Re: Windows 2000 server hacked

From: Shenan Stanley (newshelper_at_gmail.com)
Date: 06/22/05


Date: Wed, 22 Jun 2005 03:45:39 -0500

Rick Totedo wrote:
> I have a Windows 2000 server that was hacked. The OS partition is on
> a 4 gig drive. The OS and profiles take up about 1.5 gig. When I
> look at the drive properties, it says I only have 80 MB free. That
> means someone is storing almost 3 gig of stuff on my computer. I have
> used every tool and command line I can to find the data, but nothing
> will read the directory structure. All attempts come back displaying
> just the data that was original to the system. The hackers must have
> done something to the system to "hide" their data from anything that
> reads NTFS. I also cannot empty my recycle bin. It tells me that
> one of the folders is not empty. When I look at that folder nothing
> is in it.
> Does anyone have an idea on how to access this data so I can find it
> and delete it from my system? As of now, I am looking at the
> format/reload method, but I would rather not do that.

GHOST the partition, use ghost viewer to look at the partition.

-- 
Shenan Stanley
     MS-MVP
-- 
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html