Solved

deleting thousands of files across thousands of sub folders in windows server 2008

Posted on 2010-08-27
Last Modified: 2012-05-10
hi,

my web hosting server was hacked and a malicious script was run which copied 10 different files to EVERY folder on my server....

luckily it wasn't too disruptive as the homepage of virtually all of the sites i was hosting is index.asp  (and the default document is index.asp) and the script didn't delete any files so in most cases the sites themselves weren't affected ....

i ran a search for all files which were created just after the script was run with a size of 5k (the size of the added files) and found over 300 000 files....

now i'm trying to find a way to mass delete all of these files....

if i select all of the files and hit delete it spends an indefinite amount of time 'calculating' and never actually does anything....

i found that if i drag a few thousand files at a time to the recycle bin this sometimes works, but not always...

has anyone any suggestions for some software or technique i can use to delete all of these files...

thanks
Question by:dog_star
11 Comments
 
LVL 10

Expert Comment

by:scriven_j
ID: 33541266
If they were created with a script, then using a script to delete them would seem to make sense.

If you know the name of the script that caused the problems, you might find your AV vendor (or another) would have a clean-up script.  Symantec:-

http://www.symantec.com/norton/security_response/index.jsp

are normally quite good at publishing clean-up tools for messy viruses.

Other than that a recursive batch file would probably do the job, but would need to know more details about how the script worked to replicate the behaviour but resolve the problems.
0
 
LVL 4

Expert Comment

by:Geek_Nabil
ID: 33541460
OK, I'll help you with the script, but I need to know a few things first.
These 10 files in all the folders, do they have the same name, or extension or anything in common on the entire system?
0
 
LVL 14

Expert Comment

by:athomsfere
ID: 33541490
What script or virus was this? It may provide the information needed to undo this, like is there a preexisting solution (Spybot, Malware-Bytes, or a script).

This might provide some direction as well
http://www.computing.net/answers/programming/batch-file-search-and-delete-file/16386.html
0

Author Comment

by:dog_star
ID: 33541506
hi,

thanks for the ideas...

my worry about running a script is that the pages which have been created are all default page names... ie index.asp, index.htm, index.php, default.asp etc etc

running a script to delete all files with these names would delete an awful lot of files i don't want deleted :)

using windows search at least i can see the time created.... all the 'rogue' files were created just after 5.30pm and so are easy enough to spot in the search... deleting them is proving more difficult...

at the moment i'm trying out windows commander to see if that will do a better job than windows explorer...

would a script be able to target files this specifically? ie by size and by date?
0
 
LVL 4

Expert Comment

by:Geek_Nabil
ID: 33541663
Use this Command:

forfiles /P <DIRECTORY> /S /M <*.extension> /D "<DATE>" /C "cmd /c del /F @file"

example:

forfiles /P C:\Folder /S /M *.txt /D "25/08/2010" /C "cmd /c del /F @file"
0
 
LVL 10

Expert Comment

by:scriven_j
ID: 33541856
OK - in this situation, I would say do it by hand, or restore from a backup to be on the safe side.
0
 
LVL 4

Expert Comment

by:Geek_Nabil
ID: 33541922
If he uses the command above, it's going to be fine,

it looks for files newer than a specific date with a specific file extension and deletes them, better if he can move them to a certain directory and check them manually if he wants to.

To move to a directory just change the last part:
/C "cmd /c del /F @file"

To:
/C "cmd /c move @file <DESTINATION> /Y"
Example
/C "cmd /c move @file D:\Files /Y"

0
 
LVL 2

Expert Comment

by:AbuAnaza
ID: 33541927
You can use advanced search options in Windows to find files created after a particular date; I think you have been successful in doing that. As for the issue with taking too much time to delete, did you try selecting like a bunch of files (not all) and then deleting them in groups?

regards,
m
0
 
LVL 11

Accepted Solution

by:
marek1712 earned 2000 total points
ID: 33542737
Alternatively you can use Total Commander's search function to find the files created some time in the past and delete them. It's faster than Windows Search.
0
 
LVL 14
ID: 33543050
First Off, don't use Recycle Bin on any files you are certain about Deleting.

Recycle Bin Adds additional time both when sending files to it and when deleting them from it.

Instead HOLD SHIFT and delete normally (right click and select delete, or hit the delete Key)

Second, it sounds like the files are always called "Index.AnyExtension", is this right?  Or is the file "AnyName.AnyExtension"?

We Can do this through many file spec comparisons.

I may be overly cautious for your taste, but I suggest matching files on several attributes "To Insure Proper Service".

Also you should probably MOVE all the files to a different location, in case anything stops functioning.

The best way to accomplish this would be to use Robocopy.

(Sorry from Memory, so please test before running and use RoBoCopy /? To check the command names for age and size)
For 5:28AM To 5:32AM

Robocopy "C:" "\\Server\Share\Save" Index.* /MOV /S /MinAge:20100826 05:29 /MaxAge:20100827 05:32 /MinSize:5119 /MaxSize:5121

However, what would be best is if we can make the selection and then compare the contents of the files, either using FindStr or using FC.

That Would increase the time required, and send us back to using COMMAND Loops, but would allow for a more bulletproof method.

-Q
0
 

Author Closing Comment

by:dog_star
ID: 33545245
thanks everyone for your suggestions...

as i mentioned in my original post windows explorer just can't seem to handle file operations like this with so many files in so many different locations... possibly shift-deleting might have worked better... maybe next time i'll try (though of course hoping there is no next time:))

total commander worked perfectly...

to be on the safe side i actually ran a search defining the rough time all the files were created and, to be on the safe side, i ran a text search looking for all files which contained certain text which the hacker had put in (specifically the name of the hacker)...

total commander took a couple of hours but it seemed to have found all the files (305,000 altogether).... i then hit delete and after a few seconds thinking it started deleting... it's probably going to take a while but at least i can be pretty certain it won't be deleting anything it shouldn't...

again, thanks for all the suggestions
0
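
The selection this thread ends up with (creation-time window, size band, and a text marker inside the file), with matches moved to a quarantine folder rather than deleted, as an added PowerShell example that is not from any poster. The function name, paths, size limits and the EXAMPLE_MARKER string are assumptions, and the demo tree at the bottom is constructed.

```powershell
# Added example. A file is quarantined only if it matches ALL three tests,
# so a legitimate index.asp of similar size and age is left alone.
function Move-DroppedFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Root,                    # tree to scan
        [string]$Quarantine,              # must be outside $Root
        [datetime]$From, [datetime]$To,   # window around the time the script ran
        [long]$MinBytes, [long]$MaxBytes, # size band of the dropped files
        [string]$Marker                   # text present in every dropped file
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -Force |
      Where-Object {
        -not $_.PSIsContainer -and
        $_.CreationTime -ge $From -and $_.CreationTime -le $To -and
        $_.Length -ge $MinBytes -and $_.Length -le $MaxBytes
      } |
      Where-Object {   # content test last: it is the only one that reads the file
        [IO.File]::ReadAllText($_.FullName).IndexOf(
            $Marker, [StringComparison]::OrdinalIgnoreCase) -ge 0
      } |
      ForEach-Object {
        # Keep the relative path so a file can be put back if it was needed.
        $rel  = $_.FullName.Substring($rootFull.Length).TrimStart('\')
        $dest = Join-Path $Quarantine $rel
        if ($PSCmdlet.ShouldProcess($_.FullName, "move to $dest")) {
            New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
            Move-Item -LiteralPath $_.FullName -Destination $dest
        }
        # One manifest record per match, emitted with or without -WhatIf.
        New-Object PSObject -Property @{
            Path = $_.FullName; Created = $_.CreationTime; Bytes = $_.Length }
      }
}

# Constructed demo tree: two files of the same size and age, one with the marker.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('demo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path "$demo\www\site1", "$demo\q" -Force | Out-Null
Set-Content "$demo\www\site1\index.asp"   ('<% legit %>' + ('x' * 5100))
Set-Content "$demo\www\site1\default.asp" ('owned by EXAMPLE_MARKER' + ('x' * 5100))
Move-DroppedFile -Root "$demo\www" -Quarantine "$demo\q" `
    -From (Get-Date).AddMinutes(-5) -To (Get-Date).AddMinutes(5) `
    -MinBytes 5000 -MaxBytes 5300 -Marker 'EXAMPLE_MARKER' -WhatIf
```

With `-WhatIf` only default.asp is reported and nothing is moved; drop the switch to perform the move, and pipe the output to `Export-Csv` to keep a record of what was quarantined.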
