Solved

win2k server : cannot delete empty folders created by the hackers

Posted on 2004-09-01
Last Modified: 2007-12-19
Hello

My FTP server was hacked and I cannot delete empty folders created by the hackers.

Here is the folder structure; the directories are empty.

ftproot > (C1C3~1, find using dir /x) > (0303~1, find using dir /x)  > (0200~1, find using dir /x) > com9 > HeHeHe  > con > ScanneD > con > by > lpt3 > JDX > lpt1 > TaGGeD  > com3 > by > com7 > GloomyFigure > aux > (not named) >  with Neo1907´s PuB-tAgGeR > com9 > uPPed > com8 > BY > com7 > GloomyFigure > con

I've tried to find a solution in the previous posts, but none of them works for me.

I cannot explore over "C:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot\C1C3~1\0303~1\0200~1":

**********************
C:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot\C1C3~1\0303~1\0200~1>cd com9
The system cannot find the path specified.
******************************

I also tried to delete them using the RD and RM commands, but neither worked.

********************************
C:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot\C1C3~1\0303~1>rd /s 0200~1
0200~1, Are you sure (Y/N)? y
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3\BYC31D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9\UPPED~1\com8\BY6C08~1\com7\GLOOMY~1\con - The system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3\BYC31D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9\UPPED~1\com8\BY6C08~1\com7 - The system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3\BYC31D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9\UPPED~1\com8 - The system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3\BYC31D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9 - The system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3\BYC31D~1\com7\GLOOMY~1\aux - The directory name is invalid.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3\BYC31D~1\com7 - The system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3 - The system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1 - The system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3 - The system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con - The system cannot find the file specified.
0200~1\com9\HEHEHE~1\con - The system cannot find the file specified.
0200~1\com9 - The system cannot find the file specified.
The process cannot access the file because it is being used by another process.
**************************************************

Thank You,
DonJoan
Question by:donjoan
10 Comments
 
LVL 2

Expert Comment

by:mellowmarquis
ID: 11950387
A few suggestions:

Perhaps you:

A. Are typing the wrong command
B. do not have permission to view/modify files
C. the data could be streamed covertly.

Forgive me if it's a little simple, but I don't know your skill level. Make sure you read all the way through it before trying any of this. You may not have to go this drastic and it may spark an idea.

1. Ensure you have Administrator access and that there are no additional users with this access (they may have further exploited the machine and created user accounts).

2. Ensure you can see all files through explorer (including hidden and system)

3. Disconnect from the internet, reboot into safe mode and ensure the FTP service is stopped.

4. Copy any data you require from the FTP root sideways into a backup directory (anywhere but within your FTP Root directory! :)

5. Try to delete through DOS. - RM and RD won't work as far as I know as they are Unix commands. Try "DELTREE folder_name"

WARNING:This will delete all files and folders so BE CAREFUL!!!!

6. Install a firewall and if you must use FTP, ensure both it and windows have been locked down and patched.

7. If all else fails, delete the whole FTP root directory and restore from backup in Step 4

Hope this helps.

5. Open up DOS, get into your FTP root directory ( c:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot )
6. Type: DELTREE folder_name
7. Hit <Enter>
 

Author Comment

by:donjoan
ID: 11950586
Hi

I cannot disconnect from the internet to access the system through DOS because we're using a hosting service; it's a dedicated server and I have Administrator access.

Thank You
 
LVL 6

Expert Comment

by:tanelorn
ID: 11951464
How are you accessing the remote system?
And what are the different ways you have available to access the system?

Also, you say you have admin rights on the machine; can you start and stop services?

Tanelorn
 

Author Comment

by:donjoan
ID: 11951848
Hi

I can only access the server from "Terminal Services" and "FTP"; yes, I can start and stop services.

DonJoan
 
LVL 6

Expert Comment

by:tanelorn
ID: 11952169
in that case,  

I bet there are special characters that are valid for unix/mac but not windows that are making the delete fail.  I have a mixed environment and sometimes have to deal with renaming files on the server from one machine (unix/mac) so I can use them on another (pc)...  darn trailing periods...  anyway..

you'll need to kick off all other ftp connections (to hopefully get rid of files in use..). you might want to temporarily disable logins for all users but yours,
or disable anonymous..  I don't know how you're configured. or limit connections..  you get the drift.

I would use your FTP client du jour and log in with privilege to the ftp server.
change the permissions so you can have full control over the files and folders that you want to delete
and blow them away with the ftp client.

give it a try , and let us know how it goes.
Tanelorn

Author Comment

by:donjoan
ID: 11953459
I've tried as you suggested using wsftp and FlashFXP, but I cannot delete it (error message: folder is not empty).
 
LVL 6

Expert Comment

by:tanelorn
ID: 11953590
Hi,

try using filezilla.
I just tried this with my own ftp server and when I deleted a directory with something in it,
filezilla was happy to descend into the dirs and blow away files.

you can get it here.

http://optusnet.dl.sourceforge.net/sourceforge/filezilla/FileZilla_2_2_8b_setup.exe

I just want to rule out file system damage...  (ie. the os thinks there are files there, but not really.. )

Tanelorn
 

Author Comment

by:donjoan
ID: 11954216
I've tried with FileZilla; the same thing is happening:

Status:      Retrieving directory listing...
Command:      CWD /InetPub/
Response:      250 CWD command successful.
Command:      PWD
Response:      257 "/InetPub" is current directory.
Status:      Directory listing successful
Command:      RMD /InetPub/2300
Response:      550 /InetPub/2300: The directory is not empty.

Thank You
Donjoan
 
LVL 6

Accepted Solution

by:
tanelorn earned 500 total points
ID: 11954361
in filezilla while you are connected,
click on view, and then click on "show hidden files"

and see if there is anything there...

I'm running out of ideas...

Tanelorn
 

Author Comment

by:donjoan
ID: 11957131
Hi

I've tried, but it didn't show any files, and I've temporarily fixed this problem by renaming the parent folder using the FTP client and creating a new site (new ftproot folder); the site is working now.

Thank you for your help!

DonJoan
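
The folder names in the question (com9, con, lpt3, lpt1, aux) are reserved DOS device names, which the Win32 path layer resolves to devices rather than directories. The sketch below is an added example, not part of the original thread: it flags such components (and the trailing periods tanelorn mentions) in a path and returns the `\\?\`-prefixed form, which is passed to the file system without that name parsing. The function names are hypothetical and the sample path is constructed from the question's ftproot path and its `rd /s` output.

```python
import re

# Names the Win32 layer maps to DOS devices, with or without an extension ("aux.txt").
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.IGNORECASE)

# Constructed sample: the ftproot path from the question joined with the
# deepest chain printed by its "rd /s" output.
SAMPLE = (
    r"C:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot\C1C3~1\0303~1"
    r"\0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1"
    r"\com3\BYC31D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9\UPPED~1\com8"
    r"\BY6C08~1\com7\GLOOMY~1\con"
)


def classify(component):
    """Return why the Win32 layer mishandles this name, or None if it is ordinary."""
    # Win32 strips trailing dots and spaces before the device-name check.
    if RESERVED.match(component.rstrip(" .")):
        return "reserved device name"
    if component not in (".", "..") and component[-1:] in (".", " "):
        return "trailing dot or space"
    return None


def audit_path(path):
    """Return (findings, extended_path) for a drive-letter path.

    findings is a list of (depth, component, reason); extended_path carries
    the \\?\ prefix so the path reaches the file system uninterpreted.
    """
    parts = [p for p in path.split("\\") if p]
    findings = []
    for depth, name in enumerate(parts):
        reason = classify(name)
        if reason:
            findings.append((depth, name, reason))
    return findings, "\\\\?\\" + "\\".join(parts)


if __name__ == "__main__":
    hits, extended = audit_path(SAMPLE)
    for depth, name, reason in hits:
        print(f"depth {depth:2d}: {name!r} -> {reason}")
    print("extended form:", extended)
```

On the server itself, the extended form can be passed in quotes to `rd /s /q`, which then walks the chain without resolving the device names.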