  • Status: Solved

WAREZ Demons Tagged my server.

A warez individual has tagged an ftp directory and I can't remove the folder.  It basically will not let me take ownership and will not let me delete it.  Once the attack occurs I can shut that access out but can't delete the files.  PLEASE HELP!!!!!!!!

I see what you said but now it gives me an ACCESS IS DENIED message
Asked by: cburns99
 
jhance Commented:
Open a CMD window and go to the parent folder of the problem file or folder and type:

DIR /X

The /X option will show you the short file name for the bogus and hard to see filename the hacker has used.  You should be able to CD to that short name or RMDIR it if it is empty.  Usually this will be several levels deep and so you'll probably need to go all the way to the bottom and work your way back up.
0
 
franka Commented:
listening...
0
 
cburns99 Author Commented:
I did the dir/x and found the real name to be com1~1 but when I try to cd further it says ACCESS DENIED
0
 
jhance Commented:
Then use the ATTRIB -S -R -A on the file name.
0
 
cburns99 Author Commented:
It is not a file it is a directory.  And is that the proper syntax?  The directory is named com1~1
0
 
AvonWyss Commented:
Very probably the files are still open if you cannot do anything (including taking ownership). Or they start with a dot ".", which can make problems when deleting.

Try stopping your FTP service and then delete the directory. After you succeeded, restart the FTP service.
0
 
cburns99 Author Commented:
Nope that didn't work either......AAAAAAAAHHHHHHHHHHHHH!!!!!!!!
0
 
jhance Commented:
If the directory is named com1~1 then you can remove it with:

RMDIR COM1~1

BUT, and this is IMPORTANT, you must have emptied ALL of the files out of the folder and do this to all the folders below it.

So you probably need to do:

CD COM1~1

then type

DIR /X /A

and keep going DOWN THE HIERARCHY until you hit BOTTOM!!!

Then work your way BACK UP deleting FILES AND FOLDERS as you go.

There is really no way to set file or folder ownership or protections from the FTP server and all the files should be owned by the FTP server service account.  IF you're logged in as ADMINISTRATOR you should have full rights to delete.

You MUST (I repeat MUST) use the proper short file name.  Be 100% SURE you are using the correct name or the delete or remove will fail!!!
0
 
bassque Commented:
There are many tricks that are used to lock directories so they cannot be accessed by any normal person nor can they be renamed.
Using spaces and special combinations or characters.

If you let me know if your ftp server is on an NT or Unix box and paste me the entire name of the directory they made I should be able to help.

Just a short note.
This will be very easy if you have a unix server, NT can be tricky.

But without knowing the specifics of these tricks it is almost impossible for anyone to figure this out.
;-)
0
 
bwelkin Commented:
listening
0
 
edsonkuboo Commented:
try to use rmdir com1~1 /S
0
 
cempasha Commented:
Dear questioner/expert(s)

No comment has been added lately, so it's time to clean up this TA.
I'll leave a recommendation in the Cleanup topic area that this question is to be:

- PAQ'd and pts removed

Please leave any comments here within the next seven days.

==> PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER ! <==

PaSHa

Cleanup volunteer
0
 
jhance Commented:
Strongly disagree.  

My comment is EXACTLY the solution here.  

I suggest FORCE ACCEPT to jhance.
0
 
SpideyMod Commented:
PAQ'd and points NOT refunded.  Several things may be preventing the deletion of this directory.  The RMDIR /S as proposed by edsonkuboo would be easier than jhance's comment, however it is lacking the /D operator which should accompany it to delete any subdirectories as well if they are present.  Still, we cannot be certain that rmdir will work at all in this circumstance.  For instance if a file anywhere in the directory tree is in use, it will fail.  For those skeptics, see the following copied from my personal test:
D:\Downloads\Temp>rmdir com1~1 /s
com1~1, Are you sure (Y/N)? y
com1~1\text.txt - The process cannot access the file because it is being used by
 another process.

Even with all that said, looking at the question, it appears as though the question text was changed some time later to reflect this text: "I see what you said but now it gives me an ACCESS IS DENIED message" which indicates to me there are still problems with the presented solutions.  Without knowing the exact environment and whether or not any of these suggestions worked, the best alternative is to PAQ the question and not refund the points.

SpideyMod
Community Support Moderator @Experts Exchange
0
 
AvonWyss Commented:
SpideyMod, good to see that you are familiar with the topics you are cleaning up! Keep up the good work.

And for jhance, if the file/dir does not have an extension, your suggestion would not have worked. In this case, the technique described here would help:
http://support.microsoft.com/?kbid=120716

Anyways, doesn't matter anymore I guess... ;-)
0
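Added example, not part of any post in this thread: a Python audit that flags the kinds of names discussed above (reserved device names such as COM1, trailing spaces or dots, control characters) and returns each path in the Win32 `\\?\` form, which turns off name normalization so the entry can be addressed as stored. The function names and the sample listing are constructed for illustration; `scan` assumes it is run on the Windows host that holds the FTP root.

```python
import os
import re

# Win32 device names; reserved with or without an extension (COM1, com1.txt).
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {p + str(n) for p in ("COM", "LPT") for n in range(1, 10)}

def classify_name(name):
    """Reasons one component fails in a normal Win32 path (which strips trailing dots/spaces)."""
    reasons = []
    stem = name.rstrip(" .").split(".", 1)[0].upper()
    if stem in RESERVED:
        reasons.append("reserved device name")
    if name not in (".", "..") and name.endswith((" ", ".")):
        reasons.append("trailing space or dot")
    if re.search(r"[\x00-\x1f]", name):
        reasons.append("control character")
    return reasons

def extended_path(path):
    # Prefix an absolute drive path with \\?\ so Win32 skips name normalization.
    if path.startswith("\\\\?\\"):
        return path
    if not re.match(r"[A-Za-z]:\\", path):
        raise ValueError("expected an absolute drive path such as D:\\ftproot")
    return "\\\\?\\" + path

def audit(paths):
    """Return (extended path, reasons) for every path with a problem component."""
    findings = []
    for path in paths:
        reasons = []
        for part in path.split("\\")[1:]:  # skip the drive letter
            reasons += [r for r in classify_name(part) if r not in reasons]
        if reasons:
            findings.append((extended_path(path), reasons))
    return findings

def scan(root):
    """Windows only: walk via the extended form so odd names are listed as stored."""
    for dirpath, dirs, files in os.walk(extended_path(root)):
        for name in dirs + files:
            yield os.path.join(dirpath, name)

# Constructed listing, not taken from the thread.
SAMPLE = ["D:\\ftproot\\pub\\readme.txt", "D:\\ftproot\\pub\\com1",
          "D:\\ftproot\\pub\\ tagged \\lpt3.x\\file.bin", "D:\\ftproot\\pub\\com1~1"]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live host, `audit(scan("D:\\ftproot"))` (hypothetical root) gives the same report for a real tree; note that an 8.3 short name such as `com1~1` is not itself flagged, only the long name behind it would be.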
 
jhance Commented:
Clearly it doesn't matter to the person who asked and then abandoned this question.

0
 
SpideyMod Commented:
jhance,
I know exactly what you are talking about.  I deal with it day in and day out and I get frustrated about it as well.  That would be why "they" gave us the authority to PAQ the question and not refund the points as I've done here so at least they cannot use those points to do it again.

AvonWyss,
Thanks for the kudos.  It doesn't always work out that I know the topics I am moderating, but I guess that's the nature of the beast.  It is the experts that work the real magic for this site!
0
