COM1 Folder HACKER!!!

Posted on 2003-11-03
Last Modified: 2013-12-04
SORRY, I Only have 150 points...I still really need some assistance

I have a slightly different twist.  When I try to delete the COM1 dir, I get:

 Directory of C:\Inetpub\ftproot

11/03/2003  08:29p      <DIR>          .
11/03/2003  08:29p      <DIR>          ..
11/03/2003  04:10p      <DIR>          COM1
11/09/2000  11:23p              24,576 ForceDel.exe
11/03/2003  08:29p      <DIR>          NtSystemInfo
11/03/2003  08:20p                  56 trash.bat
11/03/2003  08:20p                  87 trash2.bat
               3 File(s)         24,719 bytes
               4 Dir(s)     810,123,264 bytes free

C:\Inetpub\ftproot>del com1
The filename, directory name, or volume label syntax is incorrect.

For a little more detail, read on:

I know very little about hacking or the like. I have a problem I hope someone can help me with.

My FTP server is getting modified by someone or something. I am running IIS on win2k server. I have NAV Corporate Edition 2.7. I have a hardware-based firewall with ports open for FTP, SMTP, POP, HTTP and Terminal Services. I also have Exchange Server running.

Basically, my FTP site in IIS either has its Home Directory changed to some odd path pointing to a COM1 directory. This directory cannot be deleted. Sometimes the FTP server is stopped and a version of serv-u is started on its port of 21. One time, my FTP server had its port changed to 51 and the serv-u took port 21.

I have tried POSIX - keeps telling me that the process cannot start and FPORT which has been useful to track serv-u.

I don't know what else to do. Every time I seem to clear it up, it comes back.
David H. Little
Chief Technology Officer
RXI Software
Question by:rxiuser

Expert Comment

ID: 9675760

Accepted Solution

juliancrawford earned 75 total points
ID: 9675803
I also found this article by Microsoft which relates to your issue ..;en-us;120716

How to Remove Files with Reserved Names in Windows

Applies To
This article was previously published under Q120716
Because programs control the policy for creating files in Windows, files sometimes are created by using names that are not valid or reserved names, such as LPT1 or PRN. This article describes how to delete such files by using the standard user interface.
NOTE: You must be logged on locally to the Windows computer to delete these files.

If the file was created on a file allocation table (FAT) partition, you may be able to delete it under MS-DOS by using standard command line utilities (such as DEL) with wildcard(s). For example:

These commands do not work on an NTFS file system partition as NTFS supports the POSIX subsystem and filenames such as PRN are valid under this subsystem. However, the operating system assumes the program that created them can also delete them; therefore, you can use commands native to the POSIX subsystem.

You can delete (unlink) these files using a simple, native POSIX program. For example, the Windows Resource Kit includes such a tool, Rm.exe.

NOTE: POSIX commands are case sensitive. Drives and folders are referenced differently than in MS-DOS. Windows 2000 and later POSIX commands must use the following usage syntax:
posix /c <path\command> [<args>], i.e.: posix /c c:\rm.exe -d AUX.

Usage assumes Rm.exe is either in the path, or the current folder:
rm -d //driveletter/path using forward slashes/filename

For example, to remove a file or folder named COM1 (located at C:\Program Files\Subdir in this example), type the following command:
rm -d "//C/Program Files/Subdir/COM1"

To remove a folder and all of its contents (C:\Program Files\BadFolder in this example), type the following command:
rm -r "//C/Program Files/BadFolder"

Another option is to use a syntax that bypasses the typical reserved-word checks completely. For example, you can possibly delete any file with a command such as:
DEL \\.\driveletter:\path\filename

For example:
DEL \\.\c:\somedir\aux

If the name in the file system appears as a directory, use the following syntax.

For example, you can possibly delete any directory with a command such as:
RD \\.\<driveletter>:\<path>\<directory name>

For example:
RD \\.\c:\somedir\aux


RmDir \\.\<driveletter>:\<path>\<directory>

For example:
RmDir \\.\C:\YourFTP_ROOT's_PATH\COM1 /s /q

/s - This switch removes all directories and files in the specified directory and also the directory itself. This switch also removes a directory tree.

/q - This switch stands for Quiet mode. It does not ask for confirmation when removing a directory tree with the /s switch.
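As an added example, not part of the question or of any answer above, here is a small Python check a defender could run over an FTP root listing to spot entries with DOS device names (the trick behind the undeletable COM1 folder) and print the \\.\-prefixed DEL / RD commands the KB article describes. The listing is constructed from the directory output in the question; device_path, removal_command and find_reserved_entries are hypothetical helper names.

```python
import re

# Device names Win32 reserves; the check ignores case, an appended extension
# (COM1.txt is still COM1) and trailing dots or spaces.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {"COM%d" % i for i in range(1, 10)}
            | {"LPT%d" % i for i in range(1, 10)})


def is_reserved_name(name):
    """True if `name` would be parsed as a DOS device by a Win32 path call."""
    stem = name.rstrip(" .").split(".")[0]
    return stem.upper() in RESERVED


def device_path(win_path):
    # Prefix an absolute drive path with \\.\ (the Win32 device namespace) so
    # the name parser skips its device-name check, as in the article's examples.
    if not re.match(r"^[A-Za-z]:\\", win_path):
        raise ValueError("expected an absolute path with a drive letter")
    return "\\\\.\\" + win_path


def removal_command(win_path, is_dir):
    """cmd.exe line that removes the entry, mirroring the article's syntax."""
    target = device_path(win_path)
    return ("RD %s /s /q" % target) if is_dir else ("DEL %s" % target)


def find_reserved_entries(listing):
    """listing: {directory: [(name, is_dir), ...]}, a constructed stand-in for
    os.walk() so this runs offline. Returns (full_path, is_dir) pairs."""
    hits = []
    for directory, entries in listing.items():
        for name, is_dir in entries:
            if is_reserved_name(name):
                hits.append((directory + "\\" + name, is_dir))
    return hits


# Constructed listing modelled on the ftproot shown in the question.
SAMPLE = {
    "C:\\Inetpub\\ftproot": [("COM1", True), ("ForceDel.exe", False),
                            ("NtSystemInfo", True), ("trash.bat", False)],
    "C:\\Inetpub\\ftproot\\NtSystemInfo": [("aux.", False), ("lpt1.mp3", False),
                                          ("config.sys", False)],
}

if __name__ == "__main__":
    for path, is_dir in find_reserved_entries(SAMPLE):
        print(removal_command(path, is_dir))
```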

Assisted Solution

SunBow earned 75 total points
ID: 9678509
This is a common problem, try to not feel too bad just yet.  I've seen several tricks such as above, and no sign of it working for asker.  So the cures may be version dependent.

What has happened is you have had the machine set up as a server to allow anyone in the entire world to have free access to your disk drive, whether setup programs were that explicit or not.  Using your freely offered service, some people have found your machine and taken advantage of your offer. This is very legal of course, because you were configured to be so friendly and kind.

Who knows what all they have stored or run on your machine to give them even other rights?  They are minimally in a position to eat up your disk drive with files they may not even care about, and quite often they are large files. If you want to get back at somebody, contact law enforcement in your community. So far what you have said is not a crime. But it is done by those disposed to crimes, for example, in the programs dumped on your machine. If they are music files and you do not report it, the RIAA may sue you for $150K each one. They have a guilty until proven innocent policy, and legal defense to their processes begins at $20K. A separate issue from your liability is that the (legal) intruders are likely to place illegal files on your machine, then come back to pick them up again later. Law enforcement is convicting them by the hundreds, you might want to help get a few more. Your machine, your life. Freedom is so simple, right?

If you just want your life back, I recommend reviewing proper security practices, and reinstall your system using better security. Yes. Completely format. How many other security infractions were there? Best I think to make a clean new start, and don't donate your machine, its cycles, or hard drive, to anonymous users to do with as they please because you trust them.

As you have probably figured out, there are multiple flaws in the MS OS, where files and directories can crop up that are all but impossible for a general user to create, change, delete, rename, etc.  Try to create one of them yourself. Doesn't work, does it?  In addition to those problems, the intruder can use non-displayable characters to increase the problem you have deleting them.  I recommend you not go to battle with them, trying to go toe to toe with these tricks of doings and undoings.  Recognize that some people won't tell you how this is accomplished, because the information can be used by other intruder wannabes who have not been convicted yet.

Answer 1: Format all, reInstall from scratch
Answer 2: Contact law enforcement at a high level

Expert Comment

ID: 9679165
OTOH, Check this site out:

"In the November 2003 survey we received responses from 44,946,965 sites.

Apache has a significant percentage gain this month as, a leading domain registrar with a domain parking system serving responses for over one million domains eliminated its Windows front end, and reverted to Linux and Apache which it ran previously. Barely weeks ago its largest rival, Network Solutions made a similar switch from Microsoft-IIS back to SunOne, nee Netscape-Enterprise, for its own domain parking system.

During 2001 and the first half of 2002 several companies hosting very large numbers of hostnames including Webjump, Namezero, Homestead, and Network Solutions migrated to Microsoft-IIS. Subsequently these businesses have either failed, significantly changed their business model, or reverted to their previous platform, and Microsoft-IIS share is now in line with its long term pre-summer 2001 level of around 20%. "

Look at the graph. Look at the numbers:

                               Top Developers

Developer      October 2003   Percent   November 2003   Percent   Change

Apache             28235972     64.61        30298060     67.41     2.80
Microsoft          10252227     23.46         9449180     21.02    -2.44
SunONE              1528090      3.50         1525202      3.39    -0.11
Zeus                 735179      1.68          743611      1.65    -0.03

Can you think of a reason for these proportions? If you could not before, can you come up with something now?  The top choice is favored over 2 to 1 over a contender. Still.  Why not join the crowd?

Answer 3: Switch to Apache

Expert Comment

ID: 9679250
(or switch to Sun, et al.  From the above, about 80% avoid Microsoft IIS despite its inherent, um, ease of use, attention to security, and suite packaging and marketing.  In all, that is more like a 4-1 vote against the one with the bigger name, which should be considered as significant, despite MS quoting this website as supporting their claim of their company being #1 and over 50%. A claim some of us think is an exaggeration)

Expert Comment

ID: 9681379

on that note:
OS2 Warp is incredibly solid and I have seen a total of 0 vulnerabilities in the OS over the past 5 years.

:) It's what I use for my web server
