bendecko asked:
Hacked, tagged FTP directory contains undeletable folders

Hi,

Esoteric question for you.

I have a Windows 2000 Server box at home which I play around on.  It doesn't contain anything of particular value.

I have an ADSL connection and left the FTP service open with write access.  Loads of hackers uploaded tons of stuff (!): games, cracks, hacks etc.  Weird - mad or what?

NTFS partition.  SP2.  Win2K server.

Anyway, they have managed to create a couple of folders that I cannot get rid of.  Also I cannot find any reference to this kind of behaviour anywhere on the net.

The directories have been 'tagged', e.g. some are called c:\inetpub\ftproot\    \ . tagged . \ stuff\game.zip

(note the spaces - or indeterminate whitespace)

None of the directories has any attribs or properties in Explorer properties.

I cannot rename, delete, move or otherwise alter the top directory called "     " or any subdirectories.  I am greeted with an "Error deleting file or folder: cannot read from the source file or disk" dialogue.

Also, highlighting the "    ", copying and pasting that into a DOS box (with quotes) and running CD "    " gets nowhere either.

Also there is a directory at the bottom which simply crashes Explorer when it is highlighted.  It is called aux.beagle.aux and has no spaces around it.

Clearly a reformat will do - but I am really more interested in what tricks they have pulled to create these directories.   And what is more - what is beneath that final directory to which I have no access.  ;-)

Any thoughts?

bendecko




CrazyOne

They may have hacked your registry to prevent you from doing anything with it, or there may be a process running that is monitoring the activities of these folders. Also, these may be ghost directories that are actually sitting on a different machine altogether but are being shown as if they are on your machine. This stuff fascinates me as well.

I am sure you have heard of Steve Gibson (a hacking guru). He has a site that is dedicated to investigating this kind of stuff. I imagine he may be interested in knowing about this and probably can tell you what is happening. Here is his site, and I believe he posts an email link.

http://grc.com/default.htm


The Crazy One
jhance

This is a {bug : feature :} in Explorer where it won't let you delete files that are perfectly legal for the filesystem...

But there is a method:

Open a CMD window and CD to the start of this mess.  Then use the:

DIR /X

command to see the SHORT FILE NAMES of the offending files or folders.

If it's just files, you can delete them with DEL and the short names.  Otherwise, continue CD'ing down the hierarchy using the short names until you reach the bottom and delete your way back up.
jhance
Would RMDIR work? What is the bug? I haven't run across it before. In other words, why doesn't it allow any manipulation of the folder? Just curious. :>)
Yes, RMDIR (or RM) works with the SHORT FILE name.  I've got the information written down on a note somewhere on how to create these files.  If I can find it I'll post it here.  I think it's just control chars in the file names that fool Explorer.  The DOS short file names, however, always work fine.

The situation looks really bad and you think someone has done horrible things, but it's really just Explorer not handling the filenames properly.  My opinion is that any filename that can be stored by the filesystem should be deletable.
Is it the ole alt+255 trick?
Something like that, but it's a little different when done via FTP.  But you have the right idea...
bendecko,

Any progress???
Ha, I know this one..... it's the old
255 trick, yes, along with a few vulnerabilities in Win2K

my advice:-

GET sp2 NOW!!!!!!!!!!!!!!
or else they can take over what they want!
stop anon ftp access.......

use NTFSDOS to get rid of the unwanted folders.....
erm........

see what happens then (until the next vulnerability)
Did I mention change your passwords?
lol
andydis,

It's probably not a password issue or a security breach.  This is most often just an exploit of an anonymous login to the FTP server.  Since it was permitted to start with, the user (in my opinion) didn't actually break in.

The way to stop this is:

1) Don't run FTP at all unless you need it.
2) Don't permit anonymous FTP sessions to WRITE.
3) Don't permit anonymous FTP sessions at all.
bendecko (ASKER)
Thanks guys.

OK - the dir /x parameter works for the first few directories down.

Then I get to a directory where the 'long name' is com2 and the dir /x output is blank   ?!

I cannot CD into nothing.  If I run  start .  at this point I get an Explorer window with a folder com2 in it, and Explorer allows me in.

In there is a folder called aux.beagle.aux, and then Explorer hangs.

What other exploits could there be that cause the 8.3 name to be blank?

bendecko

PS: what is the ALT 255 trick?
bendecko,

Look closer.  I don't think it's blank.  The DIR /X will show you the short file name but it may have characters after the "." so the name might just be an extension.  

Don't try to use EXPLORER on this. It will fail...

I've also not seen this with COM2, which is a special name for a device.  If the DIR /X is really not giving you anything (and I've never seen this happen) you could also write a small app that would search the dir programmatically and delete all the files.  Another approach is to go into this using the FTP client and use DELE "goofy file name".  That also works sometimes.

Can you capture the output of your DIR /X for this folder and post it here?
bendecko,

Don't click the REFRESH on your browser after posting a comment.  You get a duplicate!!!  Use the RELOAD QUESTION at the top of the page...
OOPS!

OK, here's the output.  Remember I can't 'CD' into it, but via Windows Explorer I can see the folder aux.beagle.aux beneath it.  Clicking on aux.beagle.aux hangs Explorer.

C:\Inetpub\ftproot\0303~1\FOR~1\DARKCI~1>dir
 Volume in drive C has no label.
 Volume Serial Number is 14FB-F168

 Directory of C:\Inetpub\ftproot\0303~1\FOR~1\DARKCI~1

18/04/2001  19:58       <DIR>          .
18/04/2001  19:58       <DIR>          ..
18/04/2001  19:58       <DIR>          com2
               0 File(s)              0 bytes
               3 Dir(s)  15,076,954,112 bytes free

C:\Inetpub\ftproot\0303~1\FOR~1\DARKCI~1>dir /x
 Volume in drive C has no label.
 Volume Serial Number is 14FB-F168

 Directory of C:\Inetpub\ftproot\0303~1\FOR~1\DARKCI~1

18/04/2001  19:58       <DIR>                          .
18/04/2001  19:58       <DIR>                          ..
18/04/2001  19:58       <DIR>                          com2
               0 File(s)              0 bytes
               3 Dir(s)  15,076,954,112 bytes free

C:\Inetpub\ftproot\0303~1\FOR~1\DARKCI~1>


thanks

bendecko
ASKER CERTIFIED SOLUTION
jhance

Brill.

Got a copy of the POSIX tools and rmdir'ed the little blighters to electronic nirvana.

Your comments most appreciated.

Thanks

Bendecko
I just noticed this on my webserver, and I probably messed up with the FTP write stuff....I just have blank folders off the root of my webserver where the site is located....how do I get rid of them?  I don't understand this POSIX stuff.
wreed,

This became a 'mission' for me to achieve.  I didn't get the POSIX stuff to begin with either, but I do believe there probably aren't many other ways of getting rid of those folder names.

bendecko
bendecko,

I am just going to move some folders and reformat the partition....it was a mistake I found where I left write rights on for the anonymous account.  Noobie Admin error, I will learn from my mistakes.
No need to reformat the drive.  I responded to another thread in the XP forum that I had my FTP server hacked too.  Thought it was Apple or Macintosh files because of files that were "stuffed" in some folders.  I did have whole or partial movie files uploaded too.  I had directories named com1, com2, and everything in between.  I had many nested folders with extended character set names (see the alt+numberpad discussion above) as well.  The key to solving the problem was using the "deltree" utility found on Win95/98.  It works in an NT4/2K/XP command window.  It did not like deleting subdirectories with extended characters and spaces.  I had to manually rename them with the "ren" command, encasing the directory name in quotes and using [alt]+numberpad to display characters ([alt]+127 is the little house, for instance).  After doing this for several layers of directories, I cd'd into one of the directories I renamed and used the deltree command like this: deltree bad_dir\*.*

Important not to put /Y in front; it didn't work when I did that.  I found I never had to do anything special to get rid of com1 and other reserved-name files.  Then I removed the renamed directory with "rd".  I had to go many layers deep for renaming, but didn't have to go to the lowest folder.  Some of the directories with dots in front still got deleted by "deltree".

Hope this helps!

I ended up just reformatting the partition, no big deal: pulled all my files off, reformatted, then put them back on.
We had a couple of servers that were left open to anonymous users with write permissions enabled for the FTP server. People took advantage of the open state of the IIS boxes and immediately started to fill the drives with gigs and gigs of data, ranging from .mp3s to full-length ripped DVDs.  The directory structure was confounding, and it took me a few days of research to finally find an easy solution for deleting these files, which could not be dealt with by any conventional form of file removal. I tried everything - the deltree usage, the renaming, even the Microsoft solution did not work for me the way they presented it (surprise!).

After reading this thread (and several others) I had an idea, tried it, and poof - all the files and directories are gone! No need for the tedious cd, ren, dir /x stuff that was so frustrating - and did not work.

Here's what I did:

Stopped the IIS services
Copied the APPS\POSIX directory from the Windows 2000 Resource Kit CD to the server
renamed c:\inetpub\ftproot to c:\inetpub\crap
moved the c:\inetpub\crap directory into the POSIX directory
Opened a command prompt and executed:
C:\POSIX\rm -r crap

POOF!!! In an instant (well, not really, it deleted over 30 Gb of data) everything was gone in that hideous directory!
Yes, that's a valid and well documented solution.  The problem is that not everyone has the W2K RESKIT.  The above mentioned solutions do not require the RESKIT.
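The names this thread fights with (an all-spaces folder, " . tagged . ", com2, aux.beagle.aux, alt+255 characters) are all legal for NTFS; what fails is the Win32 path layer, which strips trailing spaces and dots and intercepts DOS device names before NTFS ever sees them. The Resource Kit rm and the POSIX tools work because they bypass that layer, and the `\\?\` path prefix does the same from any Win32 program. The Python below is an added example, not code from any poster: it flags the offending components in a list of paths constructed from the names quoted above, and `remove_tree` deletes such a tree through `\\?\` paths on Windows.

```python
import os
import re

# Win32 reserves these device names (NTFS does not), so a component whose stem matches,
# like com2 or aux.beagle.aux, is legal on disk but unreachable through ordinary paths.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}

def win32_name_problems(name):
    """List the reasons one path component defeats normal Win32 name handling."""
    problems = []
    if name.split(".", 1)[0].upper() in RESERVED:
        problems.append("reserved device name")
    if name != name.rstrip(" ."):  # covers the all-spaces folder too
        problems.append("trailing space or dot")  # Win32 silently strips these on open
    if any(ord(c) < 32 for c in name):
        problems.append("control character")
    if "\u00a0" in name:  # alt+255 under an OEM code page is byte 0xFF, a no-break space
        problems.append("no-break space (alt+255)")
    return problems

def scan(paths):
    """Map each path to its offending components and why they offend."""
    report = {}
    for path in paths:
        comps = [c for c in re.split(r"[\\/]", path) if c not in ("", ".", "..")]
        found = {c: win32_name_problems(c) for c in comps}
        if any(found.values()):
            report[path] = {c: why for c, why in found.items() if why}
    return report

def extended_path(path):
    r"""Prefix a drive path with \\?\ so Win32 hands it to NTFS without normalising it."""
    return path if path.startswith("\\\\?\\") else "\\\\?\\" + path

def remove_tree(root):
    r"""Delete a problem tree bottom-up through \\?\ paths (Windows only)."""
    root = extended_path(root)
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            os.remove(os.path.join(dirpath, name))
        for name in dirnames:
            os.rmdir(os.path.join(dirpath, name))
    os.rmdir(root)

SAMPLE_PATHS = [  # constructed from the names quoted in this thread, not real files
    r"c:\inetpub\ftproot\    \ . tagged . \stuff\game.zip",
    r"c:\inetpub\ftproot\0303~1\FOR~1\DARKCI~1\com2\aux.beagle.aux",
    "c:\\inetpub\\ftproot\\legit\u00a0dir\\readme.txt",
    r"c:\inetpub\ftproot\pub\readme.txt",
]
```

Running `scan` over an FTP root's directory listing is a cheap check that anonymous write access has not been abused this way; `remove_tree` needs a drive-letter path and only makes sense on the affected Windows box.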