TechInNeedmm asked:
Windows 2000 Server: Running out of disk space all of a sudden

Hi,

I have a Windows 2000 Server system that is running out of HD space quickly. A couple of days ago it had gigabytes free (can't remember how much) and in a matter of days, space is running out by the minute. I need to find out what is going on. It seems like there may be an infection from a virus. When I tried using HouseCall (Trend's online virus check) the updates failed to install due to a file denying access to copy the files. I downloaded Trend's ServerProtect enterprise suite and am scanning now. I don't know if this will continue to scan successfully, because I am down to 70 MB of free space. Can someone please recommend something or tell me if they have heard of this before?

This is urgent and needs to be rectified asap, so all help is appreciated. Please help!

Thanks in advance
jkr

Try http://www.sysinternals.com/ntw2k/source/filemon.shtml to track down which process is writing to your disk.
Hi TechInNeedmm,
You could try scanning with Symantec's online scanner.
Located here:
http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym

For some quick space, (hopefully enough to get your scan done) you could delete your temporary internet files, or set your page file to be smaller.

Hope this helps!

:o)

Bartender_1
Hi TechInNeedmm,
Check what kind of files have been written recently and identify the source.. (just do a search)
If you have some kind of mail server on the computer it might be a Badmail issue, or if it is SQL or Exchange there might be logs that need to be flushed.. (a backup malfunction?)
Great tool jkr!

Mattis
TechInNeedmm (ASKER)
jkr

I ran this for a little while and so far it is showing a lot of inetinfo.exe and explorer.exe entries.
This does not make any sense to me, can you please help me out?
Right now I am down to 30 MB free and the server has slowed to a crawl :(
Urgent assistance please.

Thanks in advance

Here is what is produced for example:
2932      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 0 Length: 4      
2933      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 24 Length: 1024      
2934      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 1048 Length: 1024      
2935      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 2072 Length: 1024      
2936      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 3096 Length: 1024      
2937      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 4120 Length: 1024      
2938      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 5144 Length: 1024      
2939      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 6168 Length: 1024      
2940      2:24:33 PM      inetinfo.exe:1040      FLUSH      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS            
140      2:24:16 PM      inetinfo.exe:1040      READ       C:\Inetpub\mailroot\Queue\NTFS_93d3d12601c41124000047a2.EML:PROPERTIES-LIVE      SUCCESS      Offset: 0 Length: 24      
141      2:24:16 PM      inetinfo.exe:1040      QUERY INFORMATION      C:\Inetpub\mailroot\Queue\NTFS_93d3d12601c41124000047a2.EML:PROPERTIES-LIVE      SUCCESS      Length: 2072      
142      2:24:16 PM      inetinfo.exe:1040      READ      C:\Inetpub\mailroot\Queue\NTFS_93d3d12601c41124000047a2.EML:PROPERTIES-LIVE      SUCCESS      Offset: 24 Length: 1024      
143      2:24:16 PM      inetinfo.exe:1040      QUERY INFORMATION      C:\Inetpub\mailroot\Queue\NTFS_93d3d12601c41124000047a2.EML:PROPERTIES-LIVE      SUCCESS      Length: 2072      
144      2:24:16 PM      inetinfo.exe:1040      READ      C:\Inetpub\mailroot\Queue\NTFS_93d3d12601c41124000047a2.EML:PROPERTIES-LIVE      SUCCESS      Offset: 1048 Length: 1024      
145      2:24:16 PM      inetinfo.exe:1040      CLOSE      C:\Inetpub\mailroot\Queue\NTFS_93d3d12601c41124000047a2.EML:PROPERTIES-LIVE      SUCCESS            
146      2:24:16 PM      explorer.exe:1160      DIRECTORY      C:\Inetpub\mailroot\Queue      SUCCESS      FileBothDirectoryInformation      
147      2:24:16 PM      explorer.exe:1160      DIRECTORY      C:\Inetpub\mailroot\Queue      SUCCESS      FileBothDirectoryInformation      
148      2:24:16 PM      inetinfo.exe:1040      READ       C:      SUCCESS      Offset: 20389888 Length: 4096      
149      2:24:16 PM      explorer.exe:1160      DIRECTORY      C:\Inetpub\mailroot\Queue      SUCCESS      FileBothDirectoryInformation      
150      2:24:16 PM      explorer.exe:1160      DIRECTORY      C:\Inetpub\mailroot\Queue      SUCCESS      FileBothDirectoryInformation      
151      2:24:16 PM      inetinfo.exe:1040      QUERY INFORMATION      C:\Inetpub\mailroot\Queue\NTFS_fa04d2e201c411dd00001b93.EML      SUCCESS      FileBasicInformation      
152      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 961945600 Length: 4096      
153      2:24:16 PM      inetinfo.exe:1040      OPEN      C:\Inetpub\mailroot\Queue\NTFS_93ec444c01c4102800004bba.EML      SUCCESS      Options: Open Sequential  Access: All      
154      2:24:16 PM      inetinfo.exe:1040      QUERY INFORMATION      C:\Inetpub\mailroot\Queue\NTFS_93ec444c01c4102800004bba.EML      SUCCESS      FileBasicInformation      
155      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 778625024 Length: 4096      
156      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 952356864 Length: 4096      
157      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 1150644224 Length: 4096      
158      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 1131929600 Length: 4096      
159      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 1054867456 Length: 4096      
160      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 768335872 Length: 4096      
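The Filemon output above is the key evidence in this thread: it names the process doing the writing (inetinfo.exe, the IIS process that also hosts the SMTP service) and the directory it writes to, and the `:PROPERTIES-LIVE` suffix shows that some of those writes go to NTFS alternate data streams attached to the .EML files. Reading that by eye with 30 MB left is painful. The script below is an added example, not code from the original thread: it totals successfully written bytes per process and per directory from a Filemon export and counts writes to named streams. The sample lines are constructed to imitate the tab-separated export format shown above (sequence, time, process:pid, operation, path, result, details); the file names and the cmd.exe line are made up.

```python
"""Total up who is writing where, from a Sysinternals Filemon export.

Added example for this thread, not code from the original post. The sample
lines below are constructed to imitate the tab-separated export format shown
in the question (sequence, time, process:pid, operation, path, result,
details); the file names and the cmd.exe line are made up.
"""
import re
from collections import Counter

SAMPLE = (
    "2932\t2:24:33 PM\tinetinfo.exe:1040\tWRITE\tC:\\Inetpub\\mailroot\\Queue\\NTFS_0001.EML:PROPERTIES-LIVE\tSUCCESS\tOffset: 0 Length: 4\n"
    "2933\t2:24:33 PM\tinetinfo.exe:1040\tWRITE\tC:\\Inetpub\\mailroot\\Queue\\NTFS_0001.EML:PROPERTIES-LIVE\tSUCCESS\tOffset: 24 Length: 1024\n"
    "2934\t2:24:33 PM\tinetinfo.exe:1040\tWRITE\tC:\\Inetpub\\mailroot\\Queue\\NTFS_0001.EML\tSUCCESS\tOffset: 0 Length: 2048\n"
    "2940\t2:24:33 PM\tinetinfo.exe:1040\tFLUSH\tC:\\Inetpub\\mailroot\\Queue\\NTFS_0001.EML:PROPERTIES-LIVE\tSUCCESS\t\n"
    "141\t2:24:16 PM\tinetinfo.exe:1040\tREAD\tC:\\Inetpub\\mailroot\\Queue\\NTFS_0002.EML:PROPERTIES-LIVE\tSUCCESS\tOffset: 0 Length: 24\n"
    "146\t2:24:16 PM\texplorer.exe:1160\tDIRECTORY\tC:\\Inetpub\\mailroot\\Queue\tSUCCESS\tFileBothDirectoryInformation\n"
    "152\t2:24:16 PM\texplorer.exe:1160\tREAD\tC:\tSUCCESS\tOffset: 961945600 Length: 4096\n"
    "161\t2:24:17 PM\tcmd.exe:1500\tWRITE\tC:\\Temp\\out.txt\tSUCCESS\tOffset: 0 Length: 100\n"
)

# A real export is tab-separated; a forum paste like the one above has runs of
# spaces instead, so split on either. Single spaces inside fields
# ("2:24:33 PM", "QUERY INFORMATION", "Offset: 0 Length: 4") survive.
FIELD_SPLIT = re.compile(r"\t|\s{2,}")
LENGTH_RE = re.compile(r"Length:\s*(\d+)")


def split_stream(path):
    """Separate an NTFS alternate data stream name from its file.

    'C:\\dir\\f.EML:PROPERTIES-LIVE' -> ('C:\\dir\\f.EML', 'PROPERTIES-LIVE').
    The colon in the drive letter ('C:') is not a stream separator.
    """
    head, sep, name = path.rpartition("\\")
    if not sep:                       # bare volume such as 'C:' (raw volume I/O)
        return path, None
    base, colon, stream = name.partition(":")
    return (head + "\\" + base, stream) if colon else (path, None)


def parse_line(line):
    """Parse one Filemon line into a dict, or return None for non-record lines."""
    parts = [p.strip() for p in FIELD_SPLIT.split(line.strip())]
    if len(parts) < 6 or not parts[0].isdigit():
        return None
    details = parts[6] if len(parts) > 6 else ""
    path, stream = split_stream(parts[4])
    m = LENGTH_RE.search(details)
    return {
        "seq": int(parts[0]),
        "process": parts[2].rsplit(":", 1)[0],   # drop the ':pid' suffix
        "op": parts[3],
        "path": path,
        "stream": stream,
        "result": parts[5],
        "length": int(m.group(1)) if m else 0,
    }


def summarize(text):
    """Bytes successfully written per process and per directory, plus ADS writes."""
    by_process, by_dir, ads_writes = Counter(), Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["op"] != "WRITE" or rec["result"] != "SUCCESS":
            continue
        by_process[rec["process"]] += rec["length"]
        directory = rec["path"].rpartition("\\")[0] or rec["path"]
        by_dir[directory] += rec["length"]
        if rec["stream"]:
            ads_writes[rec["stream"]] += 1
    return {"by_process": by_process, "by_dir": by_dir, "ads_writes": ads_writes}


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for label in ("by_process", "by_dir", "ads_writes"):
        print(label)
        for key, value in s[label].most_common():
            print(f"  {value:>10}  {key}")
```

Save the Filemon capture with File > Save and feed the file's text to summarize(); the directory with the largest total is where the disk is going, and the process column tells you whose service to stop. Writes to named streams do not show up in a file's size in Explorer, so counting them separately avoids a confusing mismatch between listed file sizes and free space.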
Bartender_1

I tried the Symantec online scanner last night, and it was taking hours to complete. During the scan I noticed 3 files were infected; however, when the scan was completed in the morning, the browser was closed and therefore I was not able to see the results of the scan. Would there be a log from the scan saved somewhere?
mattisflones

I do not have a mailserver on this machine, so that is not the issue here :)
Did you note which files were infected?
If so, use the associated tool from the site listed below.
I would suspect you are infected with one of the latest variants of netsky or beagle virus.

Try downloading the fix for these viruses from here:

http://securityresponse.symantec.com/avcenter/tools.list.html

Run these on your system to clean it.

Once you've cleaned your system, you should (re)install a good anti-virus program with the latest virus definitions, and do a complete scan of your system again.

Hope this helps!

:o)

Bartender_1
The online utility did not display which files were infected, nor did it specify what it was infected with. I was hoping for some kind of partial log (because it did not scan fully, maybe) so that I can perform the above mentioned. That is why I was asking if the utility produces a log somewhere on my system.

BTW, thanks for the prompt responses :)
Any more suggestions?
Please anyone !!!!!
HELP !!!
I'm unaware of any log that the online scanner uses.

If you run the beagle and netsky fixes on your system, they will do nothing to your system if it isn't infected with those viruses.

This is why I recommended you try them; typically they only take about 10 minutes to run (for most of the systems I've ever run them on, anyway).

With the partial report from Symantec, you know that your system is infected with something. You could try running the scanner again, and take note of the first virus it finds, then quit the scanner and download the fix for that virus.

:o)

Bartender_1
What the ? is happening to your C:\Inetpub\mailroot\Queue???
Try (if you do not depend on it) disabling the SMTP virtual server in IIS... You might have been attacked, or be experiencing an error there..
Is the C:\Inetpub\mailroot\Queue full of files?

As a second try I would go with Spybot and Ad-Aware to catch any malware...
http://beam.to/spybotsd 
http://www.lavasoftusa.com/support/download/

And even CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html
Check the other folders in C:\Inetpub\mailroot too..
Thanks Bartender. I was doing that before you posted and was not able to read these posts because the server is offline (i.e. no internet connection). Basically, I ran removal tools in the past and yes, they do run pretty fast depending on the amount of files that are scanned....(continue)....

And in response to mattisflones' comments:
(continued)......However, while it was scanning using the Netsky removal tool I noticed a strange thing whereby the C:\Inetpub\mailroot\Queue and C:\Inetpub\mailroot\Badmail are FULL of files. Do you know why these files and folders are here? I have an Exchange 2000 server offsite in another physical location and clients in this office are connected to that Exchange server via a VPN connection. So all SMTP services and e-mail mailboxes etc. are resident at that offsite location. So this is not related to that, correct? So, is it safe to assume that I DO NOT need these files? And if not, can I safely delete them, and how do I keep this from happening? By disabling the IIS services?

I think because of this behaviour that my system is compromised.

Thanks in advance
Well.. it's hard to say.. I can not claim to have full knowledge about all possible configs available, but as far as I can see the probable cause for the full Badmail and Queue is a relay error which allows others to send mail to you which is intended for forwarding, which is not happening.. ie: something you do not want and an IIS security fault..

I would say that you can delete those files, and enter IIS admin to disable the virtual SMTP and then get rid of the problem..
Try disabling the service first to see whether the files increase; if they do not you've found the problem and may delete the files..
There's always a possibility that you are infected in some way by malware that uses these folders to cover up its activity, and the files simply are not forwarded and deleted due to an error.. If so the files will continue to increase in volume.

The IIS Virtual SMTP does not affect the offsite Exchange or VPN connections in any way!
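The relay theory in the post above can be checked directly from the queued messages rather than inferred from folder growth: if neither the sender nor any recipient of a queued message belongs to the domain this server is supposed to handle mail for, the server has been used as a relay by a third party. The script below is an added example, not code from the thread. It assumes the .EML files in C:\Inetpub\mailroot\Queue are plain RFC 822 messages whose headers Python's email parser can read, uses 'example.com' as a stand-in for the local domain, and builds a temporary directory of constructed sample messages so it runs offline; point triage() at the real Queue folder (or a copy taken off the server) to use it for real.

```python
"""Triage the .EML files in an IIS SMTP Queue folder: relayed or ours?

Added example for this thread, not code from the original posts. It assumes
the queued .EML files are plain RFC 822 messages (so Python's email parser can
read their headers) and that 'example.com' stands in for the domain the server
is supposed to handle mail for. The sample messages are constructed.
"""
import os
import tempfile
from collections import Counter
from email.parser import BytesParser
from email.utils import getaddresses

LOCAL_DOMAINS = {"example.com"}   # assumption: domains this server legitimately serves

# Constructed messages: two relayed spam messages, one outbound, one inbound,
# plus a non-message file that must be ignored.
SAMPLE_MESSAGES = {
    "NTFS_0001.EML": b"From: bulk@spam.invalid\r\nTo: victim@other.invalid\r\n"
                     b"Subject: Cheap offers\r\n\r\nbody\r\n",
    "NTFS_0002.EML": b"From: bulk@spam.invalid\r\nTo: another@third.invalid\r\n"
                     b"Subject: Cheap offers\r\n\r\nbody\r\n",
    "NTFS_0003.EML": b"From: alice@example.com\r\nTo: bob@partner.invalid\r\n"
                     b"Subject: Invoice\r\n\r\nbody\r\n",
    "NTFS_0004.EML": b"From: carol@partner.invalid\r\nTo: dave@example.com\r\n"
                     b"Subject: Re: Invoice\r\n\r\nbody\r\n",
    "README.txt": b"not a message\r\n",
}


def build_sample_dir():
    """Write the constructed messages into a fresh temp directory; return its path."""
    d = tempfile.mkdtemp(prefix="mailroot_queue_")
    for name, data in SAMPLE_MESSAGES.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


def header_domains(msg, *headers):
    """Lower-cased domain part of every address found in the given headers."""
    values = []
    for h in headers:
        values.extend(msg.get_all(h, []))
    return [addr.rpartition("@")[2].lower()
            for _, addr in getaddresses(values) if "@" in addr]


def classify(msg, local_domains=LOCAL_DOMAINS):
    """'relay' when neither sender nor any recipient is ours: the server is
    being used as an open relay. Otherwise 'inbound', 'outbound' or 'no-recipient'."""
    senders = header_domains(msg, "From", "Sender")
    rcpts = header_domains(msg, "To", "Cc")
    if not rcpts:
        return "no-recipient"
    if any(d in local_domains for d in rcpts):
        return "inbound"
    if any(d in local_domains for d in senders):
        return "outbound"
    return "relay"


def triage(directory, local_domains=LOCAL_DOMAINS):
    """Walk a queue directory with os.scandir (it streams entries, unlike the
    Explorer view that hangs on huge folders) and tally verdicts, senders, subjects."""
    verdicts, senders, subjects = Counter(), Counter(), Counter()
    for entry in os.scandir(directory):
        if not entry.is_file() or not entry.name.lower().endswith(".eml"):
            continue
        with open(entry.path, "rb") as f:
            msg = BytesParser().parse(f, headersonly=True)   # headers only: cheap on a full disk
        verdicts[classify(msg, local_domains)] += 1
        senders[msg.get("From", "?")] += 1
        subjects[msg.get("Subject", "?")] += 1
    return {
        "verdicts": verdicts,
        "top_senders": senders.most_common(3),
        "top_subjects": subjects.most_common(3),
    }


if __name__ == "__main__":
    report = triage(build_sample_dir())
    print("verdicts:", dict(report["verdicts"]))
    print("top senders:", report["top_senders"])
    print("top subjects:", report["top_subjects"])
```

A queue dominated by 'relay' verdicts with a handful of repeated senders and subjects is the signature of relay abuse; a queue of 'inbound' or 'outbound' mail points at a delivery failure instead, which would change what is safe to delete.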

> Well.. it's hard to say.. I can not claim to have full knowledge about all possible configs available, but as far as I can see the probable cause for the full Badmail and Queue is a relay error which allows others to send mail to you which is intended for forwarding, which is not happening.. ie: something you do not want and an IIS security fault..

Why would there be any mail in the Badmail or Queue folders? The only mail that is being used here is through an offsite Exchange server through a VPN connection. Is it safe to assume that a trojan or worm etc. was using my IIS server and the SMTP protocol to perform illegal activities?

> I would say that you can delete those files, and enter IIS admin to disable the virtual SMTP and then get rid of the problem..
> Try disabling the service first to see whether the files increase; if they do not you've found the problem and may delete the files..

I disabled the IIS service and set it to "Disabled", which in turn disabled the SMTP service as well. Seeing that I do not host a web server and mail is handled through a VPN to an offsite location, I should be safe doing this.

> There's always a possibility that you are infected in some way by malware that uses these folders to cover up its activity, and the files simply are not forwarded and deleted due to an error.. If so the files will continue to increase in volume.

This is what I think as well, but when I tried to run Pest Patrol and Ad-Aware they would stop responding in C:\inetpub\iissamples\sdk\asp\... or in the inetpub directory for a long period of time. Probably because of the amount of files in the Badmail and Queue directories and maybe an infection.
I scanned using Trend and all threats and infections have been eliminated.

> The IIS Virtual SMTP does not affect the offsite Exchange or VPN connections in any way!

That is why I disabled it and hope it does not "break" anything.

Again, so you say it is safe to delete the files in the "Badmail" and "Queue" folders?
When I say that these folders are huge, I really mean HUGE. When I try to go into these folders via Windows Explorer the program stops responding. However, I can access these folders via the command prompt. This is the way I will have to delete all the contents of the "Badmail" and "Queue" folders without damaging the inetpub directory structure.

ASKER CERTIFIED SOLUTION
mattisflones
> PS: if you have any SMTP-based website mail functions on this server they might depend on the virtual SMTP..

I am not sure I get this.
BTW thanks for the prompt responses and I have rewarded you full credit. (500 pts)

How do I reward and grant points to jkr as well?
Without that utility (filemon) I would have spent more time on this issue.

Thanks!
:-) Glad we could help.. I agree that it would be hard to solve this without the filemon results..

To split points between experts you can follow this guide:
https://www.experts-exchange.com/Miscellaneous/help.jsp#hi19
But that's too late when you have accepted an answer..
Your options for rewarding jkr are to open a new question in this topic area with points for him, or you can write a request here:
https://www.experts-exchange.com/Community_Support/ 
And ask the moderators to open the question so you can redistribute points.. (remember to include a link to this Q)
What I was thinking of with the webmail functions was if you have some kind of web app on the IIS that creates mails from, e.g., forms in a web page... these functions often rely on the built-in IIS SMTP..
Yeah, I know, I accepted your answer with full points. This was intended, because you "stuck" around and helped me through this problem till the end. Thanks a lot. I really appreciate it :)

However, I also wanted to give jkr points as well, so I will open a new topic to give him points.

Again, Thanks!!!
Well, we can't leave someone behind.. right ;-) I've been in my share of trouble and will help anyone I can.. I know how hard this can be, and a new pair of eyes might be the ones that have seen the problem before..

You're welcome!