Hacker locked folders - removal

Posted on 2003-03-06
Last Modified: 2008-02-01
Some hackers created a bunch of files and folders on my Win 2000 server.
Those are locked, unremovable.

By renaming in a DOS box and removing with an old DOS tool I could delete a lot of them, but not all.

One of the folders is a 12-level-deep structure like this:

aux \ \ \prn \locked\ nul \locked by\c etc.

I managed to rename the parent, and from within DOS I tried to delete the parent folder with a deltree (from Win 98).
Even this I can't do.

Is there a tool to remove those FXT dirs or a quick method to do so?
I cannot reformat the drive as I would like to, since it holds 100+ gigs of data which takes too long to restore from backup.

Question by:engeltje
 
LVL 9

Expert Comment

by:MSGeek
ID: 8081599
Have you taken ownership of these folders and enabled inheritance and reset permissions?
0
 
LVL 7

Expert Comment

by:YarnoSG
ID: 8081719
I second the MSGeek Proposal, but add that you should be sure you no longer have trojans, etc.  

Virus Scan
Adware Scan
Firewall
Audit Your Permissions, and lock them DOWN!


HTH

-Steven Yarnot
http://yarnosg.home.insightbb.com
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8081871
To add to Steve's input.. you may want to run MSBA as well.
0
 

Expert Comment

by:studios
ID: 8081881
In your DOS window, try navigating down to the directory/directories holding the problem files.  I notice that there are spaces in the names.  Try putting quotes around your command arguments:

cd "aux\\\prn \locked\nul"  for instance

when you get into that directory, you can often work with files using wild cards that you can't reach using individual file names.


Also, the ATTRIB DOS command still works - use it to strip off hidden and read-only attributes.

0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8082054
To add to studio's advice, the "dir /x" command will give you the directory and file names in 8.3 format.
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 8083704
I wouldn't trust that simply removing these folders is going to get rid of your problems. Chances are there is a back door somewhere on your PC that will still be there after these files are gone, and you will see similar ones come right back. Hackers remember where they were able to gain access and they will share that information with others as well.

The first thing I would do if possible is to change the IP on the server so it isn't the same as it was when they obtained access. Then you should seriously consider rebuilding it and properly securing it this time. Being "tagged" usually means you applied little or no security to your server and definitely not up to date with patches and updates.

TKK
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8083773
TKK, where have you been???  I was going to say rebuild as well, but I usually get a grade of C or B when I tell someone that.  They just don't like to hear it.  Good advice as always.
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 8083951
LOL, I know I hate to tell people they should rebuild as well, but I'm only stating exactly what it is that I would do. I've never been "tagged" though, not a company system anyway. I've set up some honeypots before though ;)

I've been getting ready to move. I was laid off from work recently so I've been mostly studying for more letters after my name, hehe. Going to get my MCT & CCSI soon so I can teach. This economy is something else, man, no more jobs where I live so I go to where the jobs are. I haven't had to find a job in about 5 years and things have really changed and not for the better. I'll be lucky if I don't have to take a pay cut 'cause I probably won't be able to walk right into another management position without a degree; I had to be promoted from within like in my last job.

TKK
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8084067
I'm in the same shoes, get ready for a rough ride.  You've got the right idea.  I just wonder, I think sometimes we help those on this site that may be taking a job away from us?

Sorry engeltje for the banter in your question.
0
 
LVL 8

Author Comment

by:engeltje
ID: 8101790
Till now, security is no problem at all. This server is a kind of sandbox server. Everyone may use it. The real server is hidden behind a firewall, behind my security rules. A sandbox server is a fake. Hack it, I don't care, it isn't the real server ;)
The real server has never been hacked nor tagged.
This FTP server is a server which everyone can use. There is no limitation, except that I placed a message on the server stating I can delete content I find which should not be on the server and that they may NOT lock the folders. Just ASK for one and they get one. After hours I pull open the line, so they get full access.

Now, some *ssh*les DID lock folders. I deleted all content I could from these folders, but I seem to be unable (even using old DOS tools) to remove the folders themselves.

I don't want to close down the server. It is better that a portscanner finds a result, and that it results in an open port on a server I don't need. Let them use it, but I don't want offensive content. I want to delete this whenever I feel the need for it. Locking folders I find offensive, knowing they MAY create a folder and use it.
That's why I want those folders gone.
They will come back, I know.
I could restart the server, boot a Linux floppy and kill the content of the folders. Isn't there a possibility or tool for W2K that can kill this folder without restarting the server? I then *could* automate the process.



For now the question is: how to drop those locked folders. I can format the drive but do not want to delete the content from users who did follow the rules.
I don't want to open a port to the real network (for making a copy first) because there is a lot of data on it, and I don't trust the content either. It is a serious risk to pull dangerous content into a secured network.

BTW: I don't take away any jobs... hehe, I have been admin for about 12 years at the same place. If we really got hacked, I wouldn't stop seeking for a solution till I found one. For now, I just have a minor inconvenience, but I want to know, I want to learn to counter this form of dir locking.


0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8103012
What can you tell us about the properties of the folders and related registry entries?  What error do you get when you attempt to delete these particular folders?
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 8103189
Oh ok, I see now, this isn't a situation where a hacker obtained illegal access to your server. This is a public FTP server where someone has uploaded folders, where it acts like you've been tagged. If this is the case then you probably don't have a backdoor trojan. I'm guessing you're getting an "access denied" when trying to delete these folders. Let me confer with some hacking buddies to see if they have any toolz for this and I will get back.

TKK
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 8103254
To create a locked folder in Microsoft Windows, launch Windows Explorer and navigate to the directory one level above the folder you want to lock. Click Run... in the Start menu, type the word command, and press Enter. A command window will open in the folder displayed by Explorer. Suppose the folder's name is Private; enter the command ren private privateX, but instead of typing X, hold down the Alt key and type 255. To unlock the folder from the command prompt, enter ren privateX private (again replacing X with Alt-255). When the folder is locked, Windows won't be able to open it, though it will be visible as Private.

This was something that used to work on 95 & 98, don't know if it will with 2000 but it's worth a try.

TKK
0
 
LVL 9

Accepted Solution

by:
TooKoolKris earned 800 total points
ID: 8103583
Found some things, It's going to require some reading, which in my opinion is always a good thing.

http://securityadmin.info/faq.htm#ftpfolder

http://www.annoyances.org/exec/forum/win2000/r1010722628

Hope these help some,

TKK
0
 
LVL 8

Author Comment

by:engeltje
ID: 8110246
The RM.EXE can delete posix apps.
With this Resource Kit tool, I can delete all invalid folders no matter how deep and how protected the structure is.

Tnx TKK, you helped me out.
I am going to shut down the posix subsystem in NT, so no more hidden folders can be made...

0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 8111129
Cool, I wasn't sure if that was going to do anything for you or not. I'm glad it helped :)

TKK
0
 

Expert Comment

by:manch03
ID: 8544486
Where do I get the rm.exe tool?  I have both the win2000 server resource kit and win2000 professional and I do not see it anywhere.
0
 
LVL 4

Expert Comment

by:jtwine100697
ID: 9788496
  You might want to consider actually using an application that was specifically designed for this purpose:

      http://www.jrtwine.com/Products/DelFXPFiles

   The unregistered (free) version will delete these kinds of files/folders with greater ease.  [Read: not a sales pitch, because a sale is not required to use the product to solve the stated problem!]

   Also, you do *not* need the POSIX subsystem in place to create directories that use reserved identifiers like "NUL", "COM", etc.

   Peace!

-=- James
0
 

Expert Comment

by:gfaccinetto
ID: 11735909
This thing about using dir /x to see folder names in 8.3 format really works.
After knowing the 8.3  folder name, then just delete it by using  rmdir /S /Q  folder~1.nam
0
 
LVL 4

Expert Comment

by:jtwine100697
ID: 11735990
  Using DIR /x to get the shortened filename can still fail if the underlying path is long enough.  Create a path with a length greater than MAX_PATH (259 characters) and you will see what I mean.  Try it with some REALLY long paths, like in excess of 1KB or 2KBs.  

   And yes, it is possible to create paths that long if you know how...  If you do not know how, you cannot make a blanket statement about what will work for all situations.  Just something to think about...

   Peace!

-=- James.
0
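The three ways a folder in this thread becomes "locked" are all tricks against Win32 path parsing rather than NTFS itself: a component that is a reserved device name (aux, prn, nul, COM1..9, LPT1..9, with or without an extension or trailing spaces), a component ending in a space or dot (which the normal API silently strips, so the real name can never be typed), and a path longer than MAX_PATH, which is jtwine's objection to relying on dir /x short names. The Alt+255 rename TKK describes is a fourth variant: in an OEM code page console that key produces the non-breaking space (U+00A0), which is invisible in listings and cannot be retyped. The extended-length prefix \\?\ hands the path to NTFS without that parsing, which is both how such names get created without POSIX and how they can be removed with rd /s /q and no Resource Kit tool. The Python below is an added example, not code from the thread or from any product named in it. It classifies a constructed path modelled on the one in the question and builds the \\?\ form and the cmd.exe line; only the string handling runs on any OS, and remove_tree (which relies on shutil.rmtree accepting a \\?\ path on Windows) has to run on the server itself.

```python
r"""Added example: classify Windows directory names that a normal Win32
path parse cannot address, and build the extended-length (\\?\) form that
hands the raw name to NTFS instead. Only the string handling is portable;
deletion itself has to run on the Windows host."""
import ntpath
import os
import shutil

# Device names Win32 reserves in every directory, with or without an
# extension and regardless of case or trailing spaces.
RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
MAX_PATH = 260      # Win32 limit, counting the terminating NUL
NBSP = "\u00a0"     # what Alt+255 types in an OEM code page console

# Constructed path that mirrors the layout described in the question.
SAMPLE = r"C:\ftproot\aux\ \ \prn \locked\nul"


def components(path):
    """Split a Windows path on either separator, drive letter first."""
    return path.replace("/", "\\").split("\\")


def is_reserved_device(name):
    """True for NAME, NAME.ext and NAME followed by spaces."""
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED


def classify(path):
    """List the reasons the normal Win32 API cannot open or delete path."""
    reasons = []
    for name in components(path)[1:]:           # skip the drive
        if is_reserved_device(name):
            reasons.append(f"reserved device name: {name!r}")
        elif name != name.rstrip(" ."):
            reasons.append(f"trailing space or dot (Win32 strips it): {name!r}")
        if NBSP in name or any(ord(c) < 32 for c in name):
            reasons.append(f"invisible or control character: {name!r}")
    if len(path) + 1 > MAX_PATH:
        reasons.append(f"longer than MAX_PATH: {len(path)} characters")
    return reasons


def extended_path(path):
    r"""Prefix with \\?\ so the path bypasses Win32 name normalisation.

    The prefix requires an absolute path; UNC paths become \\?\UNC\server\share.
    """
    path = path.replace("/", "\\")
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):
        return "\\\\?\\UNC\\" + path[2:]
    if not ntpath.isabs(path) or ntpath.splitdrive(path)[0] == "":
        raise ValueError(f"need an absolute drive path, got {path!r}")
    return "\\\\?\\" + path


def rd_command(path):
    """cmd.exe line for the same removal; the quotes keep embedded spaces."""
    return f'rd /s /q "{extended_path(path)}"'


def remove_tree(path):
    """Remove the tree on the Windows host through the extended-length path."""
    if os.name != "nt":
        raise OSError("extended-length deletion only works on Windows")
    shutil.rmtree(extended_path(path))


if __name__ == "__main__":
    for reason in classify(SAMPLE):
        print(reason)
    print(rd_command(SAMPLE))
```

Running it against the sample path reports five offending components (aux, the two single-space folders, "prn " and nul) and prints rd /s /q "\\?\C:\ftproot\aux\ \ \prn \locked\nul", which is the line to paste into a cmd window on the server. Because \\?\ also disables the 259-character limit, the same command works on the over-long paths that defeat the dir /x short-name approach; the one thing it insists on is an absolute path, which is why extended_path refuses relative ones.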
 

Expert Comment

by:gfaccinetto
ID: 11736386
I couldn't find the place where I wrote that this will work for ALL SITUATIONS. It worked with some tests I made. Sorry if my non-scientific method disturbs you in any way.  

For those non-enlightened who look for a fast solution, you may give it a try with dir /x and rmdir /S /Q. If it works, you don't need to download or even buy DelFXPFiles. If it doesn't, then ask James for wiser advice.

PEACE!

gf
0
 
LVL 4

Expert Comment

by:jtwine100697
ID: 11736537
  My post was a general comment, not addressed to anyone in particular, just in case anyone continues to be confused about that.  Its purpose was the same as most of my other post(s): to enlighten others, and point out about common, but incorrect, assumptions and beliefs.  

   However, you raise an interesting point, 'gfaccinetto'; you wrote:

>         "This thing about using dir /x to see folder names in 8.3 format really works."

   "Really works" for what?  No situations, all situations, your situation...?  What situation or situations were you referring to here?

   Lastly, shouting (i.e. ALL CAPS) is generally demonstrative of a lack or loss of control.  Coupled with a (poor) attempt at sarcasm, it places you in a bad light.  -- You might want to project a more professional look in the future.  

   Peace!

-=- James.
0
 

Expert Comment

by:gfaccinetto
ID: 11737714
Now you're complaining because I ignored netiquette rules and because of my not-so-good sarcasm.  Never seen this kind of jerk before!

You may say I lose control because I don't observe netiquette rules and whatever, but not because you think you know about some topics may you be so arrogant with your postings. You're not even within the best ranked at Experts Exchange, so how do you pretend to "enlighten" others?    I can tell you about a very important lack of knowledge you have, and it is about using polite manners to make your contributions.

You might want to think  about that before just spilling a solution.



0
 
LVL 4

Expert Comment

by:jtwine100697
ID: 11739466
>> Now you're complaining because I ignored netiquette rules and
>> because of my not-so-good sarcasms.

You seem to be somewhat confused; I complained about nothing.  I stated the purpose of my posts, and made an observation regarding yours (an observation, not a critique; note the difference).  Please read it again until this becomes clear.  Also, netiquette has a time and place.  I do not expect "netiquette", or even "polite", here on EE, I expect professionalism.  Being professional and being "nice"/"polite" are two very different things, despite what the naïve may have you believe.

For example, being professional is pointing out possible flaws in a solution before someone wastes their time trying it out, or finding out that, despite any evidence to the contrary, it may fail under certain situations.  I have seen your proposed solution fail, I brought that fact to your attention.  It is then your place to learn from that knowledge.  Being professional also means clarifying unknowns, hence my previous (and, for some unknown reason, *still* unanswered) question to you regarding what situations your solution "really works" for.

>> You're not even within the best ranked at Experts Exchange, so how do
>> you pretend to "enlighten" others

When I first started at EE, I was quite active.  Then it degraded into a place where some so-called experts, who lack the technical acumen to be considered an "expert", posted so-called solutions which were, to be quite frank, "half-assed" most of the time, and never considered that just because something "works" does not mean that it is correct.  Then came posts from "Admins" and users that had absolutely no business participating in a thread, thus ruining it.

You might want to actually read the items that I participated in before rendering an opinion on me.  

Lastly, I do not have to be "within the best ranked" in order to be helpful.  I am certain that you have some knowledge that others could benefit from, or experience with a particular problem, despite having an expert score of zero, right?  To assume otherwise would be terribly naïve.  All that is required is that I (1) have knowledge of the problem at hand, (2) have experience with solutions to/for it, which results in (3) having the wisdom to provide a good solution to the problem.  Not just a solution, a *good* solution.  Anything else is a waste of time.

Please refrain from personal attacks in the future.  I have not done so to you (yet), so it is neither professional nor considered proper "netiquette" for you to do so.

Peace!

-=- James.
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 11740603
Gentlemen.. it takes two to tango, please leave it be.  Let this be the last word on the subject.  Thanks, MSGeek.
0
