Solved

Win2000 has been hacked ;-(

Posted on 2002-04-23
252 Views
Last Modified: 2012-05-04
My FTP directory has been filled up by a hacker. I did stop everything, but some directories are impossible to delete. Does anybody have a way...

Permission is denied for administrator on those directories; some others are telling me that the name is invalid...

I need help or I will reformat.
Question by:dabellei
30 Comments
 
LVL 2

Author Comment

by:dabellei
ID: 6964283
I want to delete my FTP directory completely
0
 
LVL 16

Expert Comment

by:GUEEN
ID: 6964292
OK, IIS with a trail of dirs that you can't delete.
Well, the safest way is to back up what you need and reformat. If you can't do this, try this:

http://lists.jammed.com/crime/2002/01/0005.html
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q120716

Are you sure that it was a hacker and not the Code Red worm????
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31878

0
 
LVL 16

Expert Comment

by:GUEEN
ID: 6964297
First you need to 'take ownership' of the files then use regedt32 to give yourself back the rights.


0
 
LVL 16

Expert Comment

by:GUEEN
ID: 6964298
If worse comes to worst - try FTPing to the system anonymously and see what you can do via that method.
0
 
LVL 16

Expert Comment

by:GUEEN
ID: 6964313
Also go to this link and test your shields (see which ports are not safe):
http://grc.com/intro.htm

Also here: http://www.eeye.com/html/Research/Tools/index.html
and check for nimda

Which firewall are you running?  
0
 
LVL 16

Expert Comment

by:GUEEN
ID: 6964328
Also if you do not have the Windows 2000 Server Resource Kit CD (if you do rm.exe is located in the apps\posix directory) download rm.exe here: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31878

You can use a commandline such as this to delete the entire ftp root:

posix /c c:\rm.exe -r "//C/Inetpub/ftproot"

0
 
LVL 32

Expert Comment

by:jhance
ID: 6964350
It's generally not as bad as it looks with FTP hacks.  These are just illegal file names that confuse Windows Explorer.  But the trusty old CMD shell and short-file-names come to the rescue.

1) Open a CMD.EXE window.
2) CD to the top of the mess.
3) Use: DIR /X /A   to see the SHORT FILE NAMES of the files and directories there.
4) Use a combination of CD, RD, and DEL and the SHORT FILE names reported with DIR /X to delete your way to the bottom and then back up the tree, removing the files on the way down and the directories on the way up.
5) Most likely there is NOT a protection issue here, so you shouldn't need to worry about ownership or file protections.

6) If you don't want this to happen again, secure your FTP service, or if you don't need it, open the Management Console and just STOP the FTP service.
0
 
LVL 2

Author Comment

by:dabellei
ID: 6964351
Can't find rm.exe; can anybody send it to me?
0
 
LVL 32

Expert Comment

by:jhance
ID: 6964355
rm is a unix utility but you DON'T need it here.  Just follow the steps I detailed above.  CMD has everything you need to clean this up.
0
 
LVL 2

Author Comment

by:dabellei
ID: 6964363
Well, using a CMD window does not work.
0
 
LVL 16

Expert Comment

by:GUEEN
ID: 6964368
Dabellei -
I provided you with a link above to download it:
: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31878
0
 
LVL 16

Expert Comment

by:GUEEN
ID: 6964373
dabellei,
reading the links that I provided above will also be very helpful to you :)
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 6964377
>>>well using a cmd windows does not work

Did you follow jhance's instructions on what to do? If so please tell us what happened and what you did.


The Crazy One
0
 
LVL 2

Author Comment

by:dabellei
ID: 6964382
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31878 
This link brings me to the Code Red download, not RM.

I did follow the other links as well; most of them are telling me to use rm...
0
 
LVL 2

Author Comment

by:dabellei
ID: 6964383
Well, I got the short name; one of them is com1~1 for the com1 dir. When I deleted it I did not get any error message, but the dir was not removed.
0
 
LVL 32

Expert Comment

by:jhance
ID: 6964387
Yes, using a CMD window DOES work. I've done this type of cleanup many times. (And as much as I hate to admit it, once for myself.....)

IF you are having difficulty with it, please SPECIFY what the problem is. What you have on your system is a bunch of "tagged" folders and ripped DVD movies stored on your system. Any idiot can download the tools that do this, and it just goes out and scans for vulnerable FTP servers.

It's a pain and a nuisance but it's not nearly as malicious as it seems.
0
 
LVL 32

Expert Comment

by:jhance
ID: 6964389
You must DELETE EVERYTHING in and BELOW COM1~1 before you can delete it. Like I said, delete files from top to bottom of the directory hierarchy, and then delete the folders as you come back up. It takes a few minutes, but you'll be OK.
0
 
LVL 32

Expert Comment

by:jhance
ID: 6964395
Look at this link:

http://phatdelux.host.sk/FTP.htm

This is the way these things are used.  Note the goofy way the paths are made...  It's intentionally that way to confuse the issue.
0
 
LVL 2

Author Comment

by:dabellei
ID: 6964405
OK, it is working for everything except some dirs that have the name com1 and no short name....
0
 
LVL 32

Expert Comment

by:jhance
ID: 6964414
Look closer, there is a SHORT NAME. Remember that even folders can have file extensions.
0
 
LVL 32

Expert Comment

by:jhance
ID: 6964415
If you can't see it, do a DIR /X /A and capture the output and post it here.
0
 
LVL 2

Author Comment

by:dabellei
ID: 6964423
how can I post it here?
0
 
LVL 2

Author Comment

by:dabellei
ID: 6964425
F:\InetPub\ftproot>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot

2002-04-23  20:56       <DIR>                          .
2002-04-23  20:56       <DIR>                          ..
2002-04-23  20:54       <DIR>          020402~1        020402004133p
2002-04-13  09:41       <DIR>                          _bx
               0 File(s)              0 bytes
               4 Dir(s)   1 296 015 360 bytes free

F:\InetPub\ftproot>cd _bx

F:\InetPub\ftproot\_bx>dir
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx

2002-04-13  09:41       <DIR>          .
2002-04-13  09:41       <DIR>          ..
2002-03-27  11:16       <DIR>          01030139391
2002-03-27  11:16       <DIR>          013913913
2002-03-27  11:16       <DIR>          019391313
2002-03-27  11:17       <DIR>          024812321
2002-03-27  11:17       <DIR>          0312823192
2002-03-27  11:17       <DIR>          048129212
2002-03-27  11:17       <DIR>          0512381312
2002-04-13  09:42       <DIR>          0512381412
2002-03-27  11:17       <DIR>          061712812
2002-03-27  11:18       <DIR>          0813731312
2002-03-27  11:16       <DIR>          09130913013
               0 File(s)              0 bytes
              13 Dir(s)   1 296 015 360 bytes free

F:\InetPub\ftproot\_bx>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx

2002-04-13  09:41       <DIR>                          .
2002-04-13  09:41       <DIR>                          ..
2002-03-27  11:16       <DIR>          010301~1        01030139391
2002-03-27  11:16       <DIR>          013913~1        013913913
2002-03-27  11:16       <DIR>          019391~1        019391313
2002-03-27  11:17       <DIR>          024812~1        024812321
2002-03-27  11:17       <DIR>          031282~1        0312823192
2002-03-27  11:17       <DIR>          048129~1        048129212
2002-03-27  11:17       <DIR>          051238~1        0512381312
2002-04-13  09:42       <DIR>          051238~2        0512381412
2002-03-27  11:17       <DIR>          061712~1        061712812
2002-03-27  11:18       <DIR>          081373~1        0813731312
2002-03-27  11:16       <DIR>          091309~1        09130913013
               0 File(s)              0 bytes
              13 Dir(s)   1 296 015 360 bytes free

F:\InetPub\ftproot\_bx>deltree
'deltree' is not recognized as an internal or external command,
operable program or batch file.

F:\InetPub\ftproot\_bx>cd 010301~1

F:\InetPub\ftproot\_bx\010301~1>dir
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\010301~1

2002-03-27  11:16       <DIR>          .
2002-03-27  11:16       <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   1 296 015 360 bytes free

F:\InetPub\ftproot\_bx\010301~1>cd..

F:\InetPub\ftproot\_bx>rd 010301~1

F:\InetPub\ftproot\_bx>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx

2002-04-23  20:57       <DIR>                          .
2002-04-23  20:57       <DIR>                          ..
2002-03-27  11:16       <DIR>          013913~1        013913913
2002-03-27  11:16       <DIR>          019391~1        019391313
2002-03-27  11:17       <DIR>          024812~1        024812321
2002-03-27  11:17       <DIR>          031282~1        0312823192
2002-03-27  11:17       <DIR>          048129~1        048129212
2002-03-27  11:17       <DIR>          051238~1        0512381312
2002-04-13  09:42       <DIR>          051238~2        0512381412
2002-03-27  11:17       <DIR>          061712~1        061712812
2002-03-27  11:18       <DIR>          081373~1        0813731312
2002-03-27  11:16       <DIR>          091309~1        09130913013
               0 File(s)              0 bytes
              12 Dir(s)   1 296 015 360 bytes free

F:\InetPub\ftproot\_bx>rd 013913~1

F:\InetPub\ftproot\_bx>rd 019391~1

F:\InetPub\ftproot\_bx>rd 024812~1

F:\InetPub\ftproot\_bx>rd 031282~1

F:\InetPub\ftproot\_bx>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx

2002-04-23  20:58       <DIR>                          .
2002-04-23  20:58       <DIR>                          ..
2002-03-27  11:17       <DIR>          048129~1        048129212
2002-03-27  11:17       <DIR>          051238~1        0512381312
2002-04-13  09:42       <DIR>          051238~2        0512381412
2002-03-27  11:17       <DIR>          061712~1        061712812
2002-03-27  11:18       <DIR>          081373~1        0813731312
2002-03-27  11:16       <DIR>          091309~1        09130913013
               0 File(s)              0 bytes
               8 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx>rd 048129~1

F:\InetPub\ftproot\_bx>rd 051238~1

F:\InetPub\ftproot\_bx>rd 051238~2
The directory is not empty.

F:\InetPub\ftproot\_bx>rd 061712~1

F:\InetPub\ftproot\_bx>rd 081373~1
The directory is not empty.

F:\InetPub\ftproot\_bx>rd 091309~1

F:\InetPub\ftproot\_bx>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx

2002-04-23  20:59       <DIR>                          .
2002-04-23  20:59       <DIR>                          ..
2002-04-13  09:42       <DIR>          051238~2        0512381412
2002-03-27  11:18       <DIR>          081373~1        0813731312
               0 File(s)              0 bytes
               4 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx>cd 051238~2

F:\InetPub\ftproot\_bx\051238~2>dir
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2

2002-04-13  09:42       <DIR>          .
2002-04-13  09:42       <DIR>          ..
2002-04-13  09:42       <DIR>          ~tmp
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2

2002-04-13  09:42       <DIR>                          .
2002-04-13  09:42       <DIR>                          ..
2002-04-13  09:42       <DIR>                          ~tmp
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2>rd ~tmp
The directory is not empty.

F:\InetPub\ftproot\_bx\051238~2>cd ~tmp

F:\InetPub\ftproot\_bx\051238~2\~tmp>dir
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp

2002-04-13  09:42       <DIR>          .
2002-04-13  09:42       <DIR>          ..
2002-04-23  19:09       <DIR>          ~    .Tagged
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp

2002-04-13  09:42       <DIR>                          .
2002-04-13  09:42       <DIR>                          ..
2002-04-23  19:09       <DIR>          ~8283~1.TAG     ~    .Tagged
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp>rd ~8283~1.tag
The directory is not empty.

F:\InetPub\ftproot\_bx\051238~2\~tmp>cd ~8283~1.tag

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG>dir
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG

2002-04-23  19:09       <DIR>          .
2002-04-23  19:09       <DIR>          ..
2002-04-13  09:42       <DIR>          ~by Bricole
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG

2002-04-23  19:09       <DIR>                          .
2002-04-23  19:09       <DIR>                          ..
2002-04-13  09:42       <DIR>          ~BYBRI~1        ~by Bricole
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG>cd ~bybri~1

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1>dir
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1

2002-04-13  09:42       <DIR>          .
2002-04-13  09:42       <DIR>          ..
2002-04-23  19:09       <DIR>          com4
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1>dir /x/a
 Volume in drive F is Local Disk
 Volume Serial Number is 8074-B9D9

 Directory of F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1

2002-04-13  09:42       <DIR>                          .
2002-04-13  09:42       <DIR>                          ..
2002-04-23  19:09       <DIR>                          com4
               0 File(s)              0 bytes
               3 Dir(s)   1 294 991 360 bytes free

F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1>
0
 
LVL 32

Expert Comment

by:jhance
ID: 6964428
OK, with the COM4 files or folders see:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q120716
0
 
LVL 32

Expert Comment

by:jhance
ID: 6964432
The last part of the article is what you want:


Another option is to use a syntax that bypasses the normal reserve-word checks altogether. For example, you can possibly delete any file with a command such as:
DEL \\.\ driveletter :\ path \ filename
For example:

DEL \\.\c:\somedir\aux

So you should be able to do:

CD \\.\F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1\COM4

to get into it and:

RMDIR \\.\F:\InetPub\ftproot\_bx\051238~2\~tmp\~8283~1.TAG\~BYBRI~1\COM4

to delete the folder once it's empty.
0
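A scripted version of the two techniques this thread arrives at (remove leaves first, then address reserved-name entries such as COM4 through a raw path that skips the device-name check), written as an added example rather than anything posted by jhance or taken from the KB article. It assumes Python 3 and uses the `\\?\` prefix, which like the `\\.\` form quoted above bypasses Win32 name normalization; the directory names are constructed from dabellei's DIR /X /A listing.

```python
import os
import tempfile

# DOS device names Win32 refuses to open through a normal path, with or
# without an extension (COM4, aux.txt). Numbering is 1-9 for COM and LPT.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}


def is_unaddressable(name: str) -> bool:
    """True if a plain Win32 path to this name is rejected or silently rewritten.

    Reserved device names are refused outright; names ending in a dot or a
    space are stripped by the normal path parser, so RD never sees them.
    """
    stem = name.split(".", 1)[0].upper()
    return stem in RESERVED or name != name.rstrip(" .")


def raw_path(path: str) -> str:
    """Prefix an absolute path with \\?\ so Win32 skips device-name checks.

    Only meaningful on Windows; elsewhere the path is returned unchanged so
    the walker below can be exercised on any OS.
    """
    if os.name != "nt" or path.startswith("\\\\?\\"):
        return path
    return "\\\\?\\" + os.path.abspath(path)


def cleanup(root: str, dry_run: bool = True) -> list:
    """Delete everything under root, leaves first; return the paths touched.

    topdown=False is jhance's order: files on the way down, directories on
    the way back up. Walking from the prefixed root means every joined path
    inherits the prefix, so COM4 and friends can be entered and removed.
    """
    top = raw_path(root)
    touched = []
    for dirpath, dirnames, filenames in os.walk(top, topdown=False):
        for name in filenames + dirnames:
            p = os.path.join(dirpath, name)
            if not dry_run:
                (os.rmdir if name in dirnames else os.remove)(p)
            touched.append(p)
    if not dry_run:
        os.rmdir(top)
    touched.append(top)
    return touched


def demo() -> dict:
    """Build a constructed copy of the thread's tree in a temp dir and clean it."""
    base = tempfile.mkdtemp()
    leaf = os.path.join(base, "_bx", "0512381412", "~tmp",
                        "~    .Tagged", "~by Bricole", "com4")
    os.makedirs(raw_path(leaf))  # plain makedirs would choke on com4 on Windows
    flagged = [n for n in leaf.split(os.sep) if is_unaddressable(n)]
    planned = len(cleanup(base, dry_run=True))  # 6 directories plus the root
    cleanup(base, dry_run=False)
    return {"flagged": flagged, "planned": planned, "gone": not os.path.exists(base)}
```

Run `demo()` with `dry_run=True` first on a real tree to review the list before anything is deleted.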
 
LVL 16

Expert Comment

by:GUEEN
ID: 6964443
Thanks jhance for posting my link in your last post!
dabellei - here is rm.exe:
http://www.naturalpondsandlandscapes.com/paq/RM.zip
0
 
LVL 32

Accepted Solution

by:
jhance earned 1600 total points
ID: 6964453
Sorry, not intending to step on any toes.

BTW, you should not need to download rm.exe.  It's included with W2K.

But you don't need it anyway.
0
 
LVL 2

Author Comment

by:dabellei
ID: 6964459
Thanks for your help guys, it did work and everything is clean.

shekerra, I will post another question for you to answer and give you points as well. Thanks to you guys.
0
 
LVL 32

Expert Comment

by:jhance
ID: 6964466
Glad to help. Be sure you close the holes that were used to get into this. It's generally just anonymous FTP with WRITE permissions in the directories. If you want to have FTP, make it read-only for anonymous.
0
 
LVL 16

Expert Comment

by:GUEEN
ID: 6964479
Also be sure to check your ports at http://grc.com/intro.htm
and yes jhance you are welcome.
0