win2k server : cannot delete empty folders created by the hackers

Posted on 2004-09-01
Medium Priority
Last Modified: 2007-12-19

My ftp server was hacked and i cannot delete empty folders created by the hackers.

Here is the folder stucture, directories are emprty.

ftproot > (C1C3~1, find using dir /x) > (0303~1, find using dir /x)  > (0200~1, find using dir /x) > com9 > HeHeHe  > con > ScanneD > con > by > lpt3 > JDX > lpt1 > TaGGeD  > com3 > by > com7 > GloomyFigure > aux > (not named) >  with Neo1907´s PuB-tAgGeR > com9 > uPPed > com8 > BY > com7 > GloomyFigure > con

I've tried to find solution with the previous posts but anyone is working for me.

I cannot explore over "C:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot\C1C3~1\0303~1\0200~1":

C:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot\C1C3~1\0303~1\0200~1>cd
The system cannot find the path specified.

Also i tried to delete them using RD and RM commands but anyone was working.

C:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot\C1C3~1\0303~1>rd /s 020
0200~1, Are you sure (Y/N)? y
on - The system cannot find the file specified.
D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9\UPPED~1\com8\BY6C08~1\com7 - The syst
em cannot find the file specified.
D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9\UPPED~1\com8 - The system cannot find
 the file specified.
D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9 - The system cannot find the file spe
D~1\com7\GLOOMY~1\aux - The directory name is invalid.
D~1\com7 - The system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3 - The
 system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1 - The system cannot
 find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3 - The system cannot find the
 file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con - The system cannot find the file specifie
0200~1\com9\HEHEHE~1\con - The system cannot find the file specified.
0200~1\com9 - The system cannot find the file specified.
The process cannot access the file because it is being used by another process.

Thank You,
Question by:donjoan
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4

Expert Comment

ID: 11950387
A few suggestions:

Perhaps you:

A. Are typing the wrong command
B. do not have permission to view/modify files
C. the data could be streamed covertly.

Forgive me if it's a little simple, but I don't know yr skill level. Make sure you read all the way through it before trying any of this. You may not have to go this drastic and it may spark an idea.

1. Ensure you have Administrator access and that there are no additional users with this access (they may have further exploited the machine and created user accounts).

2. Ensure you can see all files through explorer (including hidden and system)

3. Disconnect from the internet, reboot into safe mode and ensure the FTP service is stopped.

4. Copy any data you require from the FTP root sideways into a backup directory (anywhere but within you FTP Root directory! :)

5. Try to delete through DOS. - RM and RD won't work as far as I know as they are Unix commands. Try "DELTREE foldere_name"

WARNING:This will delete all files and folders so BE CAREFUL!!!!

6. Install a firewall and if you must use FTP, ensure both it and windows have been locked down and patched.

7. If all else fails, delete the whole FTP root directory and restore from backup in Step 4

Hope this helps.

5. Open up DOS, get into your FTP root directory ( c:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot )
6. Type: DELTREE folder_name
7. Hit <Enter>

Author Comment

ID: 11950586

I cannot disconnect from the internet to access the system thourgh DOS because we're using hosting service, it's a dedicated server i have Administrator access.

Thank You

Expert Comment

ID: 11951464
how are you accessing the remote system??
and what are the different ways you have available to acces the system.

also you say you have admin rights on the machine,  can you start and stop services?

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)


Author Comment

ID: 11951848

I can only access the server from "Terminal Services" and "FTP", yes i can start and stop services.


Expert Comment

ID: 11952169
in that case,  

I bet there are special characters that are valid for unix/mac but not windows that is making the delete fail.  I have a mixed environment and sometimes have to deal with renaming files on the server  from one machine (unix/mac) so I can use them on another (pc)...  darn trailing periods...  anyway..  

you'll need to kick off all other ftp connections. (to hopefully get rid of files in use..) you might want to temporarily disable logins for all users  but yours.
or disable anonymous..  I don't know how your configured. or limit connections..  you get the drift.

I would use your ftpclinet dujour  and log in with privilege to the ftp server.
change the permissions so you can have full control over the files and folders that you wan to delete
and blow them away with the ftp client.

give it a try , and let us know how it goes.

Author Comment

ID: 11953459
I've tried as you've suggested using wsftp and FalshFXP but i cannot delete it (error message:  folder is not empty)

Expert Comment

ID: 11953590

try using filezilla.
I just tried this with my own ftp server and when I deleted a directory with something in it,
filezilla was happy to decend into the dirs and blow away files.

you can get it here.


I just want to rule out file system damage...  (ie. the os thinks there are files there, but not really.. )


Author Comment

ID: 11954216
I've tried with Filezinna, same things happening:

Status:      Retrieving directory listing...
Command:      CWD /InetPub/
Response:      250 CWD command successful.
Command:      PWD
Response:      257 "/InetPub" is current directory.
Status:      Directory listing successful
Command:      RMD /InetPub/2300
Response:      550 /InetPub/2300: The directory is not empty.

Thank You

Accepted Solution

tanelorn earned 2000 total points
ID: 11954361
in filezilla while you are connected,
click on view, and then click on "show hidden files"

and see if there is anything there...

I'm running out of ideas...


Author Comment

ID: 11957131

I've tried but it didn't show any file and i've temp. fixed this problem by renaming the parent folder using ftp client and create a new site (new ftproot folder), the site is working now.

Thank you for your help!


Featured Post

Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question