, but that
    > is your call. My guess is that either your server was not close to being
    > current with critical updates from Windows Updates, you have unneeded
    > services installed, no or an incorrectly configured firewall is being used,
    > your antivirus definitions are not current and not scanning emails, and/or
    > you are using weak passwords for administrator accounts. I suggest you take
    > advantage of the free Microsoft Baseline Security Analyzer to check your
    > server for basic security issues.
    >
    > http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
    >
    > Having said that, it might help if you go through each folder under the
    > root/drive folder to see if you can find a folder that uses an unusually large
    > amount of space. Of course you will need to first enable viewing of hidden
    > folders and files. If you do find the folders you may have difficulty
    > deleting the folders. Also run Check Disk on your server to see if it can
    > find/repair problems on the hard drive. There are also RK tools at the link
    > below such as diruse that may be helpful in tracking down disk use.
    >
    > http://www.petri.co.il/download_free_reskit_tools.htm
    > http://support.microsoft.com/?kbid=320081 -- dealing with hard to delete
    > files
  6.

    Of course you can Roger and a good addition it is! I consider you like a
    wise old uncle of mine [even though we are around the same age] : ) Steve
  7.

    Too funny Steve. Thanks. FWIW I imagined you to be
    a whiz kid phenomenon, until we met, when I needed to
    adjust that to "kid at heart" <g>

    --
    Roger