Solved

WAREZ Demons Tagged my server.

Posted on 2001-06-07
Last Modified: 2010-04-13
A warez individual has tagged an ftp directory and I can't remove the folder.  It basically will not let me take ownership and will not let me delete it.  Once the attack occurs I can shut that access out but can't delete the files.  PLEASE HELP!!!!!!!!

I see what you said but now it gives me an ACCESS IS DENIED message
Question by:cburns99
17 Comments
 
LVL 32

Expert Comment

by:jhance
ID: 6165158
Open a CMD window and go to the parent folder of the problem file or folder and type:

DIR /X

The /X option will show you the short file name for the bogus and hard to see filename the hacker has used.  You should be able to CD to that short name or RMDIR it if it is empty.  Usually this will be several levels deep and so you'll probably need to go all the way to the bottom and work your way back up.
0
 
LVL 7

Expert Comment

by:franka
ID: 6165204
listening...
0
 

Author Comment

by:cburns99
ID: 6165216
I did the dir/x and found the real name to be com1~1 but when I try to cd further it says ACCESS DENIED
0
 
LVL 32

Expert Comment

by:jhance
ID: 6165225
Then use the ATTRIB -S -R -A on the file name.
0
 

Author Comment

by:cburns99
ID: 6165242
It is not a file, it is a directory.  And is that the proper syntax?  The directory is named com1~1
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6165318
Very probably the files are still open if you cannot do anything (including taking ownership). Or they start with a dot ".", which can make problems when deleting.

Try stopping your FTP service and then delete the directory. After you succeeded, restart the FTP service.
0
 

Author Comment

by:cburns99
ID: 6165379
Nope that didn't work either......AAAAAAAAHHHHHHHHHHHHH!!!!!!!!
0
 
LVL 32

Expert Comment

by:jhance
ID: 6165548
If the directory is named com1~1 then you can remove it with:

RMDIR COM1~1

BUT, and this is IMPORTANT, you must have emptied ALL of the files out of the folder and do this to all the folders below it.

So you probably need to do:

CD COM1~1

then type

DIR /X /A

and keep going DOWN THE HIERARCHY until you hit BOTTOM!!!

Then work your way BACK UP deleting FILES AND FOLDERS as you go.

There is really no way to set file or folder ownership or protections from the FTP server and all the files should be owned by the FTP server service account.  IF you're logged in as ADMINISTRATOR you should have full rights to delete.

You MUST (I repeat MUST) use the proper short file name.  Be 100% SURE you are using the correct name or the delete or remove will fail!!!
0
 
LVL 1

Expert Comment

by:bassque
ID: 6165882
There are many tricks that are used to lock directories so they cannot be accessed by any normal person nor can they be renamed.
Using spaces and special combinations or characters.

If you let me know if your ftp server is on an NT or Unix box and paste me the entire name of the directory they made I should be able to help.

Just a short note.
This will be very easy if you have a unix server, NT can be tricky.

But without knowing the specifics of these tricks it is almost impossible for anyone to figure this out.
;-)
0
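An added example (not from any poster in this thread): a Python check for an FTP root that flags the naming tricks mentioned above, namely reserved device names such as com1, stray spaces and leading dots, and lists them deepest first, which is the order in which they would have to be removed. The function names and sample names are constructed for illustration; the reserved-name pattern is the standard Win32 device set.

```python
import os
import re

# Names the Win32 layer treats as devices, with or without an extension.
RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.I)

def classify(name):
    """Return the reasons a name is likely to resist normal Win32 tools."""
    reasons = []
    if RESERVED.match(name.rstrip(" .")):
        reasons.append("reserved-device-name")
    if name != name.rstrip(" ."):
        reasons.append("trailing-space-or-dot")
    if name.startswith(" "):
        reasons.append("leading-space")
    if name.startswith("."):
        reasons.append("leading-dot")  # flagged because the thread raises it
    if any(ord(ch) < 32 for ch in name):
        reasons.append("control-character")
    return reasons

def scan_tree(root):
    """Walk root bottom-up (deepest entries first) and list suspect names.

    Directories that cannot be listed are reported too, since an
    access-denied subtree is itself something to investigate.
    """
    findings = []

    def unreadable(err):
        findings.append((err.filename, ["unreadable"]))

    for dirpath, dirnames, filenames in os.walk(root, topdown=False, onerror=unreadable):
        for name in dirnames + filenames:
            reasons = classify(name)
            if reasons:
                findings.append((os.path.join(dirpath, name), reasons))
    return findings

# Constructed sample names, not taken from the thread's server.
SAMPLE = ["pub", "com1", "LPT1.txt", "tagged ", "com10", ".hidden"]

if __name__ == "__main__":
    for sample in SAMPLE:
        print(repr(sample), classify(sample))
```

Run `scan_tree` against the FTP upload root on a schedule; any finding in a directory that anonymous users can write to is worth reviewing before the tree grows deeper.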
 
LVL 1

Expert Comment

by:bwelkin
ID: 6166367
listening
0
 

Expert Comment

by:edsonkuboo
ID: 6808567
try to use rmdir com1~1 /S
0
 
LVL 5

Expert Comment

by:cempasha
ID: 7858958
Dear questioner/expert(s)

No comment has been added lately, so it's time to clean up this TA.
I'll leave a recommendation in the Cleanup topic area that this question is to be:

- PAQ'd and pts removed

Please leave any comments here within the next seven days.

==> PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER ! <==

PaSHa

Cleanup volunteer
0
 
LVL 32

Expert Comment

by:jhance
ID: 7863472
Strongly disagree.  

My comment is EXACTLY the solution here.  

I suggest FORCE ACCEPT to jhance.
0
 

Accepted Solution

by:
SpideyMod earned 0 total points
ID: 7924651
PAQ'd and points NOT refunded.  Several things may be preventing the deletion of this directory.  The RMDIR /S as proposed by edsonkuboo would be easier than jhance's comment, however it is lacking the /D operator which should accompany it to delete any subdirectories as well if they are present.  Still, we cannot be certain that rmdir will work at all in this circumstance.  For instance if a file anywhere in the directory tree is in use, it will fail.  For those skeptics, see the following copied from my personal test:
D:\Downloads\Temp>rmdir com1~1 /s
com1~1, Are you sure (Y/N)? y
com1~1\text.txt - The process cannot access the file because it is being used by another process.

Even with all that said, looking at the question, it appears as though the question text was changed some time later to reflect this text: "I see what you said but now it gives me an ACCESS IS DENIED message" which indicates to me there are still problems with the presented solutions.  Without knowing the exact environment and whether or not any of these suggestions worked, the best alternative is to PAQ the question and not refund the points.

SpideyMod
Community Support Moderator @Experts Exchange
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 7925707
SpideyMod, good to see that you are familiar with the topics you are cleaning up! Keep up the good work.

And for jhance, if the file/dir does not have an extension, your suggestion would not have worked. In this case, the technique described here would help:
http://support.microsoft.com/?kbid=120716

Anyways, doesn't matter anymore I guess... ;-)
0
 
LVL 32

Expert Comment

by:jhance
ID: 7925901
Clearly it doesn't matter to the person who asked and then abandoned this question.

0
 

Expert Comment

by:SpideyMod
ID: 7927456
jhance,
I know exactly what you are talking about.  I deal with it day in and day out and I get frustrated about it as well.  That would be why "they" gave us the authority to PAQ the question and not refund the points as I've done here so at least they cannot use those points to do it again.

AvonWyss,
Thanks for the kudos.  It doesn't always work out that I know the topics I am moderating, but I guess that's the nature of the beast.  It is the experts that work the real magic for this site!
0
