Solved

deleting thousands of files across thousands of sub folders in windows server 2008

Posted on 2010-08-27
Last Modified: 2012-05-10
hi,

my web hosting server was hacked and a malicious script was run which copied 10 different files to EVERY folder on my server....

luckily it wasn't too disruptive as the homepage of virtually all of the sites i was hosting is index.asp  (and the default document is index.asp) and the script didn't delete any files so in most cases the sites themselves weren't affected ....

i ran a search for all files which were created just after the script was run with a size of 5k (the size of the added files) and found over 300 000 files....

now i'm trying to find a way to mass delete all of these files....

if i select all of the files and hit delete it spends an indefinite amount of time 'calculating' and never actually does anything....

i found that if i drag a few thousand files at a time to the recycle bin this sometimes works, but not always...

has anyone any suggestions for some software or technique i can use to delete all of these files...

thanks
Question by:dog_star
11 Comments
 
LVL 10

Expert Comment

by:scriven_j
If they were created with a script, then using a script to delete them would seem to make sense.

If you know the name of the script that caused the problems, you might find your AV vendor (or another) would have a clean-up script.  Symantec:-

http://www.symantec.com/norton/security_response/index.jsp

are normally quite good at publishing clean-up tools for messy viruses.

Other than that a recursive batch file would probably do the job, but would need to know more details about how the script worked to replicate the behaviour but resolve the problems.
0
 
LVL 4

Expert Comment

by:Geek_Nabil
Ok, I'll help you with the script, but I need to know a few things first.
These 10 files in all the folders, do they have the same name, or extension or anything in common on the entire system?
0
 
LVL 14

Expert Comment

by:athomsfere
What script or virus was this? It may provide the information needed to undo this, like is there a preexisting solution (Spybot, Malware-Bytes, or a script).

This might provide some direction as well
http://www.computing.net/answers/programming/batch-file-search-and-delete-file/16386.html
0
 

Author Comment

by:dog_star
hi,

thanks for the ideas...

my worry about running a script is that the pages which have been created are all default page names... ie index.asp, index.htm, index.php, default.asp etc etc

running a script to delete all files with these names would delete an awful lot of files i don't want deleted :)

using windows search at least i can see the time created.... all the 'rogue' files were created just after 5.30pm and so are easy enough to spot in the search... deleting them is proving more difficult...

at the moment i'm trying out windows commander to see if that will do a better job than windows explorer...

would a script be able to target files this specifically? ie by size and by date?
0
 
LVL 4

Expert Comment

by:Geek_Nabil
Use this Command:

forfiles /P <DIRECTORY> /S /M <*.extension> /D "<DATE>" /C "cmd /c del /F @file"

example:

forfiles /P C:\Folder /S /M *.txt /D "25/08/2010" /C "cmd /c del /F @file"
0
 
LVL 10

Expert Comment

by:scriven_j
OK - in this situation, I would say do it by hand, or restore from a backup to be on the safe side.
0
 
LVL 4

Expert Comment

by:Geek_Nabil
If he uses the command above, it's going to be fine,

it looks for files newer than a specific date with a specific file extension and deletes them, better if he can move them to a certain directory and check them manually if he wants to.

To move to a directory just change the last part:
/C "cmd /c del /F @file"

To:
/C "cmd /c move @file <DESTINATION> /Y"
Example
/C "cmd /c move @file D:\Files /Y"

0
 
LVL 2

Expert Comment

by:AbuAnaza
You can use advanced search options in Windows to find files created after a particular date; I think you have been successful in doing that. As for the issue with taking too much time to delete, did you try selecting like a bunch of files (not all) and then deleting them in groups?

regards,
m
0
 
LVL 11

Accepted Solution

by:marek1712 (earned 500 total points)
Alternatively you can use Total Commander's search function to find the files created some time in the past and delete them. It's faster than Windows Search.
0
 
LVL 11

Expert Comment

by:Ben Personick
First Off, don't use Recycle Bin on any files you are certain about Deleting.

Recycle Bin Adds additional time both when sending files to it and when deleting them from it.

Instead HOLD SHIFT and delete normally (right click and select delete, or hit the delete Key)

Second, it sounds like the files are always called "Index.AnyExtension", is this right?  Or is the file "AnyName.AnyExtension"?

We Can do this through many file spec comparisons.

I may be overly cautious for your taste, but I suggest matching files on several attributes "To Insure Proper Service".

Also you should probably MOVE all the files to a different location, in case anything stops functioning.

The best way to accomplish this would be to use Robocopy.

(Sorry from Memory, so please test before running and use RoBoCopy /? To check the command names for age and size)
For 5:28AM To 5:32AM

Robocopy C:\ "\\Server\Share\Save" Index.* /MOV /S /MAXAGE:20100826 /MINAGE:20100827 /MIN:5119 /MAX:5121

However, what would be best is if we can make the selection and then compare the contents of the files, either using FindStr or using FC.

That Would increase the time required, and send us back to using COMMAND Loops, but would allow for a more bulletproof method.

-Q
0
 

Author Closing Comment

by:dog_star
thanks everyone for your suggestions...

as i mentioned in my original post windows explorer just can't seem to handle file operations like this with so many files in so many different locations... possibly shift-deleting might have worked better... maybe next time i'll try (though of course hoping there is no next time:))

total commander worked perfectly...

to be on the safe side i actually ran a search defining the rough time all the files were created and, to be on the safe side, i ran a text search looking for all files which contained certain text which the hacker had put in (specifically the name of the hacker)...

total commander took a couple of hours but it seemed to have found all the files (305,000 altogether).... i then hit delete and after a few seconds thinking it started deleting... it's probably going to take a while but at least i can be pretty certain it won't be deleting anything it shouldn't...

again, thanks for all the suggestions
0
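
The selection described in the last two posts (match on several attributes at once, confirm by the text the attacker left in the file, and move rather than delete), written out as a PowerShell script. This is an added example, not code from anyone in the thread; the root path, quarantine path, time window, size bounds and marker string are all placeholders to be replaced with the values seen on the affected server.

```powershell
# Added example: quarantine files that match ALL criteria (name, creation
# window, size, marker text). Every value below is a placeholder.
$Root       = 'C:\inetpub\wwwroot'          # assumed web root to scan
$Quarantine = 'D:\Quarantine'               # assumed folder outside $Root
$Names      = 'index.*', 'default.*'        # default-document names from the thread
$From       = [datetime]'2010-08-26 17:25'  # placeholder window around the
$To         = [datetime]'2010-08-26 17:45'  #   "just after 5.30pm" creation time
$MinSize    = 4KB                           # planted files were about 5 KB
$MaxSize    = 6KB
$Marker     = 'PLACEHOLDER-ATTACKER-NAME'   # text the planted files contain
$DryRun     = $true                         # list only; set $false to move

function Test-Marker([string]$Path) {
    # Candidates are about 5 KB, so reading each one whole is cheap.
    try {
        $text = [IO.File]::ReadAllText($Path)
        return $text.IndexOf($Marker, [StringComparison]::OrdinalIgnoreCase) -ge 0
    } catch { return $false }               # unreadable file: leave it alone
}

# @(...) guarantees an array even when nothing matches.
$hits = @(Get-ChildItem -Path $Root -Recurse -Force -Include $Names -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        $_.CreationTime -ge $From -and $_.CreationTime -le $To -and
        $_.Length -ge $MinSize -and $_.Length -le $MaxSize -and
        (Test-Marker $_.FullName)
    })

foreach ($f in $hits) {
    # Mirror the original folder layout so same-named files do not collide.
    $rel  = $f.FullName.Substring($Root.Length).TrimStart('\')
    $dest = Join-Path $Quarantine $rel
    if ($DryRun) { "WOULD MOVE $($f.FullName) -> $dest"; continue }
    [IO.Directory]::CreateDirectory((Split-Path $dest -Parent)) | Out-Null
    Move-Item -LiteralPath $f.FullName -Destination $dest
    # Keep a record of what was moved and from where.
    "$($f.FullName)`t$($f.CreationTime.ToString('s'))`t$($f.Length)" |
        Add-Content -Path (Join-Path $Quarantine 'moved.log')
}
"{0} file(s) matched" -f $hits.Count
```

Run it first with `$DryRun = $true` and review the list. The quarantine tree keeps the planted files available for later analysis and lets any file moved by mistake be put back at its original path.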
