HACKED!!!! Can't delete folders

Harrison Midkiff

Hello:

My W2K server running IIS 5.0 with FTP was hacked. Someone placed half a
dozen folders on the server and no matter what I do I can not delete them.
I tried taking ownership of them the normal way from Windows Explorer and
even used xcacls but still can't get control of them. Even after a reboot I
can not get a hold of them. A few of the folders have strange characters in
them and spaces at the beginning. This is what they look like:

<blank no name>
a
aa
ab
John Paul
.ÿÿ. ÿ. ÿ. .. 5.56.ÿ ÿ ÿ. ÿ. .
.ÿÿ ÿ.. 4.28.ÿÿÿÿÿ. .
.ÿÿÿÿ ÿ ÿ.. 21.57.ÿÿÿ ÿ ÿÿÿ.
.ÿ ÿÿ. ÿÿ ÿ. ÿÿ .. 23.7.ÿÿÿÿ .
.ÿÿ ÿÿ ÿ. ÿÿ. .. 2.93.ÿÿÿ. ÿÿÿ.

Does anyone know how I can blow the folders out?

Harrison Midkiff

Dave Patrick

From a command prompt try;

del \\.\Drive:\directory\filename
(Note: the period between \\ and \)

Also

dir /x
and try deleting them using their 8.3 short names.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Hello:
|
| My W2K server running IIS 5.0 with FTP was hacked. Someone placed half a
| dozen folders on the server and no matter what I do I can not delete them.
| I tried taking ownership of them the normal way from Windows Explorer and
| even used xcacls but still can't get control of them. Even after a reboot I
| can not get a hold of them. A few of the folders have strange characters in
| them and spaces at the beginning. This is what they look like:
|
| <blank no name>
| a
| aa
| ab
| John Paul
| .ÿÿ. ÿ. ÿ. .. 5.56.ÿ ÿ ÿ. ÿ. .
| .ÿÿ ÿ.. 4.28.ÿÿÿÿÿ. .
| .ÿÿÿÿ ÿ ÿ.. 21.57.ÿÿÿ ÿ ÿÿÿ.
| .ÿ ÿÿ. ÿÿ ÿ. ÿÿ .. 23.7.ÿÿÿÿ .
| .ÿÿ ÿÿ ÿ. ÿÿ. .. 2.93.ÿÿÿ. ÿÿÿ.
|
| Does anyone know how I can blow the folders out?
|
| Harrison Midkiff
|
|

Crouchie1998

Have you tried renaming the folders & then deleting them?

What is the error you get when you try to delete the files?

What user rights do you have?

Crouchie1998
BA (HONS) MCP MCSE

Crouchie1998

How can you delete a directory with 8.3 filename?

The 3 is the extension like exe, com... Do folders have file extensions?
NO!!

Crouchie1998
BA (HONS) MCP MCSE

George Hester

Easily. All an 8.3 file name means is that the name is restricted to 8 characters plus an extension of three. Hence C:\Program Files in 8.3 file name format is C:\PROGRA~1. This can be seen by going to the root (C:\) in the command prompt and typing dir /x

George Hester

Probably access denied or not a folder or not found. This is very common for UNIX hacked Windows.

Rob Stow

Crouchie1998 said:
How can you delete a directory with 8.3 filename?

The 3 is the extension like exe, com... Do folders have file extensions?
NO!!

Crouchie1998
BA (HONS) MCP MCSE

You claim to have an MCSE but you are so ignorant that you think
a folder name can't have an extension ?

A folder name can have any extension that the user chooses to
give it. And though .exe would be a pretty dumb extension to
tack onto the end of a folder's name, there is nothing preventing
anyone from doing so.

A few of the more common - and reasonable - cases of extensions
in folder names include
1.) .bak to indicate that a folder is a backup
2.) .old to indicate that a folder is an older version
3.) .000, .001, .002, et cetera. Typically when software tries
to create a folder but finds that name already in use, so it just
tacks on a number to differentiate the otherwise identically
named folders.
4.) .yyyymmdd, and variations thereof, where yyyy, mm, dd are
the year, month, and day of month. Often used in backup
situations to indicate the day of the backup.

Jason Tan

Hi,

Thanks for posting!

I understand that you cannot delete folders resident on Windows 2000
server. If I have misunderstood your concerns, please feel free to let me
know.

The MVPs have provided you several helpful methods. Please help me know the
results of them. Additionally, I would like to provide you with the
following method for your reference:

1. Start a command prompt with start->run->cmd.exe
2. Change to the directory below the one you're trying to delete. Now run
the dir command with the /x switch. What this switch does is allow you to
see the 8.3 short filenames for these folders and files. You can then use
this short filename to rmdir your folders.

Note: for the switches, please refer to rmdir /?

For more information, please refer to the following article:
120716 How to Remove Files with Reserved Names in Windows
http://support.microsoft.com/?id=120716

315226 How to Remove Files with Reserved Names in Windows XP
http://support.microsoft.com/?id=315226

If there is anything that is unclear, please feel free to let me know.

Thanks & Regards,

Jason Tan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Harrison Midkiff

George:

You're exactly right. I just can not do much of anything with the folders.
I was able to rename them, but I still couldn't delete them. If you have
any ideas on how to delete them I am all ears....

Harrison Midkiff

Probably access denied or not a folder or not found. This is very common
for UNIX hacked Windows.

Dave Patrick

A different issue. While logged on as local administrator
Explorer|"folder"|File|Properties|Security|Advanced|Owner and take
ownership.

--
Regards,
Dave

-------------
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| George:
|
| You're exactly right. I just can not do much of anything with the folders.
| I was able to rename them, but I still couldn't delete them. If you have
| any ideas on how to delete them I am all ears....
|
| Harrison Midkiff

Harrison Midkiff

That was one of the first things I tried. It seems that there are hidden
folders down inside the hierarchy and I can not replicate my permissions
down. I tried xcacls which usually will force its permissions on just about
anything but it fails as well.

I have been looking for a method to just blow out the folder completely.
Any ideas?

Harrison Midkiff

Dave Patrick

Try copying XCACLS to the root FTP folder in question and run;

XCACLS *.* /t > D:\perms.txt

Then look in perms.txt

--
Regards,
Dave

-------------
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| That was one of the first things I tried. It seems that there are hidden
| folders down inside the hierarchy and I can not replicate my permissions
| down. I tried xcacls which usually will force its permissions on just about
| anything but it fails as well.
|
| I have been looking for a method to just blow out the folder completely.
| Any ideas?
|
| Harrison Midkiff

George Hester

Jason, this issue is folders with leading spaces and other invalid characters for Win32. It's a common tactic for these hackers.

George Hester

Jason Tan gave you the links and I believe Dave gave you the actual command earlier. You have trailing spaces and this is your issue. Hence when you try to use Dave's command you must know exactly how the folder is written including the spaces and you enclose that all in "". I don't think 8.3 filenames will work here but you can try. But to make a long story short remove anonymous write to your system AND\OR remove ALL permissions to tftp.exe located in system32. Remember to install a Service Pack you will have to re-enable its permissions first. Small price to pay to avoid what you are dealing with.

--
George Hester
_________________________________
Harrison Midkiff said:
That was one of the first things I tried. It seems that there are hidden
folders down inside the hierarchy and I can not replicate my permissions
down. I tried xcacls which usually will force its permissions on just about
anything but it fails as well.

I have been looking for a method to just blow out the folder completely.
Any ideas?

Harrison Midkiff

Dave Patrick said:
A different issue. While logged on as local administrator
Explorer|"folder"|File|Properties|Security|Advanced|Owner and take
ownership.

--
Regards,
Dave

-------------
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| George:
|
| You're exactly right. I just can not do much of anything with the folders.
| I was able to rename them, but I still couldn't delete them. If you have
| any ideas on how to delete them I am all ears....
|
| Harrison Midkiff
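As an added example (not from this thread or from any of its posters), here is a Python script that does the defender's side of what George and Dave describe: it walks a directory tree and flags every entry whose name the Win32 layer cannot address through a normal path (leading or trailing spaces, trailing dots, reserved device names such as CON or NUL, control characters, and, as a review heuristic rather than a Win32 rule, non-ASCII characters like the ÿ runs in Harrison's listing). For each flagged entry it also builds the `\\?\`-prefixed form of the path, which, like the `\\.\` form in Dave's `del` command, tells Win32 to pass the name through without its usual parsing so that a trailing space or dot survives. The sample FTP root it creates in a temporary directory, the folder names in it, and the `D:\ftproot` drive path are all constructed for the demonstration; the scan runs on any host, while the `\\?\` path is only meaningful on Windows.

```python
import os
import tempfile
from typing import Dict, List

# Names Win32 reserves for devices, matched case-insensitively and
# even when an extension follows (CON.txt is still CON).
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
# Characters the Win32 layer refuses inside a single path component.
ILLEGAL_CHARS = set('<>:"/\\|?*')


def win32_name_problems(name: str) -> List[str]:
    """Return the reasons one path component cannot be handled via a normal Win32 path.

    An empty list means the name is ordinary. The non-ASCII check is a review
    heuristic, not a Win32 rule: Unicode names are legal, but they rarely belong
    in an anonymous FTP root and match what Harrison saw.
    """
    problems: List[str] = []
    if name == "":
        problems.append("empty name")
    if name.startswith(" "):
        problems.append("leading space")
    if name.endswith(" "):
        problems.append("trailing space")
    if name.endswith(".") and name not in (".", ".."):
        problems.append("trailing dot")  # Win32 silently strips trailing dots on normal paths
    stem = name.split(".", 1)[0].rstrip(" ")
    if stem.upper() in RESERVED_DEVICES:
        problems.append("reserved device name")
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        problems.append("control character")
    if any(c in ILLEGAL_CHARS for c in name):
        problems.append("illegal character")
    if any(ord(c) > 127 for c in name):
        problems.append("non-ASCII character (review)")
    return problems


def extended_path(directory: str, name: str) -> str:
    """Build the extended-length (question-mark prefixed) form of directory + name.

    That prefix bypasses Win32 path normalisation, so trailing spaces and dots
    reach the file system untouched. Only meaningful on Windows.
    """
    return "\\\\?\\" + directory.rstrip("\\") + "\\" + name


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root and map each suspicious full path to its list of problems."""
    findings: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            problems = win32_name_problems(entry)
            if problems:
                findings[os.path.join(dirpath, entry)] = problems
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed FTP root on a POSIX host; these names cannot be made via normal Win32 paths."""
    root = tempfile.mkdtemp(prefix="ftproot_")
    for name in [" a", "ab ", "con", "backup.", "John Paul", "normal"]:
        os.mkdir(os.path.join(root, name))
    found = scan_tree(root)
    # Report relative to the root so the result is stable across runs.
    return {os.path.relpath(path, root): problems for path, problems in found.items()}


if __name__ == "__main__":
    for rel, problems in sorted(demo().items()):
        ext = extended_path("D:\\ftproot", rel)  # assumed drive path, for display only
        print(f"{rel!r:14} {', '.join(problems):30} -> {ext!r}")
```

Pointed at a real FTP root, the reported paths can be checked against `dir /x` output before anything is removed; whichever form is used, the quoted name must include every leading and trailing space exactly as the scan reports it, which is the point George makes above.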