Solved

# COM1 Folder HACKER!!!

Posted on 2003-11-03
SORRY, I Only have 150 points...I still really need some assistance

I have a slightly different twist.  When I try to delete the COM1 dir, I get:

```
Directory of C:\Inetpub\ftproot

11/03/2003  08:29p      <DIR>          .
11/03/2003  08:29p      <DIR>          ..
11/03/2003  04:10p      <DIR>          COM1
11/09/2000  11:23p              24,576 ForceDel.exe
11/03/2003  08:29p      <DIR>          NtSystemInfo
11/03/2003  08:20p                  56 trash.bat
11/03/2003  08:20p                  87 trash2.bat
3 File(s)         24,719 bytes
4 Dir(s)     810,123,264 bytes free

C:\Inetpub\ftproot>del com1
The filename, directory name, or volume label syntax is incorrect.
```

For a little more detail, read on:

I know very little about hacking or the like. I have a problem I hope someone can help me with.

My FTP server is getting modified by someone or something. I am running IIS on win2k server. I have NAV Corporate Edition 2.7. I have a hardware-based firewall with ports open for FTP, SMTP, POP, HTTP and Terminal Services. I also have Exchange Server running.

Basically, my FTP site in IIS either has its Home Directory changed to some odd path pointing to a COM1 directory. This directory cannot be deleted. Sometimes the FTP server is stopped and a version of serv-u is started on its port of 21. One time, my FTP server had its port changed to 51 and the serv-u took port 21.

I have tried POSIX - keeps telling me that the process cannot start and FPORT which has been useful to track serv-u.

I don't know what else to do. Every time I seem to clear it up, it comes back.
_________________
David H. Little
Chief Technology Officer
RXI Software
0
Question by:rxiuser

LVL 5

Accepted Solution

juliancrawford earned 75 total points
I also found this article by Microsoft which relates to your issue ..
http://support.microsoft.com/default.aspx?scid=kb;en-us;120716

How to Remove Files with Reserved Names in Windows

Applies To
This article was previously published under Q120716
SUMMARY
Because programs control the policy for creating files in Windows, files sometimes are created by using names that are not valid or reserved names, such as LPT1 or PRN. This article describes how to delete such files by using the standard user interface.
NOTE: You must be logged on locally to the Windows computer to delete these files.

If the file was created on a file allocation table (FAT) partition, you may be able to delete it under MS-DOS by using standard command line utilities (such as DEL) with wildcard(s). For example:
```
DEL PR?.*
```

-or-

```
DEL LPT?.*
```

These commands do not work on an NTFS file system partition as NTFS supports the POSIX subsystem and filenames such as PRN are valid under this subsystem. However, the operating system assumes the program that created them can also delete them; therefore, you can use commands native to the POSIX subsystem.

You can delete (unlink) these files using a simple, native POSIX program. For example, the Windows Resource Kit includes such a tool, Rm.exe.

NOTE: POSIX commands are case sensitive. Drives and folders are referenced differently than in MS-DOS. Windows 2000 and later POSIX commands must use the following usage syntax:
`posix /c <path\command> [<args>]` IE: `posix /c c:\rm.exe -d AUX`.

Usage assumes Rm.exe is either in the path, or the current folder:

```
rm -d //driveletter/path using forward slashes/filename
```

For example, to remove a file or folder named COM1 (located at C:\Program Files\Subdir in this example), type the following command:

```
rm -d "//C/Program Files/Subdir/COM1"
```

To remove a folder and all of its contents (C:\Program Files\BadFolder in this example), type the following command:

```
rm -r "//C/Program Files/BadFolder"
```

Another option is to use a syntax that bypasses the typical reserve-word checks completely. For example, you can possibly delete any file with a command such as:

```
DEL \\.\driveletter:\path\filename
```

For example:

```
DEL \\.\c:\somedir\aux
```

If the name in the file system appears as a directory, use the following syntax.

For example, you can possibly delete any directory with a command such as:

```
RD \\.\<driveletter>:\<path>\<directory name>
```

For example:

```
RD \\.\c:\somedir\aux
```

-or-

```
RmDir \\.\<driveletter>:\<path>\<directory>
```

For example:

```
RmDir \\.\C:\YourFTP_ROOT's_PATH\COM1 /s /q
```

`/s` - This switch removes all directories and files in the specified directory and also the directory itself. This switch also removes a directory tree.

`/q` - This switch stands for Quiet mode. Do not ask if you can remove a directory tree that contains the /s switch.
0

LVL 24

Assisted Solution

SunBow earned 75 total points
This is a common problem, try to not feel too bad just yet.  I've seen several tricks such as above, and no sign of it working for asker.  So the cures may be version dependent.

What has happened, is you have had the machine set up as a server to allow anyone in the entire world to have free access to your disk drive, whether setup programs were that explicit or not.  Using your freely offered service, some people have found your machine and taken advantage of your offer. This is very legal of course, because you were configured to be so friendly and kind.

Who knows what all they have stored or run on your machine to give them even other rights?  They are minimally in a position to eat up your disk drive with files they may not even care about, and quite often they are large files. If you want to get back at somebody, contact law enforcement in your community. So far what you have said is not a crime. But it is done by those disposed to crimes, for example, in the programs dumped on your machine. If they are music files and you do not report it, the RIAA may sue you for $150K each one. They have a guilty until proven innocent policy, and legal defense to their processes begin at $20K. A separate issue from your liability is that the (legal) intruders are likely to place illegal files on your machine, then come back to pick them up again later. Law enforcement is convicting them by the hundreds, you might want to help get a few more. Your machine, your life. Freedom is so simple, right?

If you just want your life back, I recommend reviewing proper security practices, and reinstall your system using better security. Yes. Completely format. How many other security infractions were there? Best I think to make a clean new start, and don't donate your machine, its cycles, or hard drive, to anonymous users to do with as they please because you trust them.

As you have probably figured out, there are multiple flaws in the MS OS, where files and directories can crop up that are all but impossible for a general user to create, change, delete, rename, etc.  Try to create one of them yourself. Doesn't work, does it.  In addition to those problems, the intruder can use non-displayable characters to increase the problem you have deleting them.  I recommend you not go to battle with them, trying to go toe for toe with these tricks of doings and undoings.  Recognize that some people won't tell you how this is accomplished, because the information can be used by other intruder wannabes who have not been convicted yet.

Answer 1: Format all, reInstall from scratch
Answer 2: Contact law enforcement at a high level
0
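
The name checks behind the two answers above, as an added example that is not part of the thread or of the Microsoft article: Python functions that flag directory entries ordinary `DEL`/`RD` cannot address (reserved device names from the article, non-displayable characters from the second answer) and build the `\\.\` path the article describes. It goes slightly beyond the thread by also flagging trailing dots and spaces; `SAMPLE` is the asker's listing plus three constructed entries, and all function names are this example's own.

```python
import unicodedata

# DOS device names that the Win32 path parser intercepts, with or without an extension.
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)),
            *(f"LPT{i}" for i in range(1, 10))}

def _hidden(ch):
    """True for control/format characters and for whitespace other than a plain space."""
    return unicodedata.category(ch) in ("Cc", "Cf") or (ch.isspace() and ch != " ")

def classify(name):
    """Return the reasons an entry name resists ordinary DEL/RD (empty list = normal)."""
    reasons = []
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    if stem in RESERVED:
        reasons.append("reserved-device-name")
    if name not in (".", "..") and name[-1:] in (".", " "):
        reasons.append("trailing-dot-or-space")
    if any(_hidden(ch) for ch in name):
        reasons.append("non-displayable-char")
    return reasons

def device_path(parent, name):
    r"""Build the \\.\drive:\path\name form the KB article passes to DEL and RD."""
    return "\\\\.\\" + parent.rstrip("\\") + "\\" + name

def audit(parent, names):
    """Return (name, reasons, device_path) for every flagged name under parent."""
    return [(n, classify(n), device_path(parent, n)) for n in names if classify(n)]

# Constructed sample: the asker's listing plus three invented entries (last three).
SAMPLE_ROOT = "C:\\Inetpub\\ftproot"
SAMPLE = ["COM1", "ForceDel.exe", "NtSystemInfo", "trash.bat", "trash2.bat",
          "lpt3.txt", "backup.", "pub\u00a0"]

if __name__ == "__main__":
    for name, reasons, path in audit(SAMPLE_ROOT, SAMPLE):
        # repr() makes hidden characters such as \xa0 visible in the report
        print(f"{name!r:12} {', '.join(reasons):40} {path!r}")
```
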

LVL 24

Expert Comment

OTOH, Check this site out:
http://news.netcraft.com/archives/2003/11/index.html

"In the November 2003 survey we received responses from 44,946,965 sites.

Apache has a significant percentage gain this month as register.com, a leading domain registrar with a domain parking system serving responses for over one million domains eliminated its Windows front end, and reverted to Linux and Apache which it ran previously. Barely weeks ago its largest rival, Network Solutions made a similar switch from Microsoft-IIS back to SunOne, nee Netscape-Enterprise, for its own domain parking system.

During 2001 and the first half of 2002 several companies hosting very large numbers of hostnames including Webjump, Namezero, Homestead, register.com and Network Solutions migrated to Microsoft-IIS. Subsequently these businesses have either failed, significantly changed their business model, or reverted to their previous platform, and Microsoft-IIS share is now in line with its long term pre-summer 2001 level of around 20%. "

Look at the graph. Look at the numbers:

Top Developers

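| Developer | October 2003 | Percent | November 2003 | Percent | Change |
|-----------|--------------|---------|---------------|---------|--------|
| Apache    | 28235972     | 64.61   | 30298060      | 67.41   | 2.80   |
| Microsoft | 10252227     | 23.46   | 9449180       | 21.02   | -2.44  |
| SunONE    | 1528090      | 3.50    | 1525202       | 3.39    | -0.11  |
| Zeus      | 735179       | 1.68    | 743611        | 1.65    | -0.03  |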

Can you think of a reason for these proportions? If you could not before, can you come up with something now?  The top choice favored over 2 to 1 over a contender. Still.  Why not join the crowd.

Answer 3: Switch to Apache
0

LVL 24

Expert Comment

(or switch to Sun, et al.  From the above, about 80% avoid Microsoft IIS despite its inherent, um, ease of use, attention to security, and suite packaging and marketing.  In all, that is more like a 4-1 vote against the one with the bigger name, which should be considered as significant, despite MS quoting this website as supporting their claim of their company being #1 and over 50%. A claim some of us think is an exaggeration)
0

LVL 8

Expert Comment

on that note:
OS2 warp is incredibly solid and I have seen a total of 0 vulnerabilities in the OS over the past 5 years.

:) it's what I use for my web server
0
