Solved

win2k server : cannot delete empty folders created by the hackers

Posted on 2004-09-01
10
264 Views
Last Modified: 2007-12-19
Hello

My ftp server was hacked and i cannot delete empty folders created by the hackers.

Here is the folder stucture, directories are emprty.

ftproot > (C1C3~1, find using dir /x) > (0303~1, find using dir /x)  > (0200~1, find using dir /x) > com9 > HeHeHe  > con > ScanneD > con > by > lpt3 > JDX > lpt1 > TaGGeD  > com3 > by > com7 > GloomyFigure > aux > (not named) >  with Neo1907´s PuB-tAgGeR > com9 > uPPed > com8 > BY > com7 > GloomyFigure > con

I've tried to find solution with the previous posts but anyone is working for me.

I cannot explore over "C:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot\C1C3~1\0303~1\0200~1":

**********************
C:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot\C1C3~1\0303~1\0200~1>cd
 com9
The system cannot find the path specified.
******************************

Also i tried to delete them using RD and RM commands but anyone was working.

********************************
C:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot\C1C3~1\0303~1>rd /s 020
0~1
0200~1, Are you sure (Y/N)? y
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3\BYC31
D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9\UPPED~1\com8\BY6C08~1\com7\GLOOMY~1\c
on - The system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3\BYC31
D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9\UPPED~1\com8\BY6C08~1\com7 - The syst
em cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3\BYC31
D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9\UPPED~1\com8 - The system cannot find
 the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3\BYC31
D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9 - The system cannot find the file spe
cified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3\BYC31
D~1\com7\GLOOMY~1\aux - The directory name is invalid.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3\BYC31
D~1\com7 - The system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3 - The
 system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1 - The system cannot
 find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3 - The system cannot find the
 file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con - The system cannot find the file specifie
d.
0200~1\com9\HEHEHE~1\con - The system cannot find the file specified.
0200~1\com9 - The system cannot find the file specified.
The process cannot access the file because it is being used by another process.
**************************************************

Thank You,
DonJoan
0
Comment
Question by:donjoan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 2

Expert Comment

by:mellowmarquis
ID: 11950387
A few suggestions:

Perhaps you:

A. Are typing the wrong command
B. do not have permission to view/modify files
C. the data could be streamed covertly.

Forgive me if it's a little simple, but I don't know yr skill level. Make sure you read all the way through it before trying any of this. You may not have to go this drastic and it may spark an idea.

1. Ensure you have Administrator access and that there are no additional users with this access (they may have further exploited the machine and created user accounts).

2. Ensure you can see all files through explorer (including hidden and system)

3. Disconnect from the internet, reboot into safe mode and ensure the FTP service is stopped.

4. Copy any data you require from the FTP root sideways into a backup directory (anywhere but within you FTP Root directory! :)

5. Try to delete through DOS. - RM and RD won't work as far as I know as they are Unix commands. Try "DELTREE foldere_name"

WARNING:This will delete all files and folders so BE CAREFUL!!!!

6. Install a firewall and if you must use FTP, ensure both it and windows have been locked down and patched.

7. If all else fails, delete the whole FTP root directory and restore from backup in Step 4

Hope this helps.











5. Open up DOS, get into your FTP root directory ( c:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot )
6. Type: DELTREE folder_name
7. Hit <Enter>
0
 

Author Comment

by:donjoan
ID: 11950586
Hi

I cannot disconnect from the internet to access the system thourgh DOS because we're using hosting service, it's a dedicated server i have Administrator access.

Thank You
0
 
LVL 6

Expert Comment

by:tanelorn
ID: 11951464
how are you accessing the remote system??
and what are the different ways you have available to acces the system.

also you say you have admin rights on the machine,  can you start and stop services?

Tanelorn
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:donjoan
ID: 11951848
Hi

I can only access the server from "Terminal Services" and "FTP", yes i can start and stop services.

DonJoan
0
 
LVL 6

Expert Comment

by:tanelorn
ID: 11952169
in that case,  

I bet there are special characters that are valid for unix/mac but not windows that is making the delete fail.  I have a mixed environment and sometimes have to deal with renaming files on the server  from one machine (unix/mac) so I can use them on another (pc)...  darn trailing periods...  anyway..  

you'll need to kick off all other ftp connections. (to hopefully get rid of files in use..) you might want to temporarily disable logins for all users  but yours.
or disable anonymous..  I don't know how your configured. or limit connections..  you get the drift.

I would use your ftpclinet dujour  and log in with privilege to the ftp server.
change the permissions so you can have full control over the files and folders that you wan to delete
and blow them away with the ftp client.

give it a try , and let us know how it goes.
Tanelorn
0
 

Author Comment

by:donjoan
ID: 11953459
I've tried as you've suggested using wsftp and FalshFXP but i cannot delete it (error message:  folder is not empty)
0
 
LVL 6

Expert Comment

by:tanelorn
ID: 11953590
Hi,

try using filezilla.
I just tried this with my own ftp server and when I deleted a directory with something in it,
filezilla was happy to decend into the dirs and blow away files.

you can get it here.

http://optusnet.dl.sourceforge.net/sourceforge/filezilla/FileZilla_2_2_8b_setup.exe

I just want to rule out file system damage...  (ie. the os thinks there are files there, but not really.. )

Tanelorn
0
 

Author Comment

by:donjoan
ID: 11954216
I've tried with Filezinna, same things happening:

Status:      Retrieving directory listing...
Command:      CWD /InetPub/
Response:      250 CWD command successful.
Command:      PWD
Response:      257 "/InetPub" is current directory.
Status:      Directory listing successful
Command:      RMD /InetPub/2300
Response:      550 /InetPub/2300: The directory is not empty.

Thank You
Donjoan
0
 
LVL 6

Accepted Solution

by:
tanelorn earned 500 total points
ID: 11954361
in filezilla while you are connected,
click on view, and then click on "show hidden files"

and see if there is anything there...

I'm running out of ideas...

Tanelorn
0
 

Author Comment

by:donjoan
ID: 11957131
Hi

I've tried but it didn't show any file and i've temp. fixed this problem by renaming the parent folder using ftp client and create a new site (new ftproot folder), the site is working now.

Thank you for your help!

DonJoan
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
win2k service packs 5 668
Windows task manager not executing scheduled task correctly? 6 160
P2V Windows Server 2000 - Network Issue 14 65
Windows 2000 48-bit LBA 13 78
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This article describes how to import an Outlook PST file to Office 365 using a third party product to avoid Microsoft's Azure command line tool, saving you time.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question