HACKED!!!! Can't delete folders

Archived from groups: microsoft.public.win2000.general (More info?)

Hello:

My W2K server running IIS 5.0 with FTP was hacked. Someone placed half a
dozen folders on the server and no matter what I do I can not delete them.
I tried taking ownership of them the normal way from Windows Explorer and
even used xcacls but still can't get control of them. Even after a reboot I
can not get a hold of them. A few of the folders have strange characters in
them and spaces at the beginning. This is what they look like:

<blank no name>
a
aa
ab
John Paul
.ÿÿ. ÿ. ÿ. .. 5.56.ÿ ÿ ÿ. ÿ. .
.ÿÿ ÿ.. 4.28.ÿÿÿÿÿ. .
.ÿÿÿÿ ÿ ÿ.. 21.57.ÿÿÿ ÿ ÿÿÿ.
.ÿ ÿÿ. ÿÿ ÿ. ÿÿ .. 23.7.ÿÿÿÿ .
.ÿÿ ÿÿ ÿ. ÿÿ. .. 2.93.ÿÿÿ. ÿÿÿ.

Does anyone know how I can blow the folders out?

Harrison Midkiff
 

From a command prompt try:

del \\.\Drive:\directory\filename
(Note: the period between \\ and \)

Also

dir /x
and try deleting them using their 8.3 short names.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Harrison Midkiff" wrote:
| Hello:
|
| My W2K server running IIS 5.0 with FTP was hacked. Someone placed half a
| dozen folders on the server and no matter what I do I can not delete them.
| I tried taking ownership of them the normal way from Windows Explorer and
| even used xcacls but still can't get control of them. Even after a reboot I
| can not get a hold of them. A few of the folders have strange characters in
| them and spaces at the beginning. This is what they look like:
|
| <blank no name>
| a
| aa
| ab
| John Paul
| .ÿÿ. ÿ. ÿ. .. 5.56.ÿ ÿ ÿ. ÿ. .
| .ÿÿ ÿ.. 4.28.ÿÿÿÿÿ. .
| .ÿÿÿÿ ÿ ÿ.. 21.57.ÿÿÿ ÿ ÿÿÿ.
| .ÿ ÿÿ. ÿÿ ÿ. ÿÿ .. 23.7.ÿÿÿÿ .
| .ÿÿ ÿÿ ÿ. ÿÿ. .. 2.93.ÿÿÿ. ÿÿÿ.
|
| Does anyone know how I can blow the folders out?
|
| Harrison Midkiff
|
|
 

rm \\.\Drive:\directory\filename if del doesn't work.

--
George Hester
_________________________________
"Dave Patrick" <mail@Nospam.DSPatrick.com> wrote in message news:OWOrIU4QFHA.580@TK2MSFTNGP15.phx.gbl...
> From a command prompt try;
>
> del \\.\Drive:\directory\filename
> (Note: the period between \\ and \)
>
> Also
>
> dir /x
> and try deleting them using their 8.3 short names.
>
> --
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
> "Harrison Midkiff" wrote:
> | Hello:
> |
> | My W2K server running IIS 5.0 with FTP was hacked. Someone placed half a
> | dozen folders on the server and no matter what I do I can not delete them.
> | I tried taking ownership of them the normal way from Windows Explorer and
> | even used xcacls but still can't get control of them. Even after a reboot I
> | can not get a hold of them. A few of the folders have strange characters in
> | them and spaces at the beginning. This is what they look like:
> |
> | <blank no name>
> | a
> | aa
> | ab
> | John Paul
> | .ÿÿ. ÿ. ÿ. .. 5.56.ÿ ÿ ÿ. ÿ. .
> | .ÿÿ ÿ.. 4.28.ÿÿÿÿÿ. .
> | .ÿÿÿÿ ÿ ÿ.. 21.57.ÿÿÿ ÿ ÿÿÿ.
> | .ÿ ÿÿ. ÿÿ ÿ. ÿÿ .. 23.7.ÿÿÿÿ .
> | .ÿÿ ÿÿ ÿ. ÿÿ. .. 2.93.ÿÿÿ. ÿÿÿ.
> |
> | Does anyone know how I can blow the folders out?
> |
> | Harrison Midkiff
> |
> |
>
>
 

Have you tried renaming the folders & then deleting them?

What is the error you get when you try to delete the files?

What user rights do you have?

Crouchie1998
BA (HONS) MCP MCSE
 

Probably access denied or not a folder or not found. This is very common for UNIX hacked Windows.

--
George Hester
_________________________________
"Crouchie1998" <crouchie1998@spamcop.net> wrote in message news:ud$ugD7QFHA.904@tk2msftngp13.phx.gbl...
> Have you tried renaming the folders & then deleting them?
>
> What is the error you get when you try to delete the files?
>
> What user rights do you have?
>
> Crouchie1998
> BA (HONS) MCP MCSE
>
>
 

How can you delete a directory with 8.3 filename?

The 3 is the extension like exe, com... Do folders have file extensions?
NO!!

Crouchie1998
BA (HONS) MCP MCSE
 

Easily. All an 8.3 file name means is that the name is restricted to 8 characters plus a three-character extension. Hence C:\Program Files in 8.3 file name format is C:\PROGRA~1. This can be seen by going to the root (C:\) at the command prompt and typing dir /x

--
George Hester
_________________________________
"Crouchie1998" <crouchie1998@spamcop.net> wrote in message news:O$fahL7QFHA.648@TK2MSFTNGP14.phx.gbl...
> How can you delete a directory with 8.3 filename?
>
> The 3 is the extension like exe, com... Do folders have file extensions?
> NO!!
>
> Crouchie1998
> BA (HONS) MCP MCSE
>
>
 

Folders can and do have 8.3 file names.


"Crouchie1998" <crouchie1998@spamcop.net> wrote in message
news:O$fahL7QFHA.648@TK2MSFTNGP14.phx.gbl...
> How can you delete a directory with 8.3 filename?
>
> The 3 is the extension like exe, com... Do folders have file extensions?
> NO!!
>
> Crouchie1998
> BA (HONS) MCP MCSE
>
>
 

Crouchie1998 wrote:
> How can you delete a directory with 8.3 filename?
>
> The 3 is the extension like exe, com... Do folders have file extensions?
> NO!!
>
> Crouchie1998
> BA (HONS) MCP MCSE
>

You claim to have an MCSE but you are so ignorant that you think
a folder name can't have an extension ?

A folder name can have any extension that the user chooses to
give it. And though .exe would be a pretty dumb extension to
tack onto the end of a folder's name, there is nothing preventing
anyone from doing so.

A few of the more common - and reasonable - cases of extensions
in folder names include
1.) .bak to indicate that a folder is a backup
2.) .old to indicate that a folder is an older version
3.) .000, .001, .002, et cetera. Typically when software tries
to create a folder but finds that name already in use, so it just
tacks on a number to differentiate the otherwise identically
named folders.
4.) .yyyymmdd, and variations thereof, where yyyy, mm, dd are
the year, month, and day of month. Often used in backup
situations to indicate the day of the backup.
 

Hi,

Thanks for posting!

I understand that you cannot delete folders resident on Windows 2000
server. If I have misunderstood your concerns, please feel free to let me
know.

The MVPs have provided you several helpful methods. Please help me know the
results of them. Additionally, I would like to provide you with the
following method for your reference:

1. Start a command prompt with start->run->cmd.exe
2. Change to the directory below the one you're trying to delete. Now run
the dir command with the /x switch. What this switch does is allow you to
see the 8.3 short filenames for these folders and files. You can then use
this short filename to rmdir your folders.

Note: for the switches, please refer to rmdir /?

For more information, please refer to the following article:
120716 How to Remove Files with Reserved Names in Windows
http://support.microsoft.com/?id=120716

315226 How to Remove Files with Reserved Names in Windows XP
http://support.microsoft.com/?id=315226

If there is anything that is unclear, please feel free to let me know.

Thanks & Regards,

Jason Tan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 

George:

You're exactly right. I just can not do much of anything with the folders.
I was able to rename them, but I still couldn't delete them. If you have
any ideas on how to delete them I am all ears....

Harrison Midkiff

"George Hester" <hesterloli@hotmail.com> wrote in message
news:O2owhq7QFHA.2932@TK2MSFTNGP09.phx.gbl...
Probably access denied or not a folder or not found. This is very common
for UNIX hacked Windows.

--
George Hester
_________________________________
"Crouchie1998" <crouchie1998@spamcop.net> wrote in message
news:ud$ugD7QFHA.904@tk2msftngp13.phx.gbl...
> Have you tried renaming the folders & then deleting them?
>
> What is the error you get when you try to delete the files?
>
> What user rights do you have?
>
> Crouchie1998
> BA (HONS) MCP MCSE
>
>
 

A different issue. While logged on as local administrator
Explorer|"folder"|File|Properties|Security|Advanced|Owner and take
ownership.

--
Regards,
Dave

-------------
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Harrison Midkiff" wrote:
| George:
|
| You're exactly right. I just can not do much of anything with the folders.
| I was able to rename them, but I still couldn't delete them. If you have
| any ideas on how to delete them I am all ears....
|
| Harrison Midkiff
 

That was one of the first things I tried. It seems that there are hidden
folders down inside the hierarchy and I can not replicate my permissions
down. I tried xcacls which usually will force its permissions on just about
anything but it fails as well.

I have been looking for a method to just blow out the folder completely.
Any ideas?

Harrison Midkiff

"Dave Patrick" <mail@Nospam.DSPatrick.com> wrote in message
news:O33dkYBRFHA.204@TK2MSFTNGP15.phx.gbl...
>A different issue. While logged on as local administrator
> Explorer|"folder"|File|Properties|Security|Advanced|Owner and take
> ownership.
>
> --
> Regards,
> Dave
>
> -------------
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
> "Harrison Midkiff" wrote:
> | George:
> |
> | You're exactly right. I just can not do much of anything with the folders.
> | I was able to rename them, but I still couldn't delete them. If you have
> | any ideas on how to delete them I am all ears....
> |
> | Harrison Midkiff
>
>
 

Try copying XCACLS to the root FTP folder in question and run;

XCACLS *.* /t > D:\perms.txt

Then look in perms.txt

--
Regards,
Dave

-------------
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Harrison Midkiff" wrote:
| That was one of the first things I tried. It seems that there are hidden
| folders down inside the hierarchy and I can not replicate my permissions
| down. I tried xcacls which usually will force its permissions on just about
| anything but it fails as well.
|
| I have been looking for a method to just blow out the folder completely.
| Any ideas?
|
| Harrison Midkiff
 

Jason, this issue is folders with leading spaces and other characters that are invalid for Win32. It's a common tactic for these hackers.

--
George Hester
_________________________________
"Jason Tan (MSFT)" <v-jasont@online.microsoft.com> wrote in message news:hHNJCt#QFHA.1560@TK2MSFTNGXA02.phx.gbl...
> Hi,
>
> Thanks for posting!
>
> I understand that you cannot delete folders resident on Windows 2000
> server. If I have misunderstood your concerns, please feel free to let me
> know.
>
> The MVPs have provided you several helpful methods. Please help me know the
> results of them. Additionally, I would like to provide you with the
> following method for your reference:
>
> 1. Start a command prompt with start->run->cmd.exe
> 2. Change to the directory below the one you're trying to delete. Now run
> the dir command with the /x switch. What this switch does is allow you to
> see the 8.3 short filenames for these folders and files. You can then use
> this short filename to rmdir your folders.
>
> Note: for the switches, please refer to rmdir /?
>
> For more information, please refer to the following article:
> 120716 How to Remove Files with Reserved Names in Windows
> http://support.microsoft.com/?id=120716
>
> 315226 How to Remove Files with Reserved Names in Windows XP
> http://support.microsoft.com/?id=315226
>
> If there is anything that is unclear, please feel free to let me know.
>
> Thanks & Regards,
>
> Jason Tan
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
 

Jason Tan gave you the links and I believe Dave gave you the actual command earlier. You have trailing spaces and this is your issue. Hence when you try to use Dave's command you must know exactly how the folder is written, including the spaces, and you enclose that all in "". I don't think 8.3 filenames will work here but you can try. But to make a long story short, remove anonymous write to your system and/or remove ALL permissions to tftp.exe located in system32. Remember that to install a Service Pack you will have to re-enable its permissions first. Small price to pay to avoid what you are dealing with.

--
George Hester
_________________________________
"Harrison Midkiff" <HMidkiff@aviinc.com> wrote in message news:#rCWeJDRFHA.612@TK2MSFTNGP14.phx.gbl...
> That was one of the first things I tried. It seems that there are hidden
> folders down inside the hierarchy and I can not replicate my permissions
> down. I tried xcacls which usually will force its permissions on just about
> anything but it fails as well.
>
> I have been looking for a method to just blow out the folder completely.
> Any ideas?
>
> Harrison Midkiff
>
> "Dave Patrick" <mail@Nospam.DSPatrick.com> wrote in message
> news:O33dkYBRFHA.204@TK2MSFTNGP15.phx.gbl...
> >A different issue. While logged on as local administrator
> > Explorer|"folder"|File|Properties|Security|Advanced|Owner and take
> > ownership.
> >
> > --
> > Regards,
> > Dave
> >
> > -------------
> > Dave Patrick ....Please no email replies - reply in newsgroup.
> > Microsoft Certified Professional
> > Microsoft MVP [Windows]
> > http://www.microsoft.com/protect
> >
> > "Harrison Midkiff" wrote:
> > | George:
> > |
> > | You're exactly right. I just can not do much of anything with the folders.
> > | I was able to rename them, but I still couldn't delete them. If you have
> > | any ideas on how to delete them I am all ears....
> > |
> > | Harrison Midkiff
> >
> >
>
>
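The three approaches in this thread (Dave's \\.\ prefix, Jason's dir /x plus rmdir, and George's point that the names have to be typed with their exact leading and trailing spaces inside quotes) all rest on the same fact: Win32 path normalisation strips trailing spaces and dots before a path reaches NTFS, so the name Explorer shows is not the name stored on disk, and the delete comes back "not found" or "access denied". The following is an added example, not code from any poster in this thread. It scans a directory listing for names a normal Win32 delete cannot address, says why, and builds the \\?\-prefixed rd command that reaches each one (\\?\ is the file-namespace counterpart of the \\.\ device prefix Dave used). The listing is constructed after the names in Harrison's post; the drive letter and FTP root path are assumptions.

```python
r"""Find folder names that a normal Win32 delete cannot reach, and build the
\\?\-prefixed rd command that can.

Added example for this thread, not code from any poster. The sample listing
is constructed after the names in Harrison's post; the drive letter and FTP
root are assumptions.
"""

# Characters Win32 refuses in a path component, plus ASCII control characters.
INVALID_CHARS = set('<>:"/\\|?*') | {chr(c) for c in range(32)}

# Legacy DOS device names. "aux", "AUX.txt" and "aux " all open the device,
# so a folder named this way is unreachable by name through Win32.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def win32_problems(name):
    r"""Return a tuple of reasons why `name` cannot be addressed through a
    normal (non-\\?\) Win32 path. An empty tuple means the name is ordinary.

    Win32 normalisation silently strips trailing spaces and dots before the
    path reaches NTFS, so a folder stored as "John Paul " is opened as
    "John Paul", which does not exist: hence "not found" on delete. Leading
    spaces survive normalisation but are invisible in Explorer.
    """
    reasons = []
    if name == "":
        reasons.append("empty name")
    if name and name != name.rstrip(" ."):
        reasons.append("trailing space or dot (stripped by Win32 normalisation)")
    if name.startswith(" "):
        reasons.append("leading space (invisible in Explorer)")
    if any(c in INVALID_CHARS for c in name):
        reasons.append("character invalid in Win32 names")
    # Device names match on the stem only, case-insensitively, extension ignored.
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    if stem in RESERVED_DEVICES:
        reasons.append("reserved device name")
    return tuple(reasons)


def rmdir_command(drive_root, name):
    r"""Build the cmd.exe command that removes folder `name` under `drive_root`
    through the \\?\ prefix, which makes Win32 hand the path to NTFS verbatim
    (the file-namespace counterpart of the \\.\ prefix in Dave's post).

    Quoting is mandatory: without it cmd.exe would drop the very leading and
    trailing spaces the command depends on. Returns None for an empty name,
    because "\\?\D:\ftproot\" with nothing after the last backslash names the
    parent folder itself and rd /s would wipe it; that case needs the 8.3
    alias from dir /x instead.
    """
    if name == "":
        return None
    root = drive_root.rstrip("\\")
    return f'rd /s /q "\\\\?\\{root}\\{name}"'


def scan(listing, drive_root):
    r"""Return {name: (reasons, command)} for every entry a normal delete
    would miss, where command is the \\?\ rd line or None if none is safe."""
    findings = {}
    for name in listing:
        reasons = win32_problems(name)
        if reasons:
            findings[name] = (reasons, rmdir_command(drive_root, name))
    return findings


# Constructed listing modelled on Harrison's post: an FTP client wrote folder
# names with leading/trailing spaces and dots that Explorer cannot show.
SAMPLE_LISTING = [
    " ",                                   # shows as the "<blank no name>" folder
    "a",
    "aa ",
    "ab",
    "John Paul ",
    ".ÿÿ. ÿ. ÿ. .. 5.56.ÿ ÿ ÿ. ÿ. .",
    "com1",
    "normal_folder",
]

if __name__ == "__main__":
    # Assumed FTP root; substitute the real one.
    for name, (reasons, cmd) in scan(SAMPLE_LISTING, "D:\\ftproot").items():
        print(repr(name))
        for r in reasons:
            print("   -", r)
        print("   ", cmd if cmd else "use dir /x and rd the 8.3 alias")
```

Run it against the output of a plain dir of the FTP root (names copied exactly, quotes and all) and it separates the folders that were created through FTP with names Win32 cannot spell from the ordinary ones, which is also a cheap way to confirm that a cleanup got everything.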