Strange Disk Utilization

Anonymous
February 8, 2005 10:07:08 AM

Archived from groups: microsoft.public.win2000.security

One of our domain controllers running Windows 2000 Server has a disk drive
with a 25.6 GB capacity. My Computer shows that we only have 2.86 GB free on
this disk. Strangely enough, if I go through and total the size of all
directories and drives on this disk, I only come up with 6.6 GB of used space.
Is there any way to see if someone has compromised this server and installed
hidden files?
One of the directories on the disk has 358 subdirectories. Do blank
directories take up enough space on a disk to matter?

Thanks.
Anonymous
February 8, 2005 2:49:11 PM

First be sure to run a full malware scan using the latest virus definitions
from your publisher's website and get a second opinion with something like
Sysclean and the matching pattern file from Trend Micro. Hopefully that
server has not been used for internet browsing, but if it has, scan for
parasites also. I would also use tools like Process Explorer, Pslist,
TCPview, and Autoruns to see if any unexplained processes or ports are being
used. It would be easiest to compare to a known clean, like-configured
computer. Some compromises like rootkits are hard to detect and it may help
if you use Pslist to compare running processes shown locally to what is
found when you enumerate processes from another network computer.

Your computer may not be compromised, however. I would run Check Disk on that
volume and try to browse the directories and drill down into them to see if
anything interesting is found, such as the one you mention with 358
subdirectories. The link below is to available resource kit tools that you
may want to use to further check out disk use. --- Steve

http://www.petri.co.il/download_free_reskit_tools.htm -- diruse and diskuse
for example.
http://www.sysinternals.com/ntw2k/freeware/procexp.shtm... -- Process
Explorer and other utilities from SysInternals.
http://www.trendmicro.com/download/dcs.asp -- Sysclean is a standalone
tool that does not need to be installed.
http://www.trendmicro.com/download/pattern.asp -- pattern file in .zip.

"Molnir" <Molnir@discussions.microsoft.com> wrote in message
news:C252AC07-DDE2-4C24-A017-A1B128A1F738@microsoft.com...
> One of our domain controllers running Windows 2000 Server has a disk drive
> with a 25.6 GB capacity. My Computer shows that we only have 2.86 GB free
> on
> this disk. Strangely enough, if I go through and total the size of all
> directories and drives on this disk, I only come up with 6.6 GB of used
> space.
> Is there any way to see if someone has compromised this server and
> installed
> hidden files?
> One of the directories on the disk has 358 subdirectories. Do blank
> directories take up enough space on a disk to matter?
>
> Thanks.
Anonymous
February 8, 2005 3:11:02 PM

"Steven L Umbach" wrote:

> First be sure to run a full malware scan using the latest virus definitions
> from your publisher's website and get a second opinion with something like
> Sysclean and the matching pattern file from Trend Micro. Hopefully that
> server has not been used for internet browsing, but if it has, scan for
> parasites also. I would also use tools like Process Explorer, Pslist,
> TCPview, and Autoruns to see if any unexplained processes or ports are being
> used. It would be easiest to compare to a known clean, like-configured
> computer. Some compromises like rootkits are hard to detect and it may help
> if you use Pslist to compare running processes shown locally to what is
> found when you enumerate processes from another network computer.
>
> Your computer may not be compromised, however. I would run Check Disk on that
> volume and try to browse the directories and drill down into them to see if
> anything interesting is found, such as the one you mention with 358
> subdirectories. The link below is to available resource kit tools that you
> may want to use to further check out disk use. --- Steve
>
> http://www.petri.co.il/download_free_reskit_tools.htm -- diruse and diskuse
> for example.
> http://www.sysinternals.com/ntw2k/freeware/procexp.shtm... -- Process
> Explorer and other utilities from SysInternals.
> http://www.trendmicro.com/download/dcs.asp -- Sysclean is a standalone
> tool that does not need to be installed.
> http://www.trendmicro.com/download/pattern.asp -- pattern file in .zip.
>

I used diruse and dumped the results to a text file, then imported into
Excel. It looks like for whatever reason the properties of the Profiles
directory weren't enumerating the size of the 350+ subdirectories correctly.
As far as I can tell, this directory is no longer used and all roaming
profiles are stored on a different machine.

Thanks for the help and peace of mind.
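
Added example, not part of the original thread: the discrepancy above came from a size total that under-reported the Profiles subdirectories. This Python script sums a tree, records every directory it could not enumerate, and compares the total with the volume's reported used space; the function names `tree_size` and `audit_volume` are hypothetical.

```python
import os
import shutil
import sys

def tree_size(path, unreadable, scandir=os.scandir):
    """Return bytes of all regular files under path.

    Directories that cannot be listed are appended to `unreadable`
    instead of being skipped silently, since that is where a manual
    total undercounts. Hidden and system files are included.
    """
    total = 0
    try:
        with scandir(path) as it:
            entries = list(it)
    except OSError:                      # e.g. access denied by the ACL
        unreadable.append(path)
        return 0
    for e in entries:
        try:
            if e.is_dir(follow_symlinks=False):
                total += tree_size(e.path, unreadable, scandir)
            elif not e.is_symlink():     # links are not followed or counted
                total += e.stat(follow_symlinks=False).st_size
        except OSError:
            unreadable.append(e.path)
    return total

def audit_volume(root, scandir=os.scandir):
    """Compare what the file system reports as used with what we can see."""
    unreadable = []
    enumerated = tree_size(root, unreadable, scandir)
    used = shutil.disk_usage(root).used
    return {"used": used, "enumerated": enumerated,
            "gap": used - enumerated, "unreadable": unreadable}

if __name__ == "__main__":
    # Run from an elevated prompt, e.g.:  python audit.py D:\
    report = audit_volume(sys.argv[1] if len(sys.argv) > 1 else ".")
    gib = 1024 ** 3
    print("used       %.2f GiB" % (report["used"] / gib))
    print("enumerated %.2f GiB" % (report["enumerated"] / gib))
    print("gap        %.2f GiB" % (report["gap"] / gib))
    for p in report["unreadable"]:
        print("could not enumerate:", p)
```

A large gap with a non-empty "could not enumerate" list points at permissions rather than hidden content; a gap with an empty list is expected to some degree, because file-system metadata is not counted here.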
Anonymous
February 9, 2005 3:07:01 AM

If the Server has been used for web browsing (not a good idea), consider
purging all temp files and browser cache regularly.

Remember to turn on all the "Show hidden .. " Windows Explorer options to be
able to navigate all available folders.

Hope this helps. Do let us know. Thanks!


"Molnir" wrote:

> One of our domain controllers running Windows 2000 Server has a disk drive
> with a 25.6 GB capacity. My Computer shows that we only have 2.86 GB free on
> this disk. Strangely enough, if I go through and total the size of all
> directories and drives on this disk, I only come up with 6.6 GB of used space.
> Is there any way to see if someone has compromised this server and installed
> hidden files?
> One of the directories on the disk has 358 subdirectories. Do blank
> directories take up enough space on a disk to matter?
>
> Thanks.