Solved

hacked tagged ftp directory contains undeletable folders

Posted on 2001-07-18
25
415 Views
Last Modified: 2008-02-01
Hi,

Esoteric question for you.

I have a Windows 2000 Server box at home which I play around on.  It doesn't contain anything of particular value.

I have an ADSL connection and left open the FTP service to Write access.  Loads of hackers uploaded tons of stuff (!) games, cracks, hacks etc.  Weird - mad or what?

NTFS partition.  SP2.  Win2K server.

Anyway they have managed to create a couple of folders that I cannot get rid of.  Also cannot find any reference to this kind of behaviour anywhere on the net.

The directories have been 'tagged'  eg.  some are called c:\inetpub\ftproot\    \ . tagged . \ stuff\game.zip

(note the spaces - or indeterminate whitespace)

None of the directories have any attribs or properties in Explorer properties.

I cannot rename, delete, move or otherwise alter the top directory called  "     "  or any subdirectories.  I am greeted with "Error deleting file or folder: cannot read from the source file or disk" dialogue.

Also highlighting the "    ", copying and pasting that into a DOS box (with quotes) and CD "    " gets nowhere either.

Also there is a directory at the bottom which simply crashes Explorer when it is highlighted.  It is called aux.beagle.aux and has no spaces around it.

Clearly a reformat will do - but I am really more interested in what tricks they have pulled to create these directories.   And what is more - what is beneath that final directory to which I have no access.  ;-)

Any thoughts?

bendecko




0
Question by:bendecko
25 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 6296523
They may have hacked your registry to prevent you from doing anything with it or there may be a process running that is monitoring the activities of these folders. Also these may be ghost directories that are actually sitting on a different machine altogether but are being shown like they are on your machine. This stuff fascinates me as well.

I am sure you have heard of Steve Gibson (a hacking guru). He has a site that is dedicated to investigating this kind of stuff. I imagine he may be interested in knowing about this and probably can tell you what is happening. Here is his site and I believe he posts an email link.

http://grc.com/default.htm


The Crazy One
0
 
LVL 32

Expert Comment

by:jhance
ID: 6296557
This is a {bug : feature :} in Explorer where it won't let you delete files that are perfectly legal for the filesystem...

But there is a method:

Open a CMD window and CD to the start of this mess.  Then use the:

DIR /X

command to see the SHORT FILE NAMES of the offending files or folders.

If it's just files, you can delete them with DEL and the short names.  Otherwise, continue CD'ing down the hierarchy using the short names until you reach the bottom and delete your way back up.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 6296601
jhance
Would RMDIR work? What is the bug? I haven't run across it before. In other words, why doesn't it allow any manipulation of the folder? Just curious. :>)
0
 
LVL 32

Expert Comment

by:jhance
ID: 6296612
Yes, RMDIR (or RM) works with the SHORT FILE name.  I've got the information written down on a note somewhere how to create these files.  If I can find it I'll post it here.  I think it's just control chars in the file names that fool Explorer.  The DOS short file names, however, always work fine.

The situation looks really bad and you think someone has done horrible things but it's really just Explorer not handling the filenames properly.  My opinion is that any filename that can be stored by the filesystem should be deleteable.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 6296624
Is it the ole alt+255 trick?
0
 
LVL 32

Expert Comment

by:jhance
ID: 6296625
Something like that but it's a little different when done via FTP.  but you have the right idea...
0
 
LVL 32

Expert Comment

by:jhance
ID: 6298204
bendecko,

Any progress???
0
 
LVL 4

Expert Comment

by:andydis
ID: 6298973
Ha, I know this one..... it's the old
255 trick, yes, along with a few vulnerabilities in Win2K

my advice:-

GET sp2 NOW!!!!!!!!!!!!!!
or else they can take over what they want!
stop anon ftp access.......

use NTFSDOS to get rid of the unwanted folders.....
erm........

see what happens then (until the next vulnerability)
0
 
LVL 4

Expert Comment

by:andydis
ID: 6299002
did I mention change your passwords?
lol
0
 
LVL 32

Expert Comment

by:jhance
ID: 6299070
andydis,

It's probably not a password issue or a security breach.  This is most often just an exploit of an anonymous login to the FTP server.  Since it was permitted to start with, the user (in my opinion) didn't actually break in.

The way to stop this is:

1) Don't run FTP at all unless you need it.
2) Don't permit anonymous FTP sessions to WRITE.
3) Don't permit anonymous FTP sessions at all.
0
 
LVL 1

Author Comment

by:bendecko
ID: 6299149
Thanks guys.

ok - the dir /x parameter works for the first few directories down.

Then I get to a directory where the 'long name' is com2 and the dir /x output is blank   ?!

I cannot CD into nothing.  If I run  start . at this point I get an explorer window with a folder com2 in it.   and explorer allows me in.

In there is a folder called aux.beagle.aux and then explorer hangs.

What other exploits could there be that cause the 8.3 name to be blank?

bendecko

ps what is the ALT 255 trick?
0
 
LVL 32

Expert Comment

by:jhance
ID: 6299209
bendecko,

Look closer.  I don't think it's blank.  The DIR /X will show you the short file name but it may have characters after the "." so the name might just be an extension.  

Don't try to use EXPLORER on this. It will fail...

I've also not seen this with COM2, which is a special name for a device.  If the DIR /X is really not giving you anything (and I've never seen this happen) you could also write a small app that would search the dir programmatically and delete all the files.  Another approach is to go into this using the FTP client and use the DELE "goofy file name".  That also works sometimes.

Can you capture the output of your DIR /X for this folder and post it here?
0
 
LVL 32

Expert Comment

by:jhance
ID: 6299248
0
 
LVL 1

Author Comment

by:bendecko
ID: 6299264
Thanks guys.

ok - the dir /x parameter works for the first few directories down.

Then I get to a directory where the 'long name' is com2 and the dir /x output is blank   ?!

I cannot CD into nothing.  If I run  start . at this point I get an explorer window with a folder com2 in it.   and explorer allows me in.

In there is a folder called aux.beagle.aux and then explorer hangs.

What other exploits could there be that cause the 8.3 name to be blank?

bendecko

ps what is the ALT 255 trick?
0
 
LVL 32

Expert Comment

by:jhance
ID: 6299283
bendecko,

Don't click the REFRESH on your browser after posting a comment.  You get a duplicate!!!  Use the RELOAD QUESTION at the top of the page...
0
 
LVL 1

Author Comment

by:bendecko
ID: 6304872
OOPS!

ok here's the output.  Remember I can't 'CD' into it, but via Windows Explorer I can see the folder aux.beagle.aux beneath it.  Clicking on aux.beagle.aux hangs Explorer.

C:\Inetpub\ftproot\0303~1\FOR~1\DARKCI~1>dir
 Volume in drive C has no label.
 Volume Serial Number is 14FB-F168

 Directory of C:\Inetpub\ftproot\0303~1\FOR~1\DARKCI~1

18/04/2001  19:58       <DIR>          .
18/04/2001  19:58       <DIR>          ..
18/04/2001  19:58       <DIR>          com2
               0 File(s)              0 bytes
               3 Dir(s)  15,076,954,112 bytes free

C:\Inetpub\ftproot\0303~1\FOR~1\DARKCI~1>dir /x
 Volume in drive C has no label.
 Volume Serial Number is 14FB-F168

 Directory of C:\Inetpub\ftproot\0303~1\FOR~1\DARKCI~1

18/04/2001  19:58       <DIR>                          .
18/04/2001  19:58       <DIR>                          ..
18/04/2001  19:58       <DIR>                          com2
               0 File(s)              0 bytes
               3 Dir(s)  15,076,954,112 bytes free

C:\Inetpub\ftproot\0303~1\FOR~1\DARKCI~1>


thanks

bendecko
0
 
LVL 32

Accepted Solution

by:
jhance earned 200 total points
ID: 6304877
Again, please see:

http://support.microsoft.com/support/kb/articles/Q120/7/16.ASP

It tells how to deal with the COM2 file name....
0
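The names described in the question (a whitespace-only folder, " . tagged . ", com2, aux.beagle.aux) and the reserved device names the linked KB article deals with share one cause: the Win32 path layer normalises names before NTFS sees them, so a name that NTFS stored verbatim cannot be spelled by Explorer or CD. The script below is an added example written for this thread; it is not code from the thread, from Microsoft or from the Resource Kit. It flags path components that are reserved DOS device names, end in a space or dot, are whitespace-only, or contain control characters or the non-breaking space that Alt+255 produces in the OEM code page, and it builds the `\\?\` extended-length form of a path, which tells Win32 to hand the path to NTFS without normalisation. The sample paths are constructed for the example, and the removal routine runs as a dry run by default and only does anything on Windows.

```python
r"""Added example (not from the thread): find folder names that Windows
Explorer and cmd.exe cannot address, and build \\?\ paths for removing them."""
import os
from typing import Dict, List, Tuple

# Device names the Win32 layer reserves in every directory. The check ignores
# any extension, so com2.txt, "aux.beagle.aux" and "com2 " all collide.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Constructed sample paths modelled on the thread; not taken from a real server.
SAMPLE_PATHS = [
    "C:\\Inetpub\\ftproot\\    \\ . tagged . \\stuff\\game.zip",
    "C:\\Inetpub\\ftproot\\0303\\FOR\\DARKCI\\com2\\aux.beagle.aux",
    "C:\\Inetpub\\ftproot\\\xa0\\warez",   # \xa0 is what Alt+255 yields in CP437
    "C:\\Inetpub\\ftproot\\pub\\readme.txt",
]


def reserved_stem(component: str) -> bool:
    """True if Win32 would treat this name as a device. Win32 compares only the
    text before the first '.', with trailing spaces and dots removed."""
    stem = component.split(".", 1)[0].rstrip(" .")
    return stem.upper() in RESERVED_DEVICES


def name_findings(component: str) -> List[str]:
    """Return the reasons a single path component is unaddressable through the
    normal Win32 path rules (an empty list means the name is ordinary)."""
    findings: List[str] = []
    if component == "":
        return findings
    if component.strip(" ") == "":
        findings.append("whitespace-only")
    if component != component.rstrip(" ."):
        # Win32 normalisation trims trailing spaces and dots, so an NTFS name
        # that keeps them can never be spelled from Explorer or CD.
        findings.append("trailing-space-or-dot")
    if reserved_stem(component):
        findings.append("reserved-device-name")
    if any(ord(ch) < 32 or ch == "\xa0" for ch in component):
        findings.append("control-or-nbsp-char")
    return findings


def scan_paths(paths: List[str]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Map each suspicious path to its flagged components and their findings."""
    report: Dict[str, List[Tuple[str, List[str]]]] = {}
    for path in paths:
        flagged = []
        for component in path.split("\\"):
            findings = name_findings(component)
            if findings:
                flagged.append((component, findings))
        if flagged:
            report[path] = flagged
    return report


def extended_path(win_path: str) -> str:
    r"""Prefix a fully qualified Windows path with \\?\ so the Win32 layer
    passes it to NTFS verbatim: no device-name check, no trimming of trailing
    spaces or dots. UNC paths take the \\?\UNC\server\share form."""
    if win_path.startswith("\\\\?\\"):
        return win_path
    if win_path.startswith("\\\\"):
        return "\\\\?\\UNC\\" + win_path[2:]
    return "\\\\?\\" + win_path


def remove_tree_extended(root: str, dry_run: bool = True) -> List[str]:
    r"""Delete a directory tree bottom-up through the \\?\ namespace and return
    the paths removed (in a dry run, the paths that would be removed).
    Meaningful only on Windows; elsewhere the prefixed path does not exist."""
    target = extended_path(root)
    removed: List[str] = []
    # topdown=False yields children before parents, so every directory is
    # already empty by the time its parent's listing asks to rmdir it.
    for dirpath, dirnames, filenames in os.walk(target, topdown=False):
        for name in filenames:
            full = dirpath + "\\" + name
            if not dry_run:
                os.remove(full)
            removed.append(full)
        for name in dirnames:
            full = dirpath + "\\" + name
            if not dry_run:
                os.rmdir(full)
            removed.append(full)
    if os.path.isdir(target):
        if not dry_run:
            os.rmdir(target)
        removed.append(target)
    return removed


if __name__ == "__main__":
    for path, flagged in scan_paths(SAMPLE_PATHS).items():
        print(path)
        for component, findings in flagged:
            print(f"  {component!r}: {', '.join(findings)}")
    print("equivalent cmd.exe command: rd " + extended_path("C:\\Inetpub\\ftproot\\com2"))
```

Run the scan first over a listing of the FTP root (for example the output of a recursive directory walk) and review the report before removing anything; the same `\\?\` form the script builds can be typed directly into a cmd.exe `rd` or `del` command, which is why the KB approach works without the Resource Kit's POSIX rm.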
 
LVL 1

Author Comment

by:bendecko
ID: 6332372
Brill.

Got a copy of the POSIX tools and rmdir'ed the little blighters to electronic nirvana.

Your comments most appreciated.

Thanks

Bendecko
0
 

Expert Comment

by:wreed
ID: 7380226
I just noticed this on my webserver, and I probably messed up with the FTP write stuff....I just have blank folders off the root of my webserver where the site is located....how do I get rid of them?  I don't understand this POSIX stuff.
0
 
LVL 1

Author Comment

by:bendecko
ID: 7381144
wreed,

this became a 'mission' for me to achieve.  I didn't get the POSIX stuff to begin with either; but I do believe there probably aren't many other ways of getting rid of those folder names.

bendecko
0
 

Expert Comment

by:wreed
ID: 7383031
bendecko,

I am just going to move some folders and reformat the partition....it was a mistake I found where I left write rights on for the anonymous account.  Noobie Admin error, I will learn from my mistakes.
0
 

Expert Comment

by:firstbyte
ID: 7398941
No need to reformat the drive.  I responded to another thread in the XP forum that I had my FTP server hacked too.  Thought it was Apple or Macintosh files because of files that were "stuffed" in some folders.  I did have whole or partial movie files uploaded too.  I had directories named com1, com2, and everything in between.  I had many nested folders with extended character set (see alt+numberpad discussion above) as well.  The key to solving the problem was using the "deltree" utility found on Win95/98.  It works in an NT4/2K/XP command window.  It did not like deleting subdirectories with extended characters and spaces.  I had to manually rename them by the "ren" command, encasing the directory name in quotes and using [alt]+numberpad to display characters ([alt]+127 is the little house, for instance).  After doing this for several layers of directories, I cd'd into one of the directories I renamed and used the deltree command like this: deltree bad_dir\*.*

Important not to put /Y in front, it didn't work when I did that.  I found I never had to do anything special to get rid of com1 and other reserved-name files.  Then I removed the renamed directory with "rd".  I had to go many layers deep for renaming, but didn't have to go to the lowest folder.  Some of the directories with dots in front still got deleted by "deltree".

Hope this helps!

0
 

Expert Comment

by:wreed
ID: 7405883
I ended up just reformatting the partition, no big deal, pulled all my files off, reformatted then put them back on.
0
 

Expert Comment

by:tmdgod
ID: 8006406
We had a couple of servers that were left open to anonymous users with write permissions enabled for the ftp server. People took advantage of the open state of the IIS boxes and immediately started to fill the drives with gigs and gigs of data, ranging from .mp3s to full length ripped dvds.  The directory structure was confounding and it took me a few days of research to finally find an easy solution for deleting these files, which could not be dealt with by any conventional form of file removal. I tried everything - the deltree usage, the renaming, even the Microsoft solution did not work for me the way they presented it (surprise!).

After reading this thread (and several others) I had an idea, tried it, and poof - all the files and directories are gone! No need for the tedious cd, ren, dir /x stuff that was so frustrating - and did not work.

Here's what I did:

Stopped the IIS services
Copied the APPS\POSIX directory from the Windows 2000 Resource Kit CD to the server
renamed c:\inetpub\ftproot to c:\inetpub\crap
moved the c:\inetpub\crap directory into the POSIX directory
Opened a command prompt and executed:
C:\POSIX\rm -r crap

POOF!!! In an instant (well, not really, it deleted over 30 Gb of data) everything was gone in that hideous directory!
0
 
LVL 32

Expert Comment

by:jhance
ID: 8007498
Yes, that's a valid and well documented solution.  The problem is that not everyone has the W2K RESKIT.  The above mentioned solutions do not require the RESKIT.
0
