Solved

WAREZ Demons Tagged my server.

Posted on 2001-06-07
17
169 Views
Last Modified: 2010-04-13
A warez individual has tagged an ftp directory and I can't remove the folder.  It basically will not let me take ownership and will not let me delete it.  Once the attack occurs I can shut that access out but can't delete the files.  PLEASE HELP!!!!!!!!

I see what you said but now it gives me an ACCESS IS DENIED message
Question by:cburns99
17 Comments
 
LVL 32

Expert Comment

by:jhance
ID: 6165158
Open a CMD window and go to the parent folder of the problem file or folder and type:

DIR /X

The /X option will show you the short file name for the bogus and hard to see filename the hacker has used.  You should be able to CD to that short name or RMDIR it if it is empty.  Usually this will be several levels deep and so you'll probably need to go all the way to the bottom and work your way back up.
0
 
LVL 7

Expert Comment

by:franka
ID: 6165204
listening...
0
 

Author Comment

by:cburns99
ID: 6165216
I did the dir/x and found the real name to be com1~1 but when I try to cd further it says ACCESS DENIED
0

 
LVL 32

Expert Comment

by:jhance
ID: 6165225
Then use the ATTRIB -S -R -A on the file name.
0
 

Author Comment

by:cburns99
ID: 6165242
It is not a file it is a directory.  And is that the proper syntax?  The directory is named com1~1
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6165318
Very probably the files are still open if you cannot do anything (including taking ownership). Or they start with a dot ".", which can make problems when deleting.

Try stopping your FTP service and then delete the directory. After you succeeded, restart the FTP service.
0
 

Author Comment

by:cburns99
ID: 6165379
Nope that didn't work either......AAAAAAAAHHHHHHHHHHHHH!!!!!!!!
0
 
LVL 32

Expert Comment

by:jhance
ID: 6165548
If the directory is named com1~1 then you can remove it with:

RMDIR COM1~1

BUT, and this is IMPORTANT, you must have emptied ALL of the files out of the folder and do this to all the folders below it.

So you probably need to do:

CD COM1~1

then type

DIR /X /A

and keep going DOWN THE HIERARCHY until you hit BOTTOM!!!

Then work your way BACK UP deleting FILES AND FOLDERS as you go.

There is really no way to set file or folder ownership or protections from the FTP server and all the files should be owned by the FTP server service account.  IF you're logged in as ADMINISTRATOR you should have full rights to delete.

You MUST (I repeat MUST) use the proper short file name.  Be 100% SURE you are using the correct name or the delete or remove will fail!!!
0
 
LVL 1

Expert Comment

by:bassque
ID: 6165882
There are many tricks that are used to lock directories so they cannot be accessed by any normal person nor can they be renamed.
Using spaces and special combinations or characters.

If you let me know if your ftp server is on an NT or Unix box and paste me the entire name of the directory they made I should be able to help.

Just a short note.
This will be very easy if you have a unix server, NT can be tricky.

But without knowing the specifics of these tricks it is almost impossible for anyone to figure this out.
;-)
0
 
LVL 1

Expert Comment

by:bwelkin
ID: 6166367
listening
0
 

Expert Comment

by:edsonkuboo
ID: 6808567
try to use rmdir com1~1 /S
0
 
LVL 5

Expert Comment

by:cempasha
ID: 7858958
Dear questioner/expert(s)

No comment has been added lately, so it's time to clean up this TA.
I'll leave a recommendation in the Cleanup topic area that this question is to be:

- PAQ'd and pts removed

Please leave any comments here within the next seven days.

==> PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER ! <==

PaSHa

Cleanup volunteer
0
 
LVL 32

Expert Comment

by:jhance
ID: 7863472
Strongly disagree.  

My comment is EXACTLY the solution here.  

I suggest FORCE ACCEPT to jhance.
0
 

Accepted Solution

by:
SpideyMod earned 0 total points
ID: 7924651
PAQ'd and points NOT refunded.  Several things may be preventing the deletion of this directory.  The RMDIR /S as proposed by edsonkuboo would be easier than jhance's comment, however it is lacking the /D operator which should accompany it to delete any subdirectories as well if they are present.  Still, we cannot be certain that rmdir will work at all in this circumstance.  For instance if a file anywhere in the directory tree is in use, it will fail.  For those skeptics, see the following copied from my personal test:
D:\Downloads\Temp>rmdir com1~1 /s
com1~1, Are you sure (Y/N)? y
com1~1\text.txt - The process cannot access the file because it is being used by
 another process.

Even with all that said, looking at the question, it appears as though the question text was changed some time later to reflect this text: "I see what you said but now it gives me an ACCESS IS DENIED message" which indicates to me there are still problems with the presented solutions.  Without knowing the exact environment and whether or not any of these suggestions worked, the best alternative is to PAQ the question and not refund the points.

SpideyMod
Community Support Moderator @Experts Exchange
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 7925707
SpideyMod, good to see that you are familiar with the topics you are cleaning up! Keep up the good work.

And for jhance, if the file/dir does not have an extension, your suggestion would not have worked. In this case, the technique described here would help:
http://support.microsoft.com/?kbid=120716

Anyways, doesn't matter anymore I guess... ;-)
0
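An added example, not part of the thread and not any poster's code: a Python check that flags directory names of the kind discussed above (reserved device names such as com1, trailing or leading spaces, trailing dots) and builds the `\\?\`-prefixed form of the path, which Win32 passes through without parsing the name. The `D:\ftproot\upload` path and the sample listing are constructed for illustration.

```python
import ntpath
import os
import re

# Win32 reserved device names; they stay reserved with an extension (NUL.txt).
RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.I)

def name_problems(name):
    """Return the reasons normal Win32 path parsing will mishandle this name."""
    problems = []
    stem = name.rstrip(" .")          # Win32 silently strips these characters
    if stem != name:
        problems.append("trailing space or dot")
    if RESERVED.match(stem):
        problems.append("reserved device name")
    if name != name.lstrip(" "):
        problems.append("leading space")
    if any(ord(ch) < 32 for ch in name):
        problems.append("control character")
    return problems

def extended_path(path):
    r"""Add the \\?\ prefix, which tells Win32 to pass the name through unparsed."""
    prefix = "\\\\?\\"
    return path if path.startswith(prefix) else prefix + path

def report(parent, names):
    """Pair each suspicious name under parent with its extended path and reasons."""
    return [(extended_path(ntpath.join(parent, n)), name_problems(n))
            for n in names if name_problems(n)]

def scan(root):
    """Walk an absolute root (on Windows) and report suspicious directories."""
    findings = []
    for parent, dirs, _files in os.walk(extended_path(root)):
        findings.extend(report(parent, dirs))
    return findings

# Constructed sample listing of one upload directory; not taken from the thread.
SAMPLE = ["pub", "incoming", "com1", "LPT3.x", " tagged", "a. ", "ok.dir"]

if __name__ == "__main__":
    # D:\ftproot\upload is an assumed path used only for this demonstration.
    for path, why in report(r"D:\ftproot\upload", SAMPLE):
        print(path, "->", ", ".join(why))
```

On the server itself, `scan()` with the FTP root as an absolute path walks the real tree, and each reported path can be given to RMDIR in its `\\?\` form from an administrator prompt.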
 
LVL 32

Expert Comment

by:jhance
ID: 7925901
Clearly it doesn't matter to the person who asked and then abandoned this question.

0
 

Expert Comment

by:SpideyMod
ID: 7927456
jhance,
I know exactly what you are talking about.  I deal with it day in and day out and I get frustrated about it as well.  That would be why "they" gave us the authority to PAQ the question and not refund the points as I've done here so at least they cannot use those points to do it again.

AvonWyss,
Thanks for the kudos.  It doesn't always work out that I know the topics I am moderating, but I guess that's the nature of the beast.  It is the experts that work the real magic for this site!
0
