win2k server : cannot delete empty folders created by the hackers

Posted on 2004-09-01
Last Modified: 2007-12-19

My ftp server was hacked and i cannot delete empty folders created by the hackers.

Here is the folder stucture, directories are emprty.

ftproot > (C1C3~1, find using dir /x) > (0303~1, find using dir /x)  > (0200~1, find using dir /x) > com9 > HeHeHe  > con > ScanneD > con > by > lpt3 > JDX > lpt1 > TaGGeD  > com3 > by > com7 > GloomyFigure > aux > (not named) >  with Neo1907´s PuB-tAgGeR > com9 > uPPed > com8 > BY > com7 > GloomyFigure > con

I've tried to find solution with the previous posts but anyone is working for me.

I cannot explore over "C:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot\C1C3~1\0303~1\0200~1":

C:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot\C1C3~1\0303~1\0200~1>cd
The system cannot find the path specified.

Also i tried to delete them using RD and RM commands but anyone was working.

C:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot\C1C3~1\0303~1>rd /s 020
0200~1, Are you sure (Y/N)? y
on - The system cannot find the file specified.
D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9\UPPED~1\com8\BY6C08~1\com7 - The syst
em cannot find the file specified.
D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9\UPPED~1\com8 - The system cannot find
 the file specified.
D~1\com7\GLOOMY~1\aux\0200~1\WITHNE~1\com9 - The system cannot find the file spe
D~1\com7\GLOOMY~1\aux - The directory name is invalid.
D~1\com7 - The system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1\TAGGED~1\com3 - The
 system cannot find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3\JDX\lpt1 - The system cannot
 find the file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con\BYC31D~1\lpt3 - The system cannot find the
 file specified.
0200~1\com9\HEHEHE~1\con\SCANNE~1\con - The system cannot find the file specifie
0200~1\com9\HEHEHE~1\con - The system cannot find the file specified.
0200~1\com9 - The system cannot find the file specified.
The process cannot access the file because it is being used by another process.

Thank You,
Question by:donjoan
  • 5
  • 4

Expert Comment

ID: 11950387
A few suggestions:

Perhaps you:

A. Are typing the wrong command
B. do not have permission to view/modify files
C. the data could be streamed covertly.

Forgive me if it's a little simple, but I don't know yr skill level. Make sure you read all the way through it before trying any of this. You may not have to go this drastic and it may spark an idea.

1. Ensure you have Administrator access and that there are no additional users with this access (they may have further exploited the machine and created user accounts).

2. Ensure you can see all files through explorer (including hidden and system)

3. Disconnect from the internet, reboot into safe mode and ensure the FTP service is stopped.

4. Copy any data you require from the FTP root sideways into a backup directory (anywhere but within you FTP Root directory! :)

5. Try to delete through DOS. - RM and RD won't work as far as I know as they are Unix commands. Try "DELTREE foldere_name"

WARNING:This will delete all files and folders so BE CAREFUL!!!!

6. Install a firewall and if you must use FTP, ensure both it and windows have been locked down and patched.

7. If all else fails, delete the whole FTP root directory and restore from backup in Step 4

Hope this helps.

5. Open up DOS, get into your FTP root directory ( c:\Program Files\Ensim\Sitedata\indywood\InetPub\ftproot )
6. Type: DELTREE folder_name
7. Hit <Enter>

Author Comment

ID: 11950586

I cannot disconnect from the internet to access the system thourgh DOS because we're using hosting service, it's a dedicated server i have Administrator access.

Thank You

Expert Comment

ID: 11951464
how are you accessing the remote system??
and what are the different ways you have available to acces the system.

also you say you have admin rights on the machine,  can you start and stop services?

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud


Author Comment

ID: 11951848

I can only access the server from "Terminal Services" and "FTP", yes i can start and stop services.


Expert Comment

ID: 11952169
in that case,  

I bet there are special characters that are valid for unix/mac but not windows that is making the delete fail.  I have a mixed environment and sometimes have to deal with renaming files on the server  from one machine (unix/mac) so I can use them on another (pc)...  darn trailing periods...  anyway..  

you'll need to kick off all other ftp connections. (to hopefully get rid of files in use..) you might want to temporarily disable logins for all users  but yours.
or disable anonymous..  I don't know how your configured. or limit connections..  you get the drift.

I would use your ftpclinet dujour  and log in with privilege to the ftp server.
change the permissions so you can have full control over the files and folders that you wan to delete
and blow them away with the ftp client.

give it a try , and let us know how it goes.

Author Comment

ID: 11953459
I've tried as you've suggested using wsftp and FalshFXP but i cannot delete it (error message:  folder is not empty)

Expert Comment

ID: 11953590

try using filezilla.
I just tried this with my own ftp server and when I deleted a directory with something in it,
filezilla was happy to decend into the dirs and blow away files.

you can get it here.

I just want to rule out file system damage...  (ie. the os thinks there are files there, but not really.. )


Author Comment

ID: 11954216
I've tried with Filezinna, same things happening:

Status:      Retrieving directory listing...
Command:      CWD /InetPub/
Response:      250 CWD command successful.
Command:      PWD
Response:      257 "/InetPub" is current directory.
Status:      Directory listing successful
Command:      RMD /InetPub/2300
Response:      550 /InetPub/2300: The directory is not empty.

Thank You

Accepted Solution

tanelorn earned 500 total points
ID: 11954361
in filezilla while you are connected,
click on view, and then click on "show hidden files"

and see if there is anything there...

I'm running out of ideas...


Author Comment

ID: 11957131

I've tried but it didn't show any file and i've temp. fixed this problem by renaming the parent folder using ftp client and create a new site (new ftproot folder), the site is working now.

Thank you for your help!


Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Server 2008 Server 2003 Server 2000 12 644
Sapphire RAGE 128 Pro 32M - Windows 2000 Driver 2 930
Screen Mirroring 7 77
Windows 2000 48-bit LBA 13 34
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question