HELP - cannot remove files (placed by a hack!)


Guest

I need some real Windows 2000 AS help here.

I discovered (much to my chagrin) that I've been hacked on two servers. The problem is someone got onto my system using anonymous login to FTP and placed a series of folders onto my system. These are very deep (multi-folders deep) and finally end in the folder 'jackass'. It appears someone is trying to use our corporate servers to distribute porn?

In any event, as system administrator, this is what I attempted to do to remove the folders/files... after shutting off anonymous access to the FTP servers..
#1 - Tried to delete the folders/files. Won't let me
#2 - Went to security properties and changed 'Everyone' to read only on the folders and child objects
Added Administrator as owner of the folder and child object
Gave Administrator full control over the folder and child objects ... While trying to propagate these settings, I was informed that access was denied on the targets. Now I cannot even view them and cannot delete them
I did manage (in safe mode) to get one folder into the recycle bin, but it won't empty from the recycle bin

Here is what I need to know -
What tool or approach do I use to take absolute ownership of these offending folders and delete them completely from my system

Thanks in advance for any help you can provide.
 

Rykel

Tagged folders. Nice and common, unfortunately. By putting nonprintable
characters in the folder and file names, the true name isn't what gets
reported to the screen (cmdline or GUI) and so attempts to operate on them
fail. Sometimes, the Take ownership tool in the 2000 resource kit
(Takeown.exe) will force ownership on these varmints then XCACLS can force
new permissions, but the foolproof route is to revert to W2K's commandline
Posix commands, as that's what your hacker used to create the damn things:

http://securityadmin.info/faq.asp#ftpfolder and
http://support.microsoft.com/?kbid=120716

If that lot fails then there is a route using the Posix commands by manually
discovering the 8.3 names of each file and folder (dir /x) and using the rm
command with the full path in quotes and the 8.3 filename exactly as DIR
reports it (including any spaces) - can take ages as it won't run
recursively.

~D~



randyvol said:
I need some real Windows 2000 AS help here.

I discovered (much to my chagrin) that I've been hacked on two servers.
..... <schnip>
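
An added example (not from the thread or from any tool it names): a Python audit that walks a directory tree, such as an FTP root, and flags names containing the non-printing characters Rykel describes, showing each with `repr()` so the true name is visible. It goes slightly beyond the post by also flagging trailing spaces or dots, which the Win32 API strips; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
import unicodedata

def name_findings(name):
    """Return reasons a file or folder name will not display or resolve as shown."""
    findings = []
    for pos, ch in enumerate(name):
        cat = unicodedata.category(ch)
        # Cc = control, Cf = invisible format, Zs other than plain space = look-alike blank
        if cat in ("Cc", "Cf") or (cat == "Zs" and ch != " "):
            findings.append("non-printing U+%04X at offset %d" % (ord(ch), pos))
    # Win32 path handling strips trailing spaces and dots, so such names
    # cannot be addressed by the name that Explorer or DIR displays.
    if name != name.rstrip(" ."):
        findings.append("trailing space or dot")
    return findings

def audit_tree(root):
    """Walk root and return (path, repr(name), findings) for every flagged entry."""
    report = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            findings = name_findings(name)
            if findings:
                # repr() escapes the hidden characters so the real name is readable
                report.append((os.path.join(dirpath, name), repr(name), findings))
    return report

def demo():
    """Build a constructed sample tree (not data from the thread) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "pub", "incoming"))
        # U+00A0 (no-break space) renders exactly like an ordinary space
        os.makedirs(os.path.join(root, "pub", "tagged\u00a0by", "deep"))
        return [(shown, why) for _path, shown, why in audit_tree(root)]

if __name__ == "__main__":
    for shown, why in demo():
        print(shown, why)
```

Running it periodically against any directory that accepts uploads gives an early signal that writable anonymous access is being abused, before the tree grows many levels deep.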
 

Guest

Rykel -

Thanks much !!! I will check it out

----- Rykel wrote: -----

Tagged folders. Nice and common, unfortunately. By putting nonprintable
characters in the folder and file names, the true name isn't what gets
reported to the screen (cmdline or GUI) and so attempts to operate on them
fail. Sometimes, the Take ownership tool in the 2000 resource kit
(Takeown.exe) will force ownership on these varmints then XCACLS can force
new permissions, but the foolproof route is to revert to W2K's commandline
Posix commands, as that's what your hacker used to create the damn things:

http://securityadmin.info/faq.asp#ftpfolder and
http://support.microsoft.com/?kbid=120716

If that lot fails then there is a route using the Posix commands by manually
discovering the 8.3 names of each file and folder (dir /x) and using the rm
command with the full path in quotes and the 8.3 filename exactly as DIR
reports it (including any spaces) - can take ages as it won't run
recursively.

~D~



randyvol said:
I need some real Windows 2000 AS help here.
..... <schnip>
 
