Windows 2000 server hacked



Rick Totedo
07-09-2005, 11:54 PM
I have a Windows 2000 server that was hacked. The OS partition is on a 4
gig drive. The OS and profiles take up about 1.5 gig. When I look at the
drive properties, it says I only have 80 MB free. That means someone is
storing almost 3 gig of stuff on my computer. I have used every tool and
command line I can to find the data, but nothing will read the directory
structure. All attempts come back displaying just the data that was
original to the system. The hackers must have done something to the system
to "hide" their data from anything that reads NTFS. I also cannot empty my
recycle bin. It tells me that one of the folders is not empty. When I look
at that folder nothing is in it.

Does anyone have an idea on how to access this data so I can find it and
delete it from my system? As of now, I am looking at the format/reload
method, but I would rather not do that.

Thanks in advance.
Rick

Imhotep
07-09-2005, 11:54 PM
Rick Totedo wrote:


Sounds like you got hacked quite well.

1) First I would get a sniffer and log all connections to/from the server.
You will need this data if you are going to report the incident.

2) Honestly, for investigative purposes I would pull the disk out, put it in
another system (preferably a lab system) as a second data disk (i.e. as a
non-bootable disk) and see what is on the partition. There has been a huge
rise in Windows kernel "root" kits out there and it sounds like you got one.

If you see all sorts of data you did not put there, I would save the disk
for evidence and contact the authorities.

Do you know how your system was hacked? What was on it? Was it on your DMZ?

-Im

Rick Totedo
07-09-2005, 11:54 PM
Thanks for the info. As for taking out the disk, that will be difficult
because it is part of an array. I really don't know how it got hacked. We
are running a non-routable address behind a Cisco 1750. There were no FTP
services. This machine is just a member server on a domain. It's just a
file and print server. I will admit the security updates were behind about a
month, so shame on me. It is tough to do anything on the drive because there
is no space. Somehow they hide their data using embedded characters in the
directory structure and I haven't been able to uncover it. I will keep
looking. I was hoping for a tool of some sort that would not "bypass" these
directories, but I haven't found one yet.
--
Rick Totedo


"Rick Totedo" wrote:


Rick Totedo
07-09-2005, 11:54 PM
Sorry, posted this to the wrong thread before.

Thanks for the info. As for taking out the disk, that will be difficult
because it is part of an array. I really don't know how it got hacked. We
are running a non-routable address behind a Cisco 1750. There were no FTP
services. This machine is just a member server on a domain. It's just a
file and print server. I will admit the security updates were behind about a
month, so shame on me. It is tough to do anything on the drive because there
is no space. Somehow they hide their data using embedded characters in the
directory structure and I haven't been able to uncover it. I will keep
looking. I was hoping for a tool of some sort that would not "bypass" these
directories, but I haven't found one yet.

--
Rick Totedo


"Imhotep" wrote:


Nex6
07-09-2005, 11:54 PM
Download a copy of 'Knoppix' and boot off it (it's a bootable live CD distro).

You can then mount the drive read-only and look around with all the Unix
tools, which may give you less trouble.

-Nex6


Rick Totedo wrote:


Roger Abell
07-09-2005, 11:54 PM
You might want to take a look with Rootkit Revealer that
is available from www.sysinternals.com
However, it really does not sound like a root kit, as you
are being told the actual, near zero free space.

--
Roger Abell
Microsoft MVP (Windows Security)

"Rick Totedo" <RickTotedo@discussions.microsoft.com> wrote in message
news:00D91CC9-7802-4AC5-8A97-0041FDAFF36D@microsoft.com...

Shenan Stanley
07-09-2005, 11:54 PM
Rick Totedo wrote:

GHOST the partition, use ghost viewer to look at the partition.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

Mercury
07-09-2005, 11:54 PM
If you have 1 GB RAM, a 1.5 GB swapfile, 1 x hiberfile, etc., that would go a long
way to accounting for it. Add in a full system dump & a service pack...

So, take a Ghost image for post mortem, set the View / Options to show all
files including OS system & hidden files, then try using a search (Start ->
Find) and look for files over 1 MB. When finished, sort the list descending
and, well, things may not be too bad.

I hope you knew none of this already and it was just a quick scare :)
Otherwise... :(





"Rick Totedo" <rick@alg.cc> wrote in message
news:%23%23TNfrpdFHA.3712@TK2MSFTNGP09.phx.gbl...

Mercury
07-09-2005, 11:54 PM
There is a method to delete such files that may work.
Use the command prompt and
dir /X
to list the files by 8.3 file name, then delete those.
Mind you, if you have been hacked... a clean install may be preferred.



"Rick Totedo" <RickTotedo@discussions.microsoft.com> wrote in message
news:5C31F7DE-BBBF-4153-BE4B-6DB90ABD7D74@microsoft.com...

Roger Abell
07-09-2005, 11:54 PM
If you are looking at things with Explorer, have you changed its
setting so that it is showing hidden and system hidden files ??

--
Roger Abell
Microsoft MVP (Windows Security)

"Rick Totedo" <rick@alg.cc> wrote in message
news:%23%23TNfrpdFHA.3712@TK2MSFTNGP09.phx.gbl...

Roger Abell
07-09-2005, 11:54 PM
That is along my line of thought.
4 gigs is pretty small these days for the boot partition.

--
Roger Abell
Microsoft MVP (Windows Security)

"Mercury" <me@spam.com> wrote in message
news:d9bj4k$tg1$1@lust.ihug.co.nz...

Imhotep
07-09-2005, 11:54 PM
Mercury wrote:


If he truly does have a "root" kit it will not matter much.... As he is
hacked quite well...

-Im

Rick Totedo
07-09-2005, 11:54 PM
Yes, I did change the files to display both hidden and system files. I know
the boot partition seems small, but the swap file is on the other drives and
the data on this drive was around 1.5 gig for well over a year. It just
started to grow this last month. It sounds like the best thing would be to
nuke and install fresh.

Thanks for all the tips and help.
Rick
--
Rick Totedo


"Roger Abell" wrote:


Mercury
07-09-2005, 11:54 PM
Well, with 1 GB of RAM (? 512 maybe), a 4 GB partition, a swap file, a service
pack or two, a hiberfile, he won't have much free disc space. It could be
something quite trivial too...




"Imhotep" <NoSpam@NoThanks.com> wrote in message
news:uEiue.28$8o.13@fed1read03...

Steven L Umbach
07-09-2005, 11:54 PM
I would first run Check Disk to see if it finds any problems. The first link
below is to several tools that you may want to try, and there are also
Resource Kit tools that can check disk use. It may also help to check each
parent folder to see if you can narrow down where this is happening.

http://www.snapfiles.com/shareware/system/swdisktools.html
http://www.petri.co.il/download_free_reskit_tools.htm

Keep in mind that if the computer is compromised, then unless you fix the
problem, which may mean a total reinstall, the problem may just come
right back. I would certainly do a full system scan for malware, being sure
to use the latest definitions from your vendor, and use free tools from
SysInternals to check for suspicious activity such as unexplained processes
or port use. Process Explorer, Autoruns, TCPView, Filemon, and
RootkitRevealer can be particularly helpful. If you do find the computer
compromised, be sure not to connect it back to the network until steps have
been taken to secure it, which would at least include keeping current with
critical security updates, using strong passwords, disabling unneeded
services, using an antivirus program that is kept current, and a firewall that
ideally would start with default block-all rules for inbound and outbound
traffic that you would configure to allow only authorized traffic. ---
Steve

http://www.sysinternals.com/Utilities/ProcessExplorer.html --- Process
Explorer and link to SysInternals
http://www.microsoft.com/technet/security/default.mspx --- TechNet
Security

"Rick Totedo" <rick@alg.cc> wrote in message
news:%23%23TNfrpdFHA.3712@TK2MSFTNGP09.phx.gbl...

Roger Abell
07-09-2005, 11:54 PM
If he is seeing accurate free space info then it IS something more trivial.

--
Roger Abell

"Mercury" <me@spam.com> wrote in message
news:d9dsa9$db5$1@lust.ihug.co.nz...
> Well, with 1gb of ram (? 512 maybe), a 4gb partition, a swap file, a
service
> pack or two, a hyberfile he won't have much free disc space. It could be
> something quite trivial too...
>
>
>
>
> "Imhotep" <NoSpam@NoThanks.com> wrote in message
> news:uEiue.28$8o.13@fed1read03...
> > Mercury wrote:
> >
> >> There is a method to delete such files that may work.
> >> Use the command prompt and
> >> dir /X
> >> to list the files by 8.3 file name then delete those.
> >> Mind you, if you have been hacked... a clean install may be prefered.
> >>
> >>
> >>
> >> "Rick Totedo" <RickTotedo@discussions.microsoft.com> wrote in message
> >> news:5C31F7DE-BBBF-4153-BE4B-6DB90ABD7D74@microsoft.com...
> >>> Sorry, posted this to the wrong thread before.
> >>>
> >>> Thanks for the info. As for taking out the disk, that will be
difficult
> >>> because it is part of an array. I really don't know how it got
hacked.
> >>> We
> >>> are running a non routable address behind a Cisco 1750. There were no
> >>> FTP
> >>> services. This machine is just a membered server on a domain. It's
> >>> just
> >>> a
> >>> file and print server. I will admit the security updates were behind
> >>> about a
> >>> month so shame on me. It is tough to do anything on the drive because
> >>> there
> >>> is no space. Somehow they hide there data using embedded characters
in
> >>> the
> >>> directory structure and I haven't been able to uncover it. I will
keep
> >>> looking. I was hoping for a tool of some sort that would not "bypass"
> >>> these
> >>> directories but I haven't found one yet.
> >>>
> >>> --
> >>> Rick Totedo
> >>>
> >>>
> >>> "Imhotep" wrote:
> >>>
> >>>> Rick Totedo wrote:
> >>>>
> >>>> > I have a Windows 2000 server that was hacked. The OS partition is on
> >>>> > a 4 gig drive. The OS and profiles take up about 1.5 gig. When I look
> >>>> > at the drive properties, it says I only have 80 mb free. That means
> >>>> > someone is storing almost 3 gig of stuff on my computer. I have used
> >>>> > every tool and command line I can to find the data, but nothing will
> >>>> > read the directory structure. All attempts come back displaying just
> >>>> > the data that was original to the system. The hackers must have done
> >>>> > something to the system to "hide" their data from anything that reads
> >>>> > NTFS. I also cannot empty my recycle bin. It tells me that one of the
> >>>> > folders is not empty. When I look at that folder nothing is in it.
> >>>> >
> >>>> > Does anyone have an idea on how to access this data so I can find it
> >>>> > and delete it from my system. As of now, I am looking at the
> >>>> > format/reload method, but I would rather not do that.
> >>>> >
> >>>> > Thanks in advance.
> >>>> > Rick
> >>>>
> >>>> Sounds like you got hacked quite well.
> >>>>
> >>>> 1) First I would get a sniffer and log all connections to/from the
> >>>> server. You will need this data if you are going to report the incident.
> >>>>
> >>>> 2) Honestly, for investigative purposes I would pull the disk out, put
> >>>> it in another system (preferably a lab system) as a second data disk (ie
> >>>> as a non bootable disk) and see what is on the partition. There has been
> >>>> a huge rise in Windows kernel "root" kits out there and it sounds like
> >>>> you got one.
> >>>>
> >>>> If you see all sorts of data you did not put there, I would save the
> >>>> disk for evidence and contact the authorities.
> >>>>
> >>>> Do you know how your system was hacked? What was on it? Was it on your
> >>>> DMZ?
> >>>>
> >>>> -Im
> >>>>
> >
> > If he truly does have a "root" kit it will not matter much....As he is
> > hacked quite well...
> >
> > -Im
> >
>
>

Roger Abell
07-09-2005, 11:54 PM
Someone's back in town :-)

--
Roger

Steven L Umbach
07-09-2005, 11:54 PM
Only for a month and then off to Alaska on July 19. --- Steve


"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%238ODq8BeFHA.2520@TK2MSFTNGP09.phx.gbl...
> Someone's back in town :-)
>
> --
> Roger
>
>

Roger Abell
07-09-2005, 11:54 PM
:-) cool - quite literally

--
Roger
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%23WDIOpDeFHA.720@TK2MSFTNGP15.phx.gbl...
> Only for a month and then off to Alaska on July 19. --- Steve
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%238ODq8BeFHA.2520@TK2MSFTNGP09.phx.gbl...
> > Someone's back in town :-)
> >
> > --
> > Roger
> >
> >
>
>

Steven L Umbach
07-09-2005, 11:54 PM
Yeah. About 48 - 68 at the time we will be there. I have not been out of my
backyard in quite a while however. I am more worried about bugs! How about
you - any R&R this summer? Are you out most of the summer like the rest of
the university or do you still work a regular schedule? --- Steve


"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uxLPtTHeFHA.1684@TK2MSFTNGP09.phx.gbl...
> :-) cool - quite literally
>
> --
> Roger
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:%23WDIOpDeFHA.720@TK2MSFTNGP15.phx.gbl...
>> Only for a month and then off to Alaska on July 19. --- Steve
>>
>>
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:%238ODq8BeFHA.2520@TK2MSFTNGP09.phx.gbl...
>> > Someone's back in town :-)
>> >
>> > --
>> > Roger
>> >
>> >
>>
>>
>
>

Herluf
07-09-2005, 11:54 PM
I experienced a similar hack on one of my IIS servers, they managed to
upload a bunch of files to my drive, that could not be deleted. I used a
little tool called TreeSizePro to check where the biggest files were hidden, it
sorts the content of the disk any way you like. It is from Jam Software, you
can download it from here: http://www.snapfiles.com/get/treesizepro.html
If that does not show you any abnormalities on your disk, then you will have
to keep looking, sorry.


"Rick Totedo" wrote:

> I have a Windows 2000 server that was hacked. The OS partition is on a 4
> gig drive. The OS and profiles take up about 1.5 gig. When I look at the
> drive properties, it says I only have 80 mb free. That means someone is
> storing almost 3 gig of stuff on my computer. I have used every tool and
> command line I can to find the data, but nothing will read the directory
> structure. All attempts come back displaying just the data that was
> original to the system. The hackers must have done something to the system
> to "hide" their data from anything that reads NTFS. I also cannot empty my
> recycle bin. It tells me that one of the folders is not empty. When I look
> at that folder nothing is in it.
>
> Does anyone have an idea on how to access this data so I can find it and
> delete it from my system. As of now, I am looking at the format/reload
> method, but I would rather not do that.
>
> Thanks in advance.
> Rick
>
>
>
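
The three approaches the thread circles around (Rick's suspicion of entries hidden by odd characters in the directory structure, Mercury's dir /X short-name listing, and Herluf's TreeSize-style size walk) can be combined into one investigative script. This is an added example, not code from any poster; it assumes PowerShell 3.0 or later on the affected host and a single drive letter, and it only reports, never deletes.

```powershell
# Added example, not from any post in this thread. Sums every file the file
# system will enumerate (a TreeSize-style walk), compares the total with the
# volume's own used-space figure, flags names Win32 tools choke on (trailing
# dot/space, reserved device names), and asks cmd's dir /X for their 8.3 alias.
# Assumes PowerShell 3.0+ (Get-CimInstance) and a drive letter as parameter.
param([string]$Drive = 'C')

$root = "${Drive}:\"
$seen = [long]0
$odd  = New-Object System.Collections.Generic.List[string]
$errs = @()

# -Force includes hidden/system entries; enumeration errors are collected so
# paths the walk could not read are reported instead of silently skipped.
Get-ChildItem -LiteralPath $root -Recurse -Force `
    -ErrorAction SilentlyContinue -ErrorVariable errs |
    ForEach-Object {
        if (-not $_.PSIsContainer) { $seen += $_.Length }
        # Trailing dot/space and reserved device names are legal on NTFS but
        # the Win32 layer strips or refuses them, so Explorer cannot touch them.
        if ($_.Name -match '[. ]$' -or
            $_.BaseName -match '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$') {
            $odd.Add($_.FullName)
        }
    }

$vol  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='${Drive}:'"
$used = $vol.Size - $vol.FreeSpace
$gap  = $used - $seen

'Used per volume : {0,15:N0} bytes' -f $used
'Seen by walk    : {0,15:N0} bytes' -f $seen
'Unaccounted     : {0,15:N0} bytes' -f $gap
# Some gap is normal: the MFT, USN journal and other NTFS metafiles are never
# enumerated. Gigabytes of gap on a 4 GB OS volume are not normal.
'Paths the walk could not read: {0}' -f $errs.Count
$errs | ForEach-Object { '  ' + $_.TargetObject } | Select-Object -First 20

foreach ($p in $odd) {
    # dir /X prints the 8.3 short name beside the long name; the short name is
    # the handle cmd can still address when the long name is unusable.
    $parent = Split-Path -LiteralPath $p -Parent
    $leaf   = Split-Path -LiteralPath $p -Leaf
    "`n$p"
    cmd /c "dir /X /A `"$parent`"" | Select-String -SimpleMatch $leaf
}
```

As Jeff notes below, on a box with a suspected kernel rootkit the walk itself may be lied to, so a small unaccounted gap proves nothing; the numbers are most trustworthy when the disk is mounted read-only on a clean lab system, as Imhotep suggested.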

Jeff Cochran
07-09-2005, 11:55 PM
On Tue, 21 Jun 2005 15:53:38 -0400, "Rick Totedo" <rick@alg.cc> wrote:

>I have a Windows 2000 server that was hacked. The OS partition is on a 4
>gig drive. The OS and profiles take up about 1.5 gig. When I look at the
>drive properties, it says I only have 80 mb free. That means someone is
>storing almost 3 gig of stuff on my computer. I have used every tool and
>command line I can to find the data, but nothing will read the directory
>structure. All attempts come back displaying just the data that was
>original to the system. The hackers must have done something to the system
>to "hide" their data from anything that reads NTFS. I also cannot empty my
>recycle bin. It tells me that one of the folders is not empty. When I look
>at that folder nothing is in it.
>
>Does anyone have an idea on how to access this data so I can find it and
>delete it from my system. As of now, I am looking at the format/reload
>method, but I would rather not do that.

Unfortunately, reformat and reinstall is what's called for. If you
got hacked, or if you believe you got hacked, and have no real
knowledge about exactly what was changed on the system, you have no
reasonable assumption that the system can be cleaned.

Jeff

