Solved

Win2000 has been hacked ;-(

Posted on 2002-04-23
30
243 Views
Last Modified: 2012-05-04
My FTP directory has been filled up by a hacker. I did stop everything, but some directories are impossible to delete. Does anybody have a way...

Permission is denied for administrator on those directories; some others are telling me that the name is invalid...

need help or I will reformat

Question by:dabellei
30 Comments
 
LVL 2

Author Comment

by:dabellei
I want to delete my FTP directory completely

LVL 16

Expert Comment

by:GUEEN
OK, IIS with a trail of dirs that you can't delete.
Well, the safest way is to back up what you need and reformat. If you can't do this, try this:

http://lists.jammed.com/crime/2002/01/0005.html
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q120716

Are you sure that it was a hacker and not the Code Red worm?
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31878


LVL 16

Expert Comment

by:GUEEN
First you need to 'take ownership' of the files then use regedt32 to give yourself back the rights.



LVL 16

Expert Comment

by:GUEEN
If worse comes to worst, try FTPing to the system anonymously and see what you can do via that method.

LVL 16

Expert Comment

by:GUEEN
Also go to this link and test your shields (see which ports are not safe):
http://grc.com/intro.htm

Also here: http://www.eeye.com/html/Research/Tools/index.html
and check for nimda

Which firewall are you running?  

LVL 16

Expert Comment

by:GUEEN
Also, if you do not have the Windows 2000 Server Resource Kit CD (if you do, rm.exe is located in the apps\posix directory), download rm.exe here: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31878

You can use a command line such as this to delete the entire FTP root (the closing quote was missing in the original):

posix /c c:\rm.exe -r "//C/Inetpub/ftproot"


LVL 32

Expert Comment

by:jhance
It's generally not as bad as it looks with FTP hacks.  These are just illegal file names that confuse Windows Explorer.  But the trusty old CMD shell and short-file-names come to the rescue.

1) Open a CMD.EXE window.
2) CD to the top of the mess.
3) Use DIR /X /A to see the SHORT FILE NAMES of the files and directories there.
4) Use a combination of CD, RD, and DEL and the SHORT FILE names reported with DIR /X to delete your way to the bottom and then back up the tree, removing the files on the way down and the directories on the way up.
5) Most likely there is NOT a protection issue here, so you shouldn't need to worry about ownership or file protections.

6) If you don't want this to happen again, secure your FTP service, or if you don't need it, open the Management Console and just STOP the FTP service.

LVL 2

Author Comment

by:dabellei
Can't find rm.exe. Can anybody send it to me?

LVL 32

Expert Comment

by:jhance
rm is a Unix utility, but you DON'T need it here. Just follow the steps I detailed above. CMD has everything you need to clean this up.

LVL 2

Author Comment

by:dabellei
Well, using a cmd window does not work.

LVL 16

Expert Comment

by:GUEEN
Dabellei -
I provided you with a link above to download it:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31878

LVL 16

Expert Comment

by:GUEEN
dabellei,
Reading the links that I provided above will also be very helpful to you :)

LVL 44

Expert Comment

by:CrazyOne
>>> well using a cmd window does not work

Did you follow jhance's instructions on what to do? If so please tell us what happened and what you did.


The Crazy One

LVL 2

Author Comment

by:dabellei
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31878
This link brings me to a Code Red download? Not RM.

I did follow the other links as well; most of them are telling me to use rm...

LVL 2

Author Comment

by:dabellei
Well, I got the short names. One of them is com1~1 for the com1 dir; when I delete it I did not get any error message, but the dir was not removed.

LVL 32

Expert Comment

by:jhance
Yes, using a CMD window DOES work. I've done this type of cleanup many times. (And as much as I hate to admit it, once for myself...)

IF you are having difficulty with it, please SPECIFY what the problem is. What you have on your system is a bunch of "tagged" folders and ripped DVD movies stored on your system. Any idiot can download the tools that do this, and it just goes out and scans for vulnerable FTP servers.

It's a pain and a nuisance but it's not nearly as malicious as it seems.

LVL 32

Expert Comment

by:jhance
You must DELETE EVERYTHING in and BELOW COM1~1 before you can delete it. Like I said, delete files from top to bottom of the directory hierarchy, and then delete the folders as you come back up. It takes a few minutes, but you'll be OK.

LVL 32

Expert Comment

by:jhance
Look at this link:

http://phatdelux.host.sk/FTP.htm

This is the way these things are used. Note the goofy way the paths are made... It's intentionally that way to confuse the issue.

LVL 2

Author Comment

by:dabellei
OK, it is working for everything except some dirs that have the name com1 and no short name...

LVL 32

Expert Comment

by:jhance
Look closer, there is a SHORT NAME. Remember that even folders can have file extensions.

LVL 32

Expert Comment

by:jhance
If you can't see it, do a DIR /X /A, capture the output and post it here.

LVL 2

Author Comment

by:dabellei
How can I post it here?

LVL 2

Author Comment

by:dabellei
F:\InetPub\ftproot>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot

2002-04-23  20:56       <DIR>                          .
2002-04-23  20:56       <DIR>                          ..
2002-04-23  20:54       <DIR>          020402~1        020402004133p
2002-04-13  09:41       <DIR>                          _bx
               0 File(s)              0 bytes
               4 Dir(s)   1 296 015 360 bytes free

F:\InetPub\ftproot>cd _bx

F:\InetPub\ftproot\_bx>dir
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx

2002-04-13  09:41       <DIR>          .
2002-04-13  09:41       <DIR>          ..
2002-03-27  11:16       <DIR>          01030139391
2002-03-27  11:16       <DIR>          013913913
2002-03-27  11:16       <DIR>          019391313
2002-03-27  11:17       <DIR>          024812321
2002-03-27  11:17       <DIR>          0312823192
2002-03-27  11:17       <DIR>          048129212
2002-03-27  11:17       <DIR>          0512381312
2002-04-13  09:42       <DIR>          0512381412
2002-03-27  11:17       <DIR>          061712812
2002-03-27  11:18       <DIR>          0813731312
2002-03-27  11:16       <DIR>          09130913013
               0 File(s)              0 bytes
              13 Dir(s)   1 296 015 360 bytes free

F:\InetPub\ftproot\_bx>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx

2002-04-13  09:41       <DIR>                          .
2002-04-13  09:41       <DIR>                          ..
2002-03-27  11:16       <DIR>          010301~1        01030139391
2002-03-27  11:16       <DIR>          013913~1        013913913
2002-03-27  11:16       <DIR>          019391~1        019391313
2002-03-27  11:17       <DIR>          024812~1        024812321
2002-03-27  11:17       <DIR>          031282~1        0312823192
2002-03-27  11:17       <DIR>          048129~1        048129212
2002-03-27  11:17       <DIR>          051238~1        0512381312
2002-04-13  09:42       <DIR>          051238~2        0512381412
2002-03-27  11:17       <DIR>          061712~1        061712812
2002-03-27  11:18       <DIR>          081373~1        0813731312
2002-03-27  11:16       <DIR>          091309~1        09130913013
               0 File(s)              0 bytes
              13 Dir(s)   1 296 015 360 bytes free

F:\InetPub\ftproot\_bx>deltree
'deltree' is not recognized as an internal or external command,
operable program or batch file.

F:\InetPub\ftproot\_bx>cd 010301~1

F:\InetPub\ftproot\_bx\010301~1>dir
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\010301~1

2002-03-27  11:16       <DIR>          .
2002-03-27  11:16       <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   1 296 015 360 bytes free

F:\InetPub\ftproot\_bx\010301~1>cd..

F:\InetPub\ftproot\_bx>rd 010301~1

F:\InetPub\ftproot\_bx>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx

2002-04-23  20:57       <DIR>                          .
2002-04-23  20:57       <DIR>                          ..
2002-03-27  11:16       <DIR>          013913~1        013913913
2002-03-27  11:16       <DIR>          019391~1        019391313
2002-03-27  11:17       <DIR>          024812~1        024812321
2002-03-27  11:17       <DIR>          031282~1        0312823192
2002-03-27  11:17       <DIR>          048129~1        048129212
2002-03-27  11:17       <DIR>          051238~1        0512381312
2002-04-13  09:42       <DIR>          051238~2        0512381412
2002-03-27  11:17       <DIR>          061712~1        061712812
2002-03-27  11:18       <DIR>          081373~1        0813731312
2002-03-27  11:16       <DIR>          091309~1        09130913013
               0 File(s)              0 bytes
              12 Dir(s)   1 296 015 360 bytes free

F:\InetPub\ftproot\_bx>rd 013913~1

F:\InetPub\ftproot\_bx>rd 019391~1

F:\InetPub\ftproot\_bx>rd 024812~1

F:\InetPub\ftproot\_bx>rd 031282~1

F:\InetPub\ftproot\_bx>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx

2002-04-23  20:58       <DIR>                          .
2002-04-23  20:58       <DIR>                          ..
2002-03-27  11:17       <DIR>          048129~1        048129212
2002-03-27  11:17       <DIR>          051238~1        0512381312
2002-04-13  09:42       <DIR>          051238~2        0512381412
2002-03-27  11:17       <DIR>          061712~1        061712812
2002-03-27  11:18       <DIR>          081373~1        0813731312
2002-03-27  11:16       <DIR>          091309~1        09130913013
               0 File(s)              0 bytes
               8 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx>rd 048129~1

F:\InetPub\ftproot\_bx>rd 051238~1

F:\InetPub\ftproot\_bx>rd 051238~2
The directory is not empty.

F:\InetPub\ftproot\_bx>rd 061712~1

F:\InetPub\ftproot\_bx>rd 081373~1
The directory is not empty.

F:\InetPub\ftproot\_bx>rd 091309~1

F:\InetPub\ftproot\_bx>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx

2002-04-23  20:59       <DIR>                          .
2002-04-23  20:59       <DIR>                          ..
2002-04-13  09:42       <DIR>          051238~2        0512381412
2002-03-27  11:18       <DIR>          081373~1        0813731312
               0 File(s)              0 bytes
               4 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx>cd 051238~2

F:\InetPub\ftproot\_bx\051238~2>dir
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2

2002-04-13  09:42       <DIR>          .
2002-04-13  09:42       <DIR>          ..
2002-04-13  09:42       <DIR>          ~tmp
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2

2002-04-13  09:42       <DIR>                          .
2002-04-13  09:42       <DIR>                          ..
2002-04-13  09:42       <DIR>                          ~tmp
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2>rd ~tmp
The directory is not empty.

F:\InetPub\ftproot\_bx\051238~2>cd ~tmp

F:\InetPub\ftproot\_bx\051238~2\~tmp>dir
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp

2002-04-13  09:42       <DIR>          .
2002-04-13  09:42       <DIR>          ..
2002-04-23  19:09       <DIR>          ~    .Tagged
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp

2002-04-13  09:42       <DIR>                          .
2002-04-13  09:42       <DIR>                          ..
2002-04-23  19:09       <DIR>          ~8283~1.TAG     ~    .Tagged
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp>rd ~8283~1.tag
The directory is not empty.

F:\InetPub\ftproot\_bx\051238~2\~tmp>cd ~8283~1.tag

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG>dir
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG

2002-04-23  19:09       <DIR>          .
2002-04-23  19:09       <DIR>          ..
2002-04-13  09:42       <DIR>          ~by Bricole
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG

2002-04-23  19:09       <DIR>                          .
2002-04-23  19:09       <DIR>                          ..
2002-04-13  09:42       <DIR>          ~BYBRI~1        ~by Bricole
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG>cd ~bybri~1

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1>dir
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1

2002-04-13  09:42       <DIR>          .
2002-04-13  09:42       <DIR>          ..
2002-04-23  19:09       <DIR>          com4
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1

2002-04-13  09:42       <DIR>                          .
2002-04-13  09:42       <DIR>                          ..
2002-04-23  19:09       <DIR>                          com4
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1

2002-04-13  09:42       <DIR>                          .
2002-04-13  09:42       <DIR>                          ..
2002-04-23  19:09       <DIR>                          com4
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1

2002-04-13  09:42       <DIR>                          .
2002-04-13  09:42       <DIR>                          ..
2002-04-23  19:09       <DIR>                          com4
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1

2002-04-13  09:42       <DIR>                          .
2002-04-13  09:42       <DIR>                          ..
2002-04-23  19:09       <DIR>                          com4
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1>

LVL 32

Expert Comment

by:jhance
OK, with the COM4 files or folders see:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q120716

LVL 32

Expert Comment

by:jhance
The last part of the article is what you want:

Another option is to use a syntax that bypasses the normal reserve-word checks altogether. For example, you can possibly delete any file with a command such as:
DEL \\.\driveletter:\path\filename
For example:

DEL \\.\c:\somedir\aux

So you should be able to do:

CD \\.\F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1\COM4

to get into it and:

RMDIR \\.\F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1\COM4

to delete the folder once it's empty.
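As an added example (not code posted in this thread), here is the logic behind jhance's steps 3 and 4 and the `\\.\` syntax quoted from the KB article, written in Python: it parses `dir /x /a` output (directory lines only, which is all this cleanup needs), keeps the 8.3 alias for each long name, and marks device names such as COM4, which get the `\\.\` prefix. The function names, the RESERVED set and the sample listing (copied from the session posted above) are the example's own.

```python
import re
from typing import NamedTuple, Optional

# Win32 treats these stems as device names whatever the extension, so a folder
# called COM4 (or COM1.TXT) needs the \\.\ prefix before RD will touch it.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)})

class Entry(NamedTuple):
    short: Optional[str]  # 8.3 alias; None when the long name is already 8.3
    long: str

def parse_dir_x(listing: str) -> list[Entry]:
    """<DIR> entries of a `dir /x /a` listing (directories only, which is all the
    cleanup in this thread needs). Columns are separated by two or more spaces;
    the long name is whatever remains, so embedded spaces like '~    .Tagged' survive."""
    entries = []
    for line in listing.splitlines():
        fields = re.split(r"\s{2,}", line.rstrip("\r\n"), maxsplit=4)
        if len(fields) < 4 or fields[2] != "<DIR>":
            continue  # volume header, file line or summary footer
        short, long = (fields[3], fields[4]) if len(fields) == 5 else (None, fields[3])
        if long not in (".", ".."):
            entries.append(Entry(short, long))
    return entries

def is_reserved(name: str) -> bool:
    """Device-name check: Windows compares the stem before the first dot."""
    return name.split(".")[0].strip().upper() in RESERVED

def needs_bypass(name: str) -> bool:
    """Names plain RD rejects: device names, or names ending in a space or dot."""
    return is_reserved(name) or name != name.rstrip(" .")

def rd_command(cwd: str, entry: Entry) -> str:
    r"""RD line for one already-emptied directory under `cwd`: the 8.3 alias when
    there is one, and the \\.\ form quoted from KB Q120716 for reserved names."""
    path = f"{cwd}\\{entry.short or entry.long}"
    if needs_bypass(entry.long):
        path = "\\\\.\\" + path
    return f'RD "{path}"'

def cleanup_plan(cwd: str, listing: str) -> list[str]:
    """One RD per subdirectory of `cwd`, to be run after each has been emptied."""
    return [rd_command(cwd, e) for e in parse_dir_x(listing)]

# Listing copied from the session posted in this thread (the ~BYBRI~1 level).
BYBRI = r"F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1"
SAMPLE_LISTING = r"""
 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1

2002-04-13  09:42       <DIR>                          .
2002-04-13  09:42       <DIR>                          ..
2002-04-23  19:09       <DIR>                          com4
               0 File(s)              0 bytes
"""

if __name__ == "__main__":
    for cmd in cleanup_plan(BYBRI, SAMPLE_LISTING):
        print(cmd)
```

The emitted RD lines follow the same rule jhance gives: they only succeed once everything below the directory has already been removed, so walk to the bottom first.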
 
LVL 16

Expert Comment

by:GUEEN
Thanks jhance for posting my link in your last post!
dabellei - here is rm.exe:
http://www.naturalpondsandlandscapes.com/paq/RM.zip

LVL 32

Accepted Solution

by: jhance earned 400 total points
Sorry, not intending to step on any toes.

BTW, you should not need to download rm.exe. It's included with W2K.

But you don't need it anyway.

LVL 2

Author Comment

by:dabellei
Thanks for your help, guys, it did work and everything is clean.

shekerra, I will post another question for you to answer and give you points as well; thanks to you guys.

LVL 32

Expert Comment

by:jhance
Glad to help. Be sure you close the holes that were used to get into this. It's generally just anonymous FTP with WRITE permissions in the directories. If you want to have FTP, make it read-only for anonymous.

LVL 16

Expert Comment

by:GUEEN
Also be sure to check your ports at http://grc.com/intro.htm
And yes, jhance, you are welcome.