Solved

Windows 2000 Server: Running out of disk space all of a sudden

Posted on 2004-03-24
22
1,742 Views
Last Modified: 2010-04-12
Hi,

I have a Windows 2000 Server system that is running out of HD space quickly. A couple of days ago it had gigabytes free (can't remember how much) and in a matter of days, space is running out by the minute. I need to find out what is going on. Seems like there may be an infection from a virus. When I tried using HouseCall (Trend's online virus check) the updates failed to install due to a file denying access to copy the files. I downloaded Trend's ServerProtect enterprise suite and am scanning now. I don't know if this will continue to scan successfully, because I am down to 70 MB of free space. Can someone please recommend something or instruct me if they have heard of this before?

This is urgent and needs to be rectified asap, so all help is appreciated. Please help!

Thanks in advance
Question by: TechInNeedmm
22 Comments
 
LVL 86

Expert Comment

by:jkr
Try http://www.sysinternals.com/ntw2k/source/filemon.shtml to track down which process is writing to your disk.
 
LVL 22

Expert Comment

by:Bartender_1
Hi TechInNeedmm,
You could try scanning with Symantec's online scanner.
Located here:
http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym

For some quick space (hopefully enough to get your scan done) you could delete your temporary internet files, or set your page file to be smaller.

Hope this helps!

:o)

Bartender_1
 
LVL 15

Expert Comment

by:mattisflones
Hi TechInNeedmm,
Check what kind of files have recently been written and identify the source.. (just do a search)
If you have some kind of mailserver on the computer it might be a badmail issue, or if it is SQL or Exchange there might be logs that need to be flushed.. (a backup malfunction?)
Great tool jkr!

Mattis
 

Author Comment

by:TechInNeedmm
jkr

I ran this for a little while and so far it is showing a lot of inetinfo.exe and explorer.exe entries.
This does not make any sense to me, can you please help me out?
Right now I am down to 30 MB free and the server has slowed to a crawl :(
Urgent assistance please.

Thanks in advance

Here is an example of what is produced:
2932      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 0 Length: 4      
2933      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 24 Length: 1024      
2934      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 1048 Length: 1024      
2935      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 2072 Length: 1024      
2936      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 3096 Length: 1024      
2937      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 4120 Length: 1024      
2938      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 5144 Length: 1024      
2939      2:24:33 PM      inetinfo.exe:1040      WRITE      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS      Offset: 6168 Length: 1024      
2940      2:24:33 PM      inetinfo.exe:1040      FLUSH      C:\Inetpub\mailroot\Queue\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE      SUCCESS            
140      2:24:16 PM      inetinfo.exe:1040      READ       C:\Inetpub\mailroot\Queue\NTFS_93d3d12601c41124000047a2.EML:PROPERTIES-LIVE      SUCCESS      Offset: 0 Length: 24      
141      2:24:16 PM      inetinfo.exe:1040      QUERY INFORMATION      C:\Inetpub\mailroot\Queue\NTFS_93d3d12601c41124000047a2.EML:PROPERTIES-LIVE      SUCCESS      Length: 2072      
142      2:24:16 PM      inetinfo.exe:1040      READ      C:\Inetpub\mailroot\Queue\NTFS_93d3d12601c41124000047a2.EML:PROPERTIES-LIVE      SUCCESS      Offset: 24 Length: 1024      
143      2:24:16 PM      inetinfo.exe:1040      QUERY INFORMATION      C:\Inetpub\mailroot\Queue\NTFS_93d3d12601c41124000047a2.EML:PROPERTIES-LIVE      SUCCESS      Length: 2072      
144      2:24:16 PM      inetinfo.exe:1040      READ      C:\Inetpub\mailroot\Queue\NTFS_93d3d12601c41124000047a2.EML:PROPERTIES-LIVE      SUCCESS      Offset: 1048 Length: 1024      
145      2:24:16 PM      inetinfo.exe:1040      CLOSE      C:\Inetpub\mailroot\Queue\NTFS_93d3d12601c41124000047a2.EML:PROPERTIES-LIVE      SUCCESS            
146      2:24:16 PM      explorer.exe:1160      DIRECTORY      C:\Inetpub\mailroot\Queue      SUCCESS      FileBothDirectoryInformation      
147      2:24:16 PM      explorer.exe:1160      DIRECTORY      C:\Inetpub\mailroot\Queue      SUCCESS      FileBothDirectoryInformation      
148      2:24:16 PM      inetinfo.exe:1040      READ       C:      SUCCESS      Offset: 20389888 Length: 4096      
149      2:24:16 PM      explorer.exe:1160      DIRECTORY      C:\Inetpub\mailroot\Queue      SUCCESS      FileBothDirectoryInformation      
150      2:24:16 PM      explorer.exe:1160      DIRECTORY      C:\Inetpub\mailroot\Queue      SUCCESS      FileBothDirectoryInformation      
151      2:24:16 PM      inetinfo.exe:1040      QUERY INFORMATION      C:\Inetpub\mailroot\Queue\NTFS_fa04d2e201c411dd00001b93.EML      SUCCESS      FileBasicInformation      
152      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 961945600 Length: 4096      
153      2:24:16 PM      inetinfo.exe:1040      OPEN      C:\Inetpub\mailroot\Queue\NTFS_93ec444c01c4102800004bba.EML      SUCCESS      Options: Open Sequential  Access: All      
154      2:24:16 PM      inetinfo.exe:1040      QUERY INFORMATION      C:\Inetpub\mailroot\Queue\NTFS_93ec444c01c4102800004bba.EML      SUCCESS      FileBasicInformation      
155      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 778625024 Length: 4096      
156      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 952356864 Length: 4096      
157      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 1150644224 Length: 4096      
158      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 1131929600 Length: 4096      
159      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 1054867456 Length: 4096      
160      2:24:16 PM      explorer.exe:1160      READ       C:      SUCCESS      Offset: 768335872 Length: 4096      
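An added example, not part of the original thread: the Filemon rows above only make sense once they are summed. Filemon saves its log as tab-separated columns (sequence, time, process:pid, request, path, result, other), and for READ/WRITE rows the last column carries "Offset: N Length: M". Adding up M per process and directory for successful WRITE rows shows who is actually consuming the disk; explorer.exe's DIRECTORY listings and raw volume reads drop out. The sample rows are constructed from the lines posted above; no other input is assumed.

```python
"""Rank the processes and directories behind Filemon WRITE traffic."""
import re
from collections import defaultdict

# Constructed sample, modelled on the Filemon rows posted in the thread.
_Q = r"C:\Inetpub\mailroot\Queue"
_MSG = _Q + r"\NTFS_c0e43a6601c411dd00001b7d.EML:PROPERTIES-LIVE"
_OLD = _Q + r"\NTFS_93d3d12601c41124000047a2.EML:PROPERTIES-LIVE"
SAMPLE_ROWS = [
    ("2932", "2:24:33 PM", "inetinfo.exe:1040", "WRITE", _MSG, "SUCCESS", "Offset: 0 Length: 4"),
    ("2933", "2:24:33 PM", "inetinfo.exe:1040", "WRITE", _MSG, "SUCCESS", "Offset: 24 Length: 1024"),
    ("2934", "2:24:33 PM", "inetinfo.exe:1040", "WRITE", _MSG, "SUCCESS", "Offset: 1048 Length: 1024"),
    ("2935", "2:24:33 PM", "inetinfo.exe:1040", "WRITE", _MSG, "SUCCESS", "Offset: 2072 Length: 1024"),
    ("2936", "2:24:33 PM", "inetinfo.exe:1040", "WRITE", _MSG, "SUCCESS", "Offset: 3096 Length: 1024"),
    ("2937", "2:24:33 PM", "inetinfo.exe:1040", "WRITE", _MSG, "SUCCESS", "Offset: 4120 Length: 1024"),
    ("2938", "2:24:33 PM", "inetinfo.exe:1040", "WRITE", _MSG, "SUCCESS", "Offset: 5144 Length: 1024"),
    ("2939", "2:24:33 PM", "inetinfo.exe:1040", "WRITE", _MSG, "SUCCESS", "Offset: 6168 Length: 1024"),
    ("2940", "2:24:33 PM", "inetinfo.exe:1040", "FLUSH", _MSG, "SUCCESS", ""),
    ("140", "2:24:16 PM", "inetinfo.exe:1040", "READ ", _OLD, "SUCCESS", "Offset: 0 Length: 24"),
    ("146", "2:24:16 PM", "explorer.exe:1160", "DIRECTORY", _Q, "SUCCESS", "FileBothDirectoryInformation"),
    ("152", "2:24:16 PM", "explorer.exe:1160", "READ ", "C:", "SUCCESS", "Offset: 961945600 Length: 4096"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"

_LENGTH = re.compile(r"Length:\s*(\d+)")


def parse_filemon(text):
    """Return one dict per well-formed row; header or truncated lines are skipped."""
    records = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) < 6 or not cols[0].isdigit():
            continue
        other = cols[6] if len(cols) > 6 else ""
        m = _LENGTH.search(other)
        records.append({
            "seq": int(cols[0]),
            "process": cols[2].rsplit(":", 1)[0],   # drop the ":pid" suffix
            "request": cols[3],
            "path": cols[4],
            "result": cols[5],
            "length": int(m.group(1)) if m else 0,   # bytes moved by READ/WRITE rows
        })
    return records


def directory_of(path):
    """Parent directory of a Filemon path; a bare volume such as "C:" is returned as-is.
    The ":PROPERTIES-LIVE" suffix is an NTFS alternate data stream on the .EML file,
    so it stays with the file name and never leaks into the directory."""
    head, sep, _ = path.rpartition("\\")
    return head if sep else path


def top_writers(text, n=5):
    """(process, directory, bytes) tuples for successful WRITEs, largest first."""
    totals = defaultdict(int)
    for r in parse_filemon(text):
        if r["request"] == "WRITE" and r["result"] == "SUCCESS":
            totals[(r["process"], directory_of(r["path"]))] += r["length"]
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(proc, d, b) for (proc, d), b in ranked[:n]]


if __name__ == "__main__":
    for proc, d, b in top_writers(SAMPLE_LOG):
        print("%-14s %-32s %8d bytes" % (proc, d, b))
```

Run against a Filemon log saved with File > Save, the ranking puts inetinfo.exe writing into C:\Inetpub\mailroot\Queue at the top, which is exactly the question the thread then turns to: why is the IIS SMTP service spooling mail on a box that is not supposed to be a mail server.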
 

Author Comment

by:TechInNeedmm
Bartender_1

I tried the Symantec online scanner last night, and it was taking hours to complete; during the scan I noticed 3 files were infected. However, when the scan completed in the morning, the browser was closed and therefore I was not able to see the results of the scan. Would there be a log from the scan saved somewhere?
 

Author Comment

by:TechInNeedmm
mattisflones

I do not have a mailserver on this machine, so that is not the issue here :)
 
LVL 22

Expert Comment

by:Bartender_1
Did you note which files were infected?
If so, use the associated tool from the site listed below.
I would suspect you are infected with one of the latest variants of the Netsky or Beagle virus.

Try downloading the fix for these viruses from here:

http://securityresponse.symantec.com/avcenter/tools.list.html

Run these on your system to clean it.

Once you've cleaned your system, you should (re)install a good anti-virus program with the latest virus definitions, and do a complete scan of your system again.

Hope this helps!

:o)

Bartender_1
 

Author Comment

by:TechInNeedmm
The online utility did not display which files were infected nor did it specify what it was infected with. I was hoping for some kind of partial log (because it did not scan fully, maybe) so that I can perform the above mentioned. That is why I was asking if the utility produces a log somewhere on my system.

BTW, thanks for the prompt responses :)
Any more suggestions?
 

Author Comment

by:TechInNeedmm
Please, anyone!!!!!
HELP!!!
 
LVL 22

Expert Comment

by:Bartender_1
I'm unaware of any log that the online scanner uses.

If you run the Beagle and Netsky fixes on your system, they will do nothing to your system if it isn't infected with those viruses.

This is why I recommended you try them; typically, they only take about 10 minutes to run. (For most of the systems I've ever run them on, anyway.)

With the partial report from Symantec, you know that your system is infected with something. You could try running the scanner again, and take note of the first virus it finds, then quit the scanner and download the fix for that virus.

:o)

Bartender_1
 
LVL 15

Expert Comment

by:mattisflones
What the ? is happening to your C:\Inetpub\mailroot\Queue???
Try (if you do not depend on it) disabling the SMTP virtual server in IIS... You might have been attacked, or be experiencing an error there..
Is the C:\Inetpub\mailroot\Queue full of files?

As a second try I would go with Spybot and Ad-Aware to catch any malware...
http://beam.to/spybotsd
http://www.lavasoftusa.com/support/download/

And also CoolWebShredder:
http://www.spychecker.com/program/coolwebshredder.html
 
LVL 15

Expert Comment

by:mattisflones
Check the other folders in C:\Inetpub\mailroot too..
 

Author Comment

by:TechInNeedmm
Thanks Bartender. I was doing that before you posted and was not able to read these posts because the server is offline (i.e. no internet connection). Basically, I ran removal tools in the past and yes, they do run pretty fast based on the amount of files that are scanned.... (continued below)

And in response to mattisflones' comments:
(continued)...... However, while it was scanning using the Netsky removal tool I noticed a strange thing whereby the C:\Inetpub\mailroot\Queue and C:\Inetpub\mailroot\Badmail are FULL of files. Do you know why these files and folders are here? I have an Exchange 2000 server offsite in another physical location and clients in this office are connected to that Exchange server via a VPN connection. So all SMTP services and e-mail mailboxes etc. are resident at that offsite location. So this is not related to that, correct? So, is it safe to assume that I DO NOT need these files? And if not, can I safely delete them, as well as how do I keep this from happening? By disabling the IIS services?

I think because of this behaviour that my system is compromised.

Thanks in advance
 
LVL 15

Expert Comment

by:mattisflones
Well.. it's hard to say.. I can not claim to have full knowledge about all possible configs available, but as far as I can see the probable cause for the full Badmail and Queue is a relay error which allows others to send mail to you which is intended for forwarding, which is not happening.. i.e. something you do not want and an IIS security fault..

I would say that you can delete those files, and enter IIS admin to disable the virtual SMTP and then get rid of the problem..
Try disabling the service first to see whether the files increase; if they do not, you've found the problem and may delete the files..
There's always a possibility that you are infected in some way by malware that uses these folders to cover up its activity, and the files simply are not forwarded and deleted due to an error.. If so, the files will continue to increase in volume.

The IIS virtual SMTP does not affect the offsite Exchange or VPN connections in any way!

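The stop-the-service, watch-for-growth, then-delete procedure described above, as an added Python example that is not part of the original thread. It assumes the default IIS 5.0 mailroot layout (C:\Inetpub\mailroot with its Queue and Badmail subfolders) and that the SMTP service has already been stopped (for example "net stop smtpsvc", or stopping the SMTP Virtual Server in the IIS snap-in). The Snapshot/triage names and the make_sample_spool helper, which builds a constructed temporary tree instead of touching a real mailroot, are my own. Two things matter for a folder this size: listing it with a streaming directory scan rather than Explorer, and deleting only the files directly inside Queue and Badmail so the mailroot tree IIS expects stays intact.

```python
"""Triage and purge the IIS SMTP spool folders once the service is stopped."""
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

MAILROOT = Path(r"C:\Inetpub\mailroot")   # assumed default; adjust for your install
SPOOL_DIRS = ("Queue", "Badmail")


@dataclass(frozen=True)
class Snapshot:
    files: int
    total_bytes: int


def snapshot(folder):
    """Count regular files directly inside folder.  os.scandir streams the
    listing, so this keeps working on folders large enough to hang Explorer."""
    n = size = 0
    with os.scandir(folder) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                n += 1
                size += entry.stat(follow_symlinks=False).st_size
    return Snapshot(n, size)


def still_growing(before, after):
    """True when mail is still arriving: either the service is not really
    stopped, or something other than the SMTP service is writing here."""
    return after.files > before.files or after.total_bytes > before.total_bytes


def purge_files(folder):
    """Delete only files directly inside folder.  Subfolders and the folder
    itself are kept, so the mailroot structure is not damaged.  Paths are
    collected first so deleting does not disturb the directory iteration."""
    victims = [e.path for e in os.scandir(folder) if e.is_file(follow_symlinks=False)]
    for p in victims:
        os.unlink(p)
    return len(victims)


def triage(mailroot=MAILROOT, wait_seconds=60, do_purge=False):
    """Snapshot each spool folder twice; purge only folders that stopped growing."""
    before = {d: snapshot(mailroot / d) for d in SPOOL_DIRS}
    time.sleep(wait_seconds)
    results = {}
    for d, old in before.items():
        new = snapshot(mailroot / d)
        if still_growing(old, new):
            results[d] = "still growing (%d -> %d files); do not purge yet" % (old.files, new.files)
        elif do_purge:
            results[d] = "purged %d files" % purge_files(mailroot / d)
        else:
            results[d] = "stable at %d files, %d bytes; safe to purge" % (new.files, new.total_bytes)
    return results


def make_sample_spool():
    """Constructed stand-in for a real mailroot: a temp tree with a few
    message-sized files and one subfolder that must survive the purge."""
    root = Path(tempfile.mkdtemp(prefix="mailroot_"))
    for d in SPOOL_DIRS:
        (root / d).mkdir()
    for i in range(3):
        (root / "Queue" / ("NTFS_%08x.EML" % i)).write_bytes(b"x" * 10)
    (root / "Queue" / "keep").mkdir()
    for i in range(2):
        (root / "Badmail" / ("%08x.BAD" % i)).write_bytes(b"y" * 20)
    return root


if __name__ == "__main__":
    root = make_sample_spool()
    print(triage(root, wait_seconds=0))
    print(triage(root, wait_seconds=0, do_purge=True))
```

Without a scripting runtime on the box, the same check is two "dir" listings of each folder taken a minute apart from a command prompt: if the file count stops climbing after the service is stopped, the SMTP service was the writer, and the files can go.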
 

Author Comment

by:TechInNeedmm
> Well.. it's hard to say.. I can not claim to have full knowledge about all possible configs available, but as far as I can see the probable cause for the full Badmail and Queue is a relay error which allows others to send mail to you which is intended for forwarding, which is not happening.. i.e. something you do not want and an IIS security fault..

Why would there be any mail in the Badmail or Queue folders? The only mail that is being used here is through an offsite Exchange server through a VPN connection. Is it safe to assume that a trojan or worm etc. was using my IIS server and the SMTP protocol to perform illegal activities?

> I would say that you can delete those files, and enter IIS admin to disable the virtual SMTP and then get rid of the problem..
> Try disabling the service first to see whether the files increase; if they do not, you've found the problem and may delete the files..

I disabled the IIS service and set it to "Disabled", which in turn disabled the SMTP service as well. Seeing that I do not host a web server and mail is handled through a VPN at an offsite location, I should be safe doing this.

> There's always a possibility that you are infected in some way by malware that uses these folders to cover up its activity, and the files simply are not forwarded and deleted due to an error.. If so, the files will continue to increase in volume.

This is what I think as well, but when I tried to run Pest Patrol and Ad-Aware they would stop responding in C:\inetpub\iissamples\sdk\asp\... or in the inetpub directory for a long period of time. Probably because of the amount of files in the Badmail and Queue directories and maybe an infection.
I scanned using Trend and all threats and infections have been eliminated.

> The IIS virtual SMTP does not affect the offsite Exchange or VPN connections in any way!

That is why I disabled it and hope it does not "break" anything.

Again, so you say it is safe to delete the files in the "Badmail" and "Queue" folders?
When I say that these folders are huge, I really mean HUGE. When I try to go into these folders via Windows Explorer the program stops responding. However, I can access these folders via command prompt. This is the way I will have to delete all the contents of the "Badmail" and "Queue" folders without damaging the inetpub directory structure.

 
LVL 15

Accepted Solution

by: mattisflones (earned 500 total points)
"Is it safe to assume that a trojan or worm etc. was using my IIS server and the SMTP protocol to perform illegal activities?"
Yes, I think it's safe to say so! As far as I have experienced, the virtual SMTP of IIS is more trouble than joy, and I quit using it as a frontend because of its vulnerability to attacks and worms..

On the disabling, "I should be safe doing this", I'd say yes, I agree!

You're right assuming that Ad-Aware and Pest Patrol will stop upon a large amount of files; run them after you have deleted..

Yes, I would say you're safe deleting the files; I can not think of any way this service/these folders could be used for anything if you do not use it for external SMTP forwarding, i.e. sending mail directly to the internet and not through the Exchange.. (which it sounds like you do not do..)
PS: if you have any SMTP-based website mail functions on this server they might depend on the virtual SMTP..

You will not harm IIS in any way by deleting the files!
 

Author Comment

by:TechInNeedmm
> PS: if you have any SMTP-based website mail functions on this server they might depend on the virtual SMTP..

I am not sure if I get this.
BTW thanks for the prompt responses and I have rewarded you full credit. (500 pts)

How do I reward and grant points to jkr as well?
Without that utility (filemon) I would have spent more time on this issue.

Thanks!
 
LVL 15

Expert Comment

by:mattisflones
:-) Glad we could help.. I agree that it would be hard to solve this without the filemon results..

To split points between experts you can follow this guide:
http://www.experts-exchange.com/Miscellaneous/help.jsp#hi19
But that's too late when you have accepted an answer..
Your options for rewarding jkr are to open a new question in this topic area with points for him, or you can write a request here:
http://www.experts-exchange.com/Community_Support/
And ask the moderators to open the question so you can redistribute points.. (remember to include a link to this Q)
 
LVL 15

Expert Comment

by:mattisflones
What I was thinking of with the webmail functions was if you have some kind of web app on the IIS that creates mails from e.g. forms in a webpage... these functions often rely on the built-in IIS SMTP..
 

Author Comment

by:TechInNeedmm
Yeah, I know, I accepted your answer with full points. This was intended, because you "stuck" around and helped me through this problem till the end. Thanks a lot. I really appreciate it :)

However, I also wanted to give jkr points as well, so I will open a new topic to give him points.

Again, Thanks!!!
 

 
LVL 15

Expert Comment

by:mattisflones
Well, we can't leave someone behind.. right ;-) I've been in my share of trouble and will help anyone I can.. I know how hard this can be, and a new pair of eyes might be the ones that have seen the problem before..

You're welcome!
