redbrad0
Advanced Member
USA
3725 Posts
Posted - 12 July 2004 : 00:06:21

I got on one of the servers tonight and was just cleaning some things up when I noticed the C drive only had 20 GB of free space left. I knew this could not be the case, so I started going through all the folders trying to pin down where the large file was. As you can see from the image below, in C:\WINNT\system32\drivers\etc there is a dir for Control Panel, which I know is not the location of this, and if I right-click on it it tells me it's 42.1 GB, and if I double-click on the file it takes me into my Control Panel. Does anyone have any idea on this?

Brad | Oklahoma City Online Entertainment Guide | Oklahoma Event Tickets
Nathan
Help Moderator
USA
7664 Posts
Posted - 12 July 2004 : 03:57:35

That's not even supposed to be there.
Right-click and go to Explore; it says it has 3.3K files in it and 323 folders. What could those be?

Nathan Bales | CoreBoard | Active Users Download
HuwR
Forum Admin
United Kingdom
20600 Posts
Posted - 12 July 2004 : 04:39:32

Sounds like someone has hacked into your server. Use Task Manager to see if there is anything running that you do not recognise.
redbrad0
Advanced Member
USA
3725 Posts
Posted - 12 July 2004 : 08:36:20

quote: Originally posted by Nathan
> That's not even supposed to be there.
> Right-click and go to Explore; it says it has 3.3K files in it and 323 folders. What could those be?

If I right-click on the file or double-click on the file, I get what looks like the Control Panel, which you can see in the image below.

Brad | Oklahoma City Online Entertainment Guide | Oklahoma Event Tickets
HuwR
Forum Admin
United Kingdom
20600 Posts
Posted - 12 July 2004 : 09:03:12

I still stick by my last statement: your server has been hacked.
The Control Panel does not physically exist. There is NO Control Panel directory; the Control Panel applets sit in the system32 directory and are called *.cpl.
The C:\WINNT\system32\drivers\etc directory should have very few files in it, if any.
HuwR
Forum Admin
United Kingdom
20600 Posts
Posted - 12 July 2004 : 13:09:42

I made my statement mainly because C:\WINNT\system32\drivers\etc is quite often used as an FTP root by hackers who have managed to get in. Although I can't see anything that looks out of place, that doesn't mean there isn't anything; they could be hiding behind one of the svchost instances.
Also take a look in your registry and see if there is anything you don't recognise in the \Run folders, and run through the service list to make sure nothing strange is there either.
HuwR
Forum Admin
United Kingdom
20600 Posts
Posted - 12 July 2004 : 13:17:19

There are also many Trojans which use this directory to drop their payloads into.
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 12 July 2004 : 18:37:38

Don't forget it is actually possible for programs ("rootkits") to completely hide themselves from Task Manager too, so funny things often won't turn up there.
Use some of the tools over at Sysinternals, like Filemon etc., to see if you can see anything accessing that "file":
http://www.sysinternals.com/ntw2k/utilities.shtml

Kiwihosting.Net - The Forum Hosting Specialists
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 12 July 2004 : 20:40:29

Rename the directory in the Command Window and remove everything after the word Panel. Then you should be able to open the directory using Explorer.
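Editor's note on the trick HuwR and RichardKinser are describing, with an added example that is not code from anyone in this thread. A folder named `<anything>.{CLSID}` is rendered by Explorer as the shell object for that CLSID, so a folder called `Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}` opens the Control Panel when double-clicked, while the file system underneath still holds an ordinary directory. That is why "Explore" (Nathan's post) and a `rename` from the Command Window (Richard's post) see the real contents. The script below generalises the check: it walks a tree, flags every folder carrying a `.{GUID}` suffix (not only ones named "Control Panel"), reports the real file, folder and byte counts, and can strip the suffix with a plain rename. The sample tree it builds in a temp directory is constructed for the demo and is not the poster's server; the CLSID used is the real Control Panel one, but detection does not depend on which GUID is present.

```python
import os
import re
import tempfile

# Matches "<base>.{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"; Explorer shows such a
# folder as the shell object for that CLSID instead of listing its contents.
CLSID_SUFFIX = re.compile(
    r"^(?P<base>.+)\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)


def strip_clsid_suffix(name):
    """Return the folder name without its .{CLSID} tail, or None if it has none."""
    m = CLSID_SUFFIX.match(name)
    return m.group("base") if m else None


def dir_stats(path):
    """Count files, sub-folders and bytes below path as the file system sees them."""
    files = folders = size = 0
    for dirpath, dirnames, filenames in os.walk(path):
        folders += len(dirnames)
        files += len(filenames)
        for f in filenames:
            try:
                size += os.path.getsize(os.path.join(dirpath, f))
            except OSError:
                pass  # unreadable file: still counted, size unknown
    return files, folders, size


def find_clsid_dirs(root):
    """Return (path, plain_name, files, folders, bytes) for every disguised folder under root."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            plain = strip_clsid_suffix(d)
            if plain is not None:
                full = os.path.join(dirpath, d)
                hits.append((full, plain) + dir_stats(full))
    return hits


def unmask(hits):
    """Rename each hit to its plain name (deepest first so parent paths stay valid).

    os.rename bypasses Explorer entirely, exactly like `ren` in cmd."""
    renamed = []
    for full, plain, *_ in sorted(hits, key=lambda h: h[0].count(os.sep), reverse=True):
        target = os.path.join(os.path.dirname(full), plain)
        os.rename(full, target)
        renamed.append(target)
    return renamed


def build_sample_tree():
    """Constructed sample (hypothetical contents), a tiny drivers\\etc lookalike."""
    root = tempfile.mkdtemp(prefix="etc_")
    hidden = os.path.join(root, "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}")
    os.makedirs(os.path.join(hidden, "speedtest"))
    os.makedirs(os.path.join(hidden, "incoming", "movies"))
    for rel, size in [("readme.txt", 16), ("speedtest/dl.bin", 4096), ("incoming/movies/x.avi", 65536)]:
        with open(os.path.join(hidden, rel), "wb") as f:
            f.write(b"\0" * size)
    with open(os.path.join(root, "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")  # the one file you would expect here
    return root


def demo(rename=False):
    """Scan the sample tree; optionally strip the suffix. Returns a summary dict."""
    root = build_sample_tree()
    hits = find_clsid_dirs(root)
    summary = {
        "hits": len(hits),
        "plain_names": [h[1] for h in hits],
        "files": sum(h[2] for h in hits),
        "folders": sum(h[3] for h in hits),
        "bytes": sum(h[4] for h in hits),
        "renamed_to": [],
    }
    if rename:
        summary["renamed_to"] = [os.path.basename(p) for p in unmask(hits)]
    return summary


if __name__ == "__main__":
    for path, plain, files, folders, size in find_clsid_dirs(build_sample_tree()):
        print(f"{path}\n  looks like '{plain}': {files} files, {folders} folders, {size} bytes")
```

On a real box you would call `find_clsid_dirs(r"C:\WINNT\system32\drivers\etc")` (or the whole system32 tree) and only run `unmask` once you have copied the contents off for evidence; renaming makes the folder browsable in Explorer but does nothing about whatever process put it there.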
gpctexas
Junior Member
320 Posts
Posted - 12 July 2004 : 21:14:11

MSN uses directories like that; right-clicking them and clicking Explore can get you into them too. At least on Win XP it can.

ipgate 2.4.4 RC3 http://www.gpctexas.net/ipgate_v244.zip
sr_erick
Senior Member
USA
1318 Posts
Posted - 12 July 2004 : 23:13:58

I renamed the directory in DOS. Wow, lots of junk in there. There must have been a Trojan on there (that would explain such high bandwidth usage at that time), but it's been long removed. There are things in there having to do with speed tests to other countries, etc. ... lots of files and generally a lot of stuff. I'm sure there are a lot of pirated things in a lot of those folders as well.

Erick | Snowmobile Fanatics