  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2360

Hacker-locked folders - removal

Some hackers created a bunch of files and folders on my Win 2000 server.
Those are locked and unremovable.

By renaming in a DOS box and removing with an old DOS tool I could delete a lot of them, but not all.

One of the folders is a 12-levels-deep structure like this:

aux \ \ \prn \locked\ nul \locked by\c etc.

I managed to rename the parent, and from within DOS I tried to delete the parent folder with a deltree (from Win 98).
Even this I can't do.

Is there a tool to remove those FXP dirs or a quick method to do so?
I cannot reformat the drive as I normally would; it holds 100+ gigs of data, which takes too long to restore from backup.

Asked by: engeltje

1 Solution

MSGeek commented:
Have you taken ownership of these folders and enabled inheritance and reset permissions?

YarnoSG commented:
I second MSGeek's proposal, but add that you should make sure you no longer have trojans, etc.

Virus Scan
Adware Scan
Firewall
Audit Your Permissions, and lock them DOWN!


HTH

-Steven Yarnot
http://yarnosg.home.insightbb.com

MSGeek commented:
To add to Steve's input, you may want to run MBSA as well.

studios commented:
In your DOS window, try navigating down to the directory/directories holding the problem files.  I notice that there are spaces in the names.  Try putting quotes around your command arguments:

cd "aux\\\prn \locked\nul"  for instance

when you get into that directory, you can often work with files using wild cards that you can't reach using individual file names.


Also, the ATTRIB DOS command still works - use it to strip off hidden and read-only attributes.


MSGeek commented:
To add to studio's advice, the "dir /x" command will give you the directory and file names in 8.3 format.

TooKoolKris commented:
I wouldn't trust that simply removing these folders is going to get rid of your problems; chances are there is a back door somewhere on your PC that will still be there after these files are gone, and you will see similar ones come right back. Hackers remember where they were able to gain access, and they will share that information with others as well.

The first thing I would do, if possible, is change the IP on the server so it isn't the same as it was when they obtained access. Then you should seriously consider rebuilding it and properly securing it this time. Being "tagged" usually means you applied little or no security to your server and were definitely not up to date with patches and updates.

TKK

MSGeek commented:
TKK, where have you been???  I was going to say rebuild as well, but I usually get a grade of C or B when I tell someone that.  They just don't like to hear it.  Good advice as always.

TooKoolKris commented:
LOL, I know, I hate to tell people they should rebuild as well, but I'm only stating exactly what it is that I would do. I've never been "tagged" though, not on a company system anyway; I've set up some honeypots before though ;)

I've been getting ready to move. I was laid off from work recently, so I've been mostly studying for more letters after my name, hehe. Going to get my MCT & CCSI soon so I can teach. This economy is something else, man; no more jobs where I live, so I go to where the jobs are. I haven't had to find a job in about 5 years and things have really changed, and not for the better. I'll be lucky if I don't have to take a pay cut, because I probably won't be able to walk right into another management position without a degree; I have to be promoted from within like in my last job.

TKK

MSGeek commented:
I'm in the same shoes; get ready for a rough ride. You've got the right idea. I just wonder: I think sometimes we help people on this site who may be taking a job away from us?

Sorry engeltje for the banter in your question.

engeltje (Author) commented:
Till now, security is no problem at all. This server is a kind of sandbox server. Everyone may use it. The real server is hidden behind a firewall, behind my security rules. A sandbox server is a fake. Hack it, I don't care, it isn't the real server ;)
The real server has never been hacked nor tagged.
This FTP server is a server which everyone can use. There is no limitation, except that I placed a message on the server stating I can delete content I find which should not be on the server, and that they may NOT lock the folders. Just ASK for one and they get one. After hours I pull open the line, so they get full access.

Now, some *ssh*les DID lock folders. I deleted all the content I could from these folders, but I seem to be unable (even using old DOS tools) to remove the folders themselves.

I don't want to close down the server. It is better that a portscanner finds a result, and it results in an open port on a server I don't need. Let them use it, but I don't want offensive content. I want to delete this whenever I feel the need for it. Locking folders I find offensive, knowing they MAY create a folder and use it.
That's why I want those folders gone.
They will come back, I know.
I could restart the server, boot a Linux floppy and kill the content of the folders. Isn't there a possibility or tool for W2K to kill this folder without restarting the server? I then *could* automate the process.

For now the question is: how to drop those locked folders. I can't format the drive, as I do not want to delete the content from users who did follow the rules.
I don't want to open a port to the real network (for making a copy first) because there is a lot of data on it, and I don't trust the content either. It is a serious risk to pull dangerous content into a secured network.

BTW: I don't take away any jobs... hehe, I have been admin for about 12 years at the same place. If we really got hacked, I wouldn't stop seeking a solution till I found one. For now, I just have a minor inconvenience, but I want to know, I want to learn to counter this form of dir-locking.



MSGeek commented:
What can you tell us about the properties of the folders and related registry entries? What error do you get when you attempt to delete these particular folders?

TooKoolKris commented:
Oh ok, I see now, this isn't a situation where a hacker obtained illegal access to your server. This is a public FTP server where someone has uploaded folders, where it looks like you've been tagged. If this is the case then you probably don't have a backdoor trojan. I'm guessing you're getting an "access denied" when trying to delete these folders. Let me confer with some hacking buddies to see if they have any toolz for this and I will get back.

TKK

TooKoolKris commented:
To create a locked folder in Microsoft Windows, launch Windows Explorer and navigate to the directory one level above the folder you want to lock. Click Run... in the Start menu, type the word command, and press Enter. A command window will open in the folder displayed by Explorer. Suppose the folder's name is Private; enter the command ren private privateX, but instead of typing X, hold down the Alt key and type 255. To unlock the folder from the command prompt, enter ren privateX private (again replacing X with Alt-255). When the folder is locked, Windows won't be able to open it, though it will be visible as Private.

This was something that used to work on 95 & 98, don't know if it will with 2000 but it's worth a try.

TKK

TooKoolKris commented:
Found some things. It's going to require some reading, which in my opinion is always a good thing.

http://securityadmin.info/faq.htm#ftpfolder

http://www.annoyances.org/exec/forum/win2000/r1010722628

Hope these help some,

TKK

engeltje (Author) commented:
The RM.EXE can delete POSIX apps.
With this Resource Kit tool, I can delete all invalid folders no matter how deep and how protected the structure is.

Thanks TKK, you helped me out.
I am going to shut down the POSIX subsystem in NT, so no more hidden folders can be made...


TooKoolKris commented:
Cool, I wasn't sure if that was going to do anything for you or not. I'm glad it helped :)

TKK

manch03 commented:
Where do I get the rm.exe tool?  I have both the win2000 server resource kit and win2000 professional and I do not see it anywhere.

jtwine100697 commented:
  You might want to consider actually using an application that was specifically designed for this purpose:

      http://www.jrtwine.com/Products/DelFXPFiles

   The unregistered (free) version will delete these kinds of files/folders with greater ease.  [Read: not a sales pitch, because a sale is not required to use the product to solve the stated problem!]

   Also, you do *not* need the POSIX subsystem in place to create directories that use reserved identifiers like "NUL", "COM", etc.

   Peace!

-=- James

gfaccinetto commented:
This thing about using dir /x to see folder names in 8.3 format really works.
After knowing the 8.3 folder name, then just delete it by using rmdir /S /Q folder~1.nam

jtwine100697 commented:
Using DIR /x to get the shortened filename can still fail if the underlying path is long enough. Create a path with a length greater than MAX_PATH (259 characters) and you will see what I mean. Try it with some REALLY long paths, like in excess of 1 KB or 2 KB.

And yes, it is possible to create paths that long if you know how... If you do not know how, you cannot make a blanket statement about what will work for all situations. Just something to think about...

   Peace!

-=- James.
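Editor's note, added example (not code from this thread, from the Resource Kit, or from DelFXPFiles). The three posts above describe the same underlying problem from different angles: directory names that are DOS device names ("aux", "prn", "nul", COMn, LPTn) or carry trailing spaces/dots can be created by an FTP or POSIX client without any POSIX subsystem, and the `dir /x` 8.3 trick stops working once a path passes MAX_PATH. The Win32 mechanism that sidesteps all of these at once is the `\\?\` extended-length prefix, which hands the name to the file system verbatim (no device lookup, no trailing-space trimming, no 259-character limit). The thread itself never mentions it; from practice, cmd.exe's `rd /s /q "\\?\D:\path\aux "` removes such trees in place, without a reboot. The script below is pure string logic so it runs anywhere: it takes a `dir /s /b /ad`-style listing (the sample listing is constructed for this example, modelled on the "aux \ \ \prn \locked\ nul" tree in the question), flags the directories cmd.exe cannot address by their plain name, and emits one `rd` command per top-most stuck directory.

```python
r"""
Added example, not code from this thread or from any tool named in it.

Finds directory names that ordinary Win32 path handling cannot open or
delete (the DOS device names "aux", "prn", "nul", "COMn", "LPTn"; names with
trailing spaces or dots; paths at or beyond MAX_PATH) and builds the
extended-length "\\?\" form of each path, which is what cmd.exe's
"rd /s /q" needs to remove them.  Pure string logic, so it runs anywhere;
the directory listing at the bottom is constructed for the example.
"""
import re

# Names Win32 resolves to legacy devices in any directory.  "aux.txt" and
# "prn " (trailing space) count too: the extension and trailing spaces are
# ignored before the comparison.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

MAX_PATH = 260  # includes the terminating NUL, so 259 usable characters


def is_reserved_device(name: str) -> bool:
    """True if Win32 treats this path component as a DOS device name."""
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICES


def is_unreachable_component(name: str) -> bool:
    r"""True if a normal (non-\\?\) Win32 path cannot name this component.

    Win32 normalisation also strips trailing dots and spaces, so "locked "
    can be created by an FTP or POSIX client yet never opened as "locked ".
    Empty components come from doubled backslashes.
    """
    return name == "" or is_reserved_device(name) or name != name.rstrip(" .")


def path_components(path: str) -> list:
    r"""Literal components below the root of D:\... or \\server\share\..."""
    parts = path.split("\\")
    if re.fullmatch(r"[A-Za-z]:", parts[0]):
        return parts[1:]
    if parts[:2] == ["", ""] and len(parts) >= 4:
        return parts[4:]
    raise ValueError(f"need an absolute drive or UNC path: {path!r}")


def extended_path(path: str) -> str:
    r"""Return the \\?\ form of an absolute path.

    With this prefix the name goes to NTFS verbatim: no device lookup, no
    trailing-space trimming, and a ~32K character limit instead of MAX_PATH.
    """
    if path.startswith("\\\\?\\"):
        return path
    if re.match(r"[A-Za-z]:\\", path):      # D:\ftp\...
        return "\\\\?\\" + path
    if path.startswith("\\\\"):             # \\server\share\...
        return "\\\\?\\UNC\\" + path[2:]
    raise ValueError(f"need an absolute drive or UNC path: {path!r}")


def find_stuck_paths(listing: list) -> list:
    """From a 'dir /s /b /ad' style listing, keep the directories that
    cmd.exe cannot address by their plain name."""
    return [
        p for p in listing
        if len(p) >= MAX_PATH
        or any(is_unreachable_component(c) for c in path_components(p))
    ]


def delete_commands(listing: list) -> list:
    """One 'rd /s /q' per top-most stuck directory; /s covers the children."""
    commands, covered = [], []
    for p in sorted(find_stuck_paths(listing), key=len):   # parents are shorter
        if any(p.startswith(parent + "\\") for parent in covered):
            continue
        covered.append(p)
        commands.append(f'rd /s /q "{extended_path(p)}"')
    return commands


# Constructed sample listing (directories only), modelled on the thread's
# "aux \ \ \prn \locked\ nul" tree.  Not a real server's content.
SAMPLE_LISTING = [
    r"D:\ftp\incoming\docs",
    r"D:\ftp\incoming\good user",
    r"D:\ftp\incoming\aux ",
    r"D:\ftp\incoming\aux \ ",
    r"D:\ftp\incoming\aux \ \ ",
    r"D:\ftp\incoming\aux \ \ \prn ",
    r"D:\ftp\incoming\aux \ \ \prn \locked",
    r"D:\ftp\incoming\aux \ \ \prn \locked\nul ",
    r"D:\ftp\incoming\NUL.bak",
    r"D:\ftp\incoming\warez\COM1",
    "D:\\ftp\\incoming\\" + "x" * 280,   # legal on NTFS, over MAX_PATH for cmd.exe
]

if __name__ == "__main__":
    for line in delete_commands(SAMPLE_LISTING):
        print(line)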
 
gfaccinetto commented:
I couldn't find the place where I wrote that this will work for ALL SITUATIONS. It worked with some tests I made. Sorry if my non-scientific method disturbs you in any way.

For those non-enlightened who look for a fast solution, you may give a try to dir /x and rmdir /S /Q. If it works, you don't need to download or even buy DelFXPFiles. If it doesn't, then ask James for wiser advice.

PEACE!

gf

jtwine100697 commented:
  My post was a general comment, not addressed to anyone in particular, just in case anyone continues to be confused about that.  Its purpose was the same as most of my other post(s): to enlighten others, and point out about common, but incorrect, assumptions and beliefs.  

   However, you raise an interesting point, 'gfaccinetto'; you wrote:

>         "This thing about using dir /x to see folder names in 8.3 format really works."

   "Really works" for what?  No situations, all situations, your situation...?  What situation or situations were you referring to here?

   Lastly, shouting (i.e. ALL CAPS) is generally demonstrative of a lack or loss of control.  Coupled with a (poor) attempt at sarcasm, it places you in a bad light.  -- You might want to project a more professional look in the future.  

   Peace!

-=- James.

gfaccinetto commented:
Now you're complaining because I ignored netiquette rules and because of my not-so-good sarcasm. Never seen this kind of jerk before!

You may say I lose control because I don't observe netiquette rules and whatever, but not because you think you know about some topics may you be so arrogant with your postings. You're not even within the best ranked at Experts Exchange, so how do you pretend to "enlighten" others? I can tell you about a very important lack of knowledge you have, and it is about using polite manners to make your contributions.

You might want to think  about that before just spilling a solution.




jtwine100697 commented:
>> Now you're complaining because I ignored netiquette rules and
>> because of my not-so-good sarcasms.

You seem to be somewhat confused; I complained about nothing.  I stated the purpose of my posts, and made an observation regarding yours (an observation, not a critique; note the difference).  Please read it again until this becomes clear.  Also, netiquette has a time and place.  I do not expect "netiquette", or even "polite", here on EE, I expect professionalism.  Being professional and being "nice"/"polite" are two very different things, despite what the naïve may have you believe.

For example, being professional is pointing out possible flaws in a solution before someone wastes their time trying it out, or finding out that, despite any evidence to the contrary, it may fail under certain situations.  I have seen your proposed solution fail, I brought that fact to your attention.  It is then your place to learn from that knowledge.  Being professional also means clarifying unknowns, hence my previous (and, for some unknown reason, *still* unanswered) question to you regarding what situations your solution "really works" for.

>> You're not even within the best ranked at Experts Exchange, so how do
>> you pretend to "enlighten" others

When I first started at EE, I was quite active.  Then it degraded into a place where some so-called experts, who lack the technical acumen to be considered an "expert", posted so-called solutions which were, to be quite frank, "half-assed" most of the time, and never considered that just because something "works" does not mean that it is correct.  Then came posts from "Admins" and users that had absolutely no business participating in a thread, thus ruining it.

You might want to actually read the items that I participated in before rendering an opinion on me.  

Lastly, I do not have to be "within the best ranked" in order to be helpful.  I am certain that you have some knowledge that others could benefit from, or experience with a particular problem, despite having an expert score of zero, right?  To assume otherwise would be terribly naïve.  All that is required is that I (1) have knowledge of the problem at hand, (2) have experience with solutions to/for it, which results in (3) having the wisdom to provide a good solution to the problem.  Not just a solution, a *good* solution.  Anything else is a waste of time.

Please refrain from personal attacks in the future.  I have not done so to you (yet), so it is neither professional nor considered proper "netiquette" for you to do so.

Peace!

-=- James.

MSGeek commented:
Gentlemen.. it takes two to tango, please leave it be.  Let this be the last word on the subject.  Thanks, MSGeek.