Solved

WAREZ Demons Tagged my server.

Posted on 2001-06-07
Last Modified: 2010-04-13
A warez individual has tagged an ftp directory and I can't remove the folder.  It basically will not let me take ownership and will not let me delete it.  Once the attack occurs I can shut that access out but can't delete the files.  PLEASE HELP!!!!!!!!

I see what you said but now it gives me an ACCESS IS DENIED message
Question by:cburns99
17 Comments
 
LVL 32

Expert Comment

by:jhance
ID: 6165158
Open a CMD window and go to the parent folder of the problem file or folder and type:

DIR /X

The /X option will show you the short file name for the bogus and hard to see filename the hacker has used.  You should be able to CD to that short name or RMDIR it if it is empty.  Usually this will be several levels deep and so you'll probably need to go all the way to the bottom and work your way back up.
0
 
LVL 7

Expert Comment

by:franka
ID: 6165204
listening...
0
 

Author Comment

by:cburns99
ID: 6165216
I did the dir/x and found the real name to be com1~1 but when I try to cd further it says ACCESS DENIED
0
 
LVL 32

Expert Comment

by:jhance
ID: 6165225
Then use the ATTRIB -S -R -A on the file name.
0
 

Author Comment

by:cburns99
ID: 6165242
It is not a file it is a directory.  And is that the proper syntax?  The directory is named com1~1
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6165318
Very probably the files are still open if you cannot do anything (including taking ownership). Or they start with a dot ".", which can make problems when deleting.

Try stopping your FTP service and then delete the directory. After you succeeded, restart the FTP service.
0
 

Author Comment

by:cburns99
ID: 6165379
Nope that didn't work either......AAAAAAAAHHHHHHHHHHHHH!!!!!!!!
0
 
LVL 32

Expert Comment

by:jhance
ID: 6165548
If the directory is named com1~1 then you can remove it with:

RMDIR COM1~1

BUT, and this is IMPORTANT, you must have emptied ALL of the files out of the folder and do this to all the folders below it.

So you probably need to do:

CD COM1~1

then type

DIR /X /A

and keep going DOWN THE HIERARCHY until you hit BOTTOM!!!

Then work your way BACK UP deleting FILES AND FOLDERS as you go.

There is really no way to set file or folder ownership or protections from the FTP server and all the files should be owned by the FTP server service account.  IF you're logged in as ADMINISTRATOR you should have full rights to delete.

You MUST (I repeat MUST) use the proper short file name.  Be 100% SURE you are using the correct name or the delete or remove will fail!!!
0

 
LVL 1

Expert Comment

by:bassque
ID: 6165882
There are many tricks that are used to lock directories so they cannot be accessed by any normal person nor can they be renamed.
Using spaces and special combinations or characters.

If you let me know if your ftp server is on an NT or Unix box and paste me the entire name of the directory they made I should be able to help.

Just a short note.
This will be very easy if you have a unix server, NT can be tricky.

But without knowing the specifics of these tricks it is almost impossible for anyone to figure this out.
;-)
0
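As an added example (not code from any poster in this thread): a small audit script that walks an FTP root bottom-up, the order jhance describes for deleting, and flags the kind of hard-to-see or hard-to-delete names bassque alludes to. The specific checks (reserved DOS device names, trailing space or dot, leading space, control characters) and the sample tree are the editor's assumptions, not details given in the thread.

```python
import os
import re
import tempfile

# DOS device names reserved by Win32 path parsing, with or without an extension.
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.I)

def name_problems(name):
    """Reasons one path component is hard to see or handle with normal tools."""
    reasons = []
    if RESERVED.match(name.rstrip(" .")):
        reasons.append("reserved device name")
    if name != name.rstrip(" ."):
        reasons.append("trailing space or dot")
    if name.startswith(" "):
        reasons.append("leading space")
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        reasons.append("control character")
    return reasons

def audit_tree(root):
    """Walk root bottom-up, the order entries have to be deleted in, and
    return (relative_path, reasons) for every awkward file or folder name."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in sorted(dirnames + filenames):
            reasons = name_problems(name)
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, reasons))
    return findings

def demo():
    """Constructed sample tree (POSIX filesystem assumed; all names invented)."""
    with tempfile.TemporaryDirectory() as root:
        deep = os.path.join(root, "incoming", "com1 ", " tagged", "files")
        os.makedirs(deep)
        os.makedirs(os.path.join(root, "incoming", "docs"))
        open(os.path.join(deep, "nul.txt"), "w").close()
        open(os.path.join(deep, "readme.txt"), "w").close()
        return audit_tree(root)

if __name__ == "__main__":
    for rel, reasons in demo():
        print(f"{rel!r}: {', '.join(reasons)}")
```

The checks run on long names only; an 8.3 short name such as the one shown by DIR /X is not flagged, because the trick lives in the long name it stands for.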
 
LVL 1

Expert Comment

by:bwelkin
ID: 6166367
listening
0
 

Expert Comment

by:edsonkuboo
ID: 6808567
try to use rmdir com1~1 /S
0
 
LVL 5

Expert Comment

by:cempasha
ID: 7858958
Dear questioner/expert(s)

No comment has been added lately, so it's time to clean up this TA.
I'll leave a recommendation in the Cleanup topic area that this question is to be:

- PAQ'd and pts removed

Please leave any comments here within the next seven days.

==> PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER ! <==

PaSHa

Cleanup volunteer
0
 
LVL 32

Expert Comment

by:jhance
ID: 7863472
Strongly disagree.  

My comment is EXACTLY the solution here.  

I suggest FORCE ACCEPT to jhance.
0
 

Accepted Solution

by:
SpideyMod earned 0 total points
ID: 7924651
PAQ'd and points NOT refunded.  Several things may be preventing the deletion of this directory.  The RMDIR /S as proposed by edsonkuboo would be easier than jhance's comment, however it is lacking the /D operator which should accompany it to delete any subdirectories as well if they are present.  Still, we cannot be certain that rmdir will work at all in this circumstance.  For instance if a file anywhere in the directory tree is in use, it will fail.  For those skeptics, see the following copied from my personal test:
D:\Downloads\Temp>rmdir com1~1 /s
com1~1, Are you sure (Y/N)? y
com1~1\text.txt - The process cannot access the file because it is being used by
 another process.

Even with all that said, looking at the question, it appears as though the question text was changed some time later to reflect this text: "I see what you said but now it gives me an ACCESS IS DENIED message" which indicates to me there are still problems with the presented solutions.  Without knowing the exact environment and whether or not any of these suggestions worked, the best alternative is to PAQ the question and not refund the points.

SpideyMod
Community Support Moderator @Experts Exchange
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 7925707
SpideyMod, good to see that you are familiar with the topics you are cleaning up! Keep up the good work.

And for jhance, if the file/dir does not have an extension, your suggestion would not have worked. In this case, the technique described here would help:
http://support.microsoft.com/?kbid=120716

Anyways, doesn't matter anymore I guess... ;-)
0
 
LVL 32

Expert Comment

by:jhance
ID: 7925901
Clearly it doesn't matter to the person who asked and then abandoned this question.

0
 

Expert Comment

by:SpideyMod
ID: 7927456
jhance,
I know exactly what you are talking about.  I deal with it day in and day out and I get frustrated about it as well.  That would be why "they" gave us the authority to PAQ the question and not refund the points as I've done here so at least they cannot use those points to do it again.

AvonWyss,
Thanks for the kudos.  It doesn't always work out that I know the topics I am moderating, but I guess that's the nature of the beast.  It is the experts that work the real magic for this site!
0
