Solved

How do you delete a hacked directory that is hidden in Explorer but viewable in the Command prompt because it is not empty?

Posted on 2006-11-13
15
381 Views
Last Modified: 2010-04-03
I have a folder in Windows 2003 that is only visible from the command prompt and cannot be seen in Windows Explorer.  I cannot delete the folder using any avenue I have looked at.  Each time I try, I get "the directory is not empty".  The directory is completely hidden in Explorer and the only reason I know it's there in the command prompt is because I'm tracking attempts to load viruses into that directory from the event viewer and Symantec AntiVirus.  I have tried KB 120716, http://support.microsoft.com/kb/120716/EN-US/.  Have also tried to download RM and RMD.exe but they do not seem to be compatible with Windows 2K3.  None of these attempts have worked.  If you attempt to create a directory with the same name even in Explorer, it says the directory already exists even though you cannot actually see it.  How do I delete this folder or make it visible such that GUI tools to manage this file become active?
0
Question by:comcityllc
15 Comments
 
LVL 9

Expert Comment

by:JamesTX10
ID: 17931521
Hi comcityllc,
Have you tried safe mode?

JamesTX10
0
 

Author Comment

by:comcityllc
ID: 17931621
Can't go into Safe Mode because this is a remote server.  My guess is there is a file in the directory neither I nor the operating system can see because of Alt-characters.  Either that or there is some other way or attribute you can set on a directory that makes it act like this.  I don't believe I would be able to see the file in Safe Mode either.   Safe Mode typically only disables the loading of services that might lock the file or folder.   No files are "locked"... they just are not visible.
0
 
LVL 14

Expert Comment

by:yessirnosir
ID: 17931851
Try using a Windows Explorer alternative that will make those hidden characters visible -- I think http://zabkat.com/x2lite.htm may do it, although I don't have a handy file to test it on right now.  But I had a similar problem a while back and I was able to rename the folder to normal characters using an alternative file manager (might have been the A43 tool in BartPE... can't remember... sorry!).  Then I still couldn't delete it because of a permission issue (nasty virus writers!) but I could then take ownership in Windows and finally got rid of it.
0
 
LVL 18

Expert Comment

by:simsjrg
ID: 17931972
0
 
LVL 4

Expert Comment

by:Smacky311
ID: 17932249
There are a few things you could try.

1.  Start - run - type cmd and hit ok - change the directory to the one before the hidden one (if it's C:\windows\system32\thisone then go to C:\windows\system32) - then type in "attrib -r -a -s -h thisone" (without the quotes, and "thisone" should be the name of the file you have trouble with) to remove extra permissions from the drive.  Then type "del thisone" (no quotes) to delete the directory
AND
2.  Open my computer - tools - folder options - View tab - Under Hidden files and folders ensure Show hidden files and folders is selected - hit ok to save changes.  See if you can see it now.  Then delete.
AND
3.  Try http://www.killbox.net
0
 

Author Comment

by:comcityllc
ID: 17932349
Ok, I'm an experienced admin... so I've done all the easy stuff already. I've run Attrib -A -S -H -R over a thousand times now.  Ok, I've already used "takeowner" and that's how I was able to delete the files and folder that were in the folder originally.

My explorer's hidden files and OS files properties are set.

I've also tried "unlocker -h" as well as SubInACL.

I've looked at KB after KB...and article after article on this.  I don't understand how hackers can do this but we can't fix it.  Seems like a hole in the OS big enough to drive a truck through, park it and then blow it up.

I'll try the alternative Explorer and Killbox...
0
 

Author Comment

by:comcityllc
ID: 17932431
Ok, the directory is not visible in xplorer lite...and there are no processes running in this folder so there are no processes to kill.  The problem is not the directory is locked due to running processes.  The problem to hide a file (other than attrib) inside an already hidden folder (hidden some other way than attrib).  Or the folder is "malformed" in some way that only part of the OS recognizes it.

I have already tried rmdir \\?\c:\windows\hacker_folder, del, erase everything using this command structure including quotes rmdir "\\?\c:\windows\hacker_folder" and rmdir \\?\"c:\windows\hacker_folder"
0
 

Author Comment

by:comcityllc
ID: 17934915
Ok....
I just shared my c:\windows and using my remote personal computer I mapped to this share, now I can see files in this directory on my remote computer.  Very bizarre... I can see two files there I was not able to see on the computer.  However, I cannot delete the files for some reason.  In addition, I found a .ini file that is basically the hackers' "cheat sheet" in text format which shows what they have done.  It looks like a "root type exploit".  But with the cheat sheet, I know what to back out... just don't know how to accomplish it.  It's like the hacker has better tools than me.

So... anybody know how I can proceed given now I know the files in the directory that are somehow "completely hidden" by the native OS but can be seen with XP.  I found other hidden directories that I didn't even know were there, that I was able to delete based upon the cheat sheet.
0
 
LVL 30

Accepted Solution

by:
pgm554 earned 500 total points
ID: 17935248
Well, if there are files that are hidden, I would run RootkitRevealer from Sysinternals to get a better idea of what is out there.


http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

Files that are loaded up during a boot can be locked open and cannot be deleted.

If that is the case, you will have no choice but to boot into safe mode to a command prompt.

I would then create a .bat file that would remove the hidden stuff and have a user run it.

How did somebody get elevated privileges to install a rootkit on a 2003 server?

What does this server do?

Server 2003 is pretty locked down right out of the box, so somebody has misconfigured or missed something that allowed for an attack like this to happen.
0
 

Author Comment

by:comcityllc
ID: 17935470
If you get access to a machine, it still runs as the logged in user, typically administrator.  The problem is not running services.  The problem is that I can go to File Manager, turn off a folder's "read-only" attribute and apply it to the folders, and when I come back, it's right back at read-only.  It's like attributes are not working.

I'm trying to download a new antivirus program called F-Secure... but every time I download the file it immediately is hidden within any particular folder.  The only way I can see it is with a file explorer of a different computer.
0
 

Author Comment

by:comcityllc
ID: 17935689
Ok yes it appears I was rootkit'd with backdoor.hackdefender.  I loaded up a beta program called F-Secure... incredible is what that program is.  It was able to unhide and rename all the files and they're off now.  There was also a bunch of warez stuff it found and deleted as well.  It was like magic.  However, I had to trick the OS to load the F-Secure software.  It appears the hackers must have already heard about F-Secure because they had a copy of F-Secure already loaded onto the server as a "hidden" file.  So that's why I could not load it and it immediately became hidden.  I had to rename the F-Secure executable something else like somefile.exe and then zip that up in a file called somefile.zip on a separate computer and transport it on to the server.

I have a cheat sheet of other stuff that was done because it was all in an ini file that I looked at previously.  It doesn't look like F-Secure found the other stuff... probably because the other stuff is not hidden but disguised as other "normal" files.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 17936005
The question is, how did they get access?

You can try to fix what is broken now, but how did they get in?

As for a decent virus/malware scan, try Trend Micro HouseCall.

Works completely through a web browser.
No exe needed.
0
 

Author Comment

by:comcityllc
ID: 17936053
I don't know....
SQL Server was at KB1, there is a KB4 now... so I uploaded that.  It doesn't automatically "update" like most of the other programs.  There's now a couple of ways to get in that way.

I'm concerned that there are a bunch of anonymous logins in the event viewer that are being accepted but from what I have read this is ok.  These are about the time of the exploit which occurred on 11/16 at roughly 10:30 am.

Successful Network Logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x641C85F)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      CLOUD
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      70.17.43.139
       Source Port:      0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And this one around the same time but a different type.

Logon attempt using explicit credentials:
 Logged on user:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Logon GUID:      -
 User whose credentials were used:
       Target User Name:      IUSR_COMPUTERNAME
       Target Domain:      THESERVERNAME
       Target Logon GUID: -

 Target Server Name:      localhost
 Target Server Info:      localhost
 Caller Process ID:      3936
 Source Network Address:      -
 Source Port:      -


For more information, see Help and Support Center at
0
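The anonymous Type 3 NTLM logon pasted above is the kind of record worth triaging in bulk rather than by eye. As an added example (not code from the thread or any of its posters), here is a small Python parser for that indented event layout that flags anonymous NTLM network logons whose source address falls outside an assumed list of trusted ranges; the sample events and their addresses are constructed.

```python
"""Added example, not from the thread: flag anonymous NTLM network logons in pasted event text."""
import ipaddress
import re

# Constructed sample in the layout of the thread's events; the addresses are made up.
SAMPLE_EVENTS = """Successful Network Logon:
       User Name:      
       Logon Type:      3
       Authentication Package:      NTLM
       Workstation Name:      CLOUD
       Source Network Address:      203.0.113.7

Successful Network Logon:
       User Name:      backupsvc
       Logon Type:      3
       Authentication Package:      NTLM
       Workstation Name:      FILESRV
       Source Network Address:      192.168.1.20
"""
# Assumed trusted source ranges: RFC 1918 plus loopback.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_events(text):
    """Split on blank lines; each record becomes {'_title': ..., 'Key': 'Value'}."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        event = {"_title": lines[0].strip().rstrip(":")}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep:                       # skip section headers that carry no value
                event[key.strip()] = value.strip()
        events.append(event)
    return events

def is_anonymous_external_logon(event, trusted=TRUSTED):
    """True for an empty-user Logon Type 3 NTLM logon from outside the trusted ranges."""
    if (event.get("_title") != "Successful Network Logon" or event.get("Logon Type") != "3"
            or event.get("Authentication Package") != "NTLM" or event.get("User Name")):
        return False                      # not a network logon, or a named account
    try:
        addr = ipaddress.ip_address(event.get("Source Network Address", "-"))
    except ValueError:                    # "-" or missing source: cannot be attributed
        return True
    return not any(addr in net for net in trusted)

def flag_events(text):
    """Return the parsed events that deserve a closer look."""
    return [e for e in parse_events(text) if is_anonymous_external_logon(e)]
```

Calling flag_events(SAMPLE_EVENTS) returns only the CLOUD record, since the backupsvc logon names an account and comes from a trusted range.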
