comcityllc
How do you delete a hacked directory that is hidden in Explorer but viewable in the Command prompt because it is not empty?
I have a folder in Windows 2003 that is only visible from the command prompt and cannot be seen in Windows Explorer. I cannot delete the folder using every avenue I have looked at. Each time I try, I get "the directory is not empty". The directory is completely hidden in Explorer, and the only reason I know it's there in the command prompt is because I'm tracking attempts to load viruses into that directory from the Event Viewer and Symantec AntiVirus. I have tried KB 120716, http://support.microsoft.com/kb/120716/EN-US/. I have also tried to download RM and RMD.exe, but they do not seem to be compatible with Windows 2K3. None of these attempts have worked. If you attempt to create a directory with the same name, even in Explorer, it says the directory already exists even though you cannot actually see it. How do I delete this folder or make it visible such that GUI tools to manage this file become active?
ASKER
Can't go into Safe Mode because this is a remote server. My guess is there is a file in the directory neither I nor the operating system can see because of Alt-characters. Either that, or there is some other way or attribute you can set on a directory that makes it act like this. I don't believe I would be able to see the file in Safe Mode either. Safe Mode typically only disables the loading of services that might lock the file or folder. No files are "locked"....they just are not visible.
Try using a Windows Explorer alternative that will make those hidden characters visible -- I think http://zabkat.com/x2lite.htm may do it, although I don't have a handy file to test it on right now. But I had a similar problem a while back and I was able to rename the folder to normal characters using an alternative file manager (might have been the A43 tool in BartPE... can't remember... sorry!). Then I still couldn't delete it because of a permission issue (nasty virus writers!) but I could then take ownership in Windows and finally got rid of it.
There are a few things you could try.
1. Start - run - type cmd and hit ok - change the directory to the one before the hidden one (if it's C:\windows\system32\thisone then go to C:\windows\system32) - then type in "attrib -r -a -s -h thisone" (without the quotes, and "thisone" should be the name of the file you have trouble with) to remove extra permissions from the drive. Then type "del thisone" (no quotes) to delete the directory
AND
2. Open my computer - tools - folder options - View tab - Under Hidden files and folders ensure Show hidden files and folders is selected - hit ok to save changes. See if you can see it now. Then delete.
AND
3. Try http://www.killbox.net
ASKER
Ok, I'm an experienced admin....so I've done all the easy stuff already. I've run Attrib -A -S -H -R over a thousand times now. I've already used "takeowner", and that's how I was able to delete the files and folder that were in the folder originally.
My explorer's hidden files and OS files properties are set.
I've also tried "unlocker -h" as well as SubInACL.
I've looked at KB after KB...and article after article on this. I don't understand how hackers can do this but we can't fix it. Seems like a hole in the OS big enough to drive a truck through, park it and then blow it up.
I'll try the alternative Explorer and Killbox...
ASKER
Ok, the directory is not visible in xplorer lite...and there are no processes running in this folder, so there are no processes to kill. The problem is not that the directory is locked due to running processes. The problem is a way to hide a file (other than attrib) inside an already hidden folder (hidden some other way than attrib). Or the folder is "malformed" in some way that only part of the OS recognizes it.
I have already tried rmdir \\?\c:\windows\hacker_folder, del, erase, everything using this command structure, including quotes: rmdir "\\?\c:\windows\hacker_folder" and rmdir \\?\"c:\windows\hacker_folder"
ASKER
Ok....
I just shared my c:\windows and, using my remote personal computer, I mapped to this share, and now I can see files in this directory on my remote computer. Very bizarre...I can see two files there I was not able to see on the computer. However, I cannot delete the files for some reason. In addition, I found a .ini file that is basically the hackers' "cheat sheet" in text format, which shows what they have done. It looks like a "root type exploit". But with the cheat sheet, I know what to back out....just don't know how to accomplish it. It's like the hacker has better tools than me.
So...anybody know how I can proceed, given now I know the files in the directory that are somehow "completely hidden" by the native OS but can be seen with XP? I found other hidden directories that I didn't even know were there, that I was able to delete based upon the cheat sheet.
ASKER CERTIFIED SOLUTION
ASKER
If you get access to a machine, it still runs as the logged-in user, typically administrator. The problem is not running services. The problem is that I can go to File Manager, turn off a folder's "read-only" attribute and apply it to the folders, and when I come back, it's right back at read-only. It's like attributes are not working.
I'm trying to download a new antivirus program called F-Secure...but every time I download the file, it is immediately hidden within any particular folder. The only way I can see it is with a file explorer of a different computer.
ASKER
Ok, yes, it appears I was rootkit'd with backdoor.hackdefender. I loaded up a beta program called F-Secure...incredible is what that program is. It was able to unhide and rename all the files, and they're off now. There was also a bunch of warez stuff it found and deleted as well. It was like magic. However, I had to trick the OS to load the F-Secure software. It appears the hackers must have already heard about F-Secure, because they had a copy of F-Secure already loaded onto the server as a "hidden" file. So that's why I could not load it and it immediately became hidden. I had to rename the F-Secure executable something else, like somefile.exe, and then zip that up in a file called somefile.zip on a separate computer and transport it on to the server.
I have a cheat sheet of other stuff that was done, because it was all in an ini file that I looked at previously. It doesn't look like F-Secure found the other stuff...probably because the other stuff is not hidden but disguised as other "normal" files.
The question is,how did they get access?
You can try to fix what is broken now,but how did they get in?
As for decent virus/malware scan,try Trend Micro House Call.
Works completely through a web browser.
No exe needed.
ASKER
I don't know....
SQL Server was at KB1, there is a KB4 now...so I uploaded that. It doesn't automatically "update" like most of the other programs. There's now a couple of ways to get in that way.
I'm concerned that there are a bunch of anonymous logins in the event viewer that are being accepted but from what I have read this is ok. These are about the time of the exploit which occurred on 11/16 at roughly 10:30 am.
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x641C85F)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: CLOUD
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 70.17.43.139
Source Port: 0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
And this one around the same time but a different type.
Logon attempt using explicit credentials:
Logged on user:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon GUID: -
User whose credentials were used:
Target User Name: IUSR_COMPUTERNAME
Target Domain: THESERVERNAME
Target Logon GUID: -
Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 3936
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
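Added example, not part of the thread and not the asker's tooling: a small parser and triage pass over Security-log text in the exact shape quoted above. On Windows 2003 the two events are 540 (Successful Network Logon) and 552 (Logon attempt using explicit credentials). A 540 with Logon Type 3, NTLM and an empty User Name is an anonymous (null-session) network logon; those are routine on a LAN, but one from a public address at the time of the compromise is worth pulling firewall logs for. A 552 where NT AUTHORITY\NETWORK SERVICE logs on an IUSR_* account against localhost is what the IIS 6 worker process does for every anonymous web request and is expected. The sample input is the page's two events retyped into one string; the classification rules are this example's own assumptions.

```python
"""Parse Windows 2003 Security-log event text and triage logon events.

Added example. SAMPLE_LOG is the thread's two quoted events retyped as one
blob (constructed input); the rules in triage() are this example's assumptions."""
import ipaddress
import re

SAMPLE_LOG = """Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x641C85F)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: CLOUD
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 70.17.43.139
Source Port: 0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Logon attempt using explicit credentials:
Logged on user:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon GUID: -
User whose credentials were used:
Target User Name: IUSR_COMPUTERNAME
Target Domain: THESERVERNAME
Target Logon GUID: -
Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 3936
Source Network Address: -
Source Port: -
"""

# A line that starts a new event (event 540 / 552 descriptions on Windows 2003).
EVENT_TITLES = {"Successful Network Logon", "Logon attempt using explicit credentials"}
# Sub-headings inside a 552 event that carry no value of their own.
SECTION_HEADERS = {"Logged on user", "User whose credentials were used"}
# "Field Name: value"; the value may be empty (anonymous User Name) or "-".
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_events(text):
    """Split event text into dicts: {'title': ..., 'Field Name': 'value', ...}.

    Lines that are not "Name: value" (the "For more information" footer) are
    skipped, so a raw Event Viewer copy-paste can be fed in unchanged."""
    events, current = [], None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name in EVENT_TITLES and value == "":
            current = {"title": name}
            events.append(current)
        elif name in SECTION_HEADERS:
            continue
        elif current is not None:
            current[name] = value
    return events


def source_is_external(addr):
    """True for a routable public address, False for private/loopback/link-local,
    None when no address was logged ("-" or blank)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(event):
    """Return (severity, reason) for one parsed event.

    Severities: 'review' needs a human, 'expected' is known-benign behaviour,
    'info' is everything else."""
    title = event["title"]
    if title == "Successful Network Logon":
        src = event.get("Source Network Address", "-")
        user = event.get("User Name", "")
        anonymous = user == ""
        if anonymous and source_is_external(src) is True:
            return ("review", "anonymous NTLM network logon (null session) from external address " + src)
        if anonymous:
            return ("info", "anonymous network logon from internal or unrecorded source " + src)
        return ("info", "authenticated network logon by %s\\%s from %s" % (event.get("Domain", ""), user, src))
    if title == "Logon attempt using explicit credentials":
        caller = (event.get("Domain", ""), event.get("User Name", ""))
        target = event.get("Target User Name", "")
        server = event.get("Target Server Name", "")
        if caller == ("NT AUTHORITY", "NETWORK SERVICE") and target.upper().startswith("IUSR_") and server.lower() == "localhost":
            return ("expected", "IIS worker process logging on its anonymous IUSR account")
        return ("review", "explicit-credential logon to %s on %s by %s\\%s" % (target, server, caller[0], caller[1]))
    return ("info", "unhandled event type: " + title)


def triage_log(text):
    """Parse and triage a whole log blob; returns [(title, severity, reason), ...]."""
    return [(e["title"],) + triage(e) for e in parse_events(text)]


if __name__ == "__main__":
    for title, severity, reason in triage_log(SAMPLE_LOG):
        print("%-8s %-42s %s" % (severity, title, reason))
```

Run against a larger export, the 'review' rows are the ones to correlate with firewall logs and with the 11/16 10:30 timestamp; the 'expected' IIS rows are noise unless the Caller Process ID is not the w3wp.exe process.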
Have you tried safe mode?
JamesTX10