
05-23-2002, 01:21 AM
FTP site hacked, can't delete files
My FTP server was hacked by a warez group and now there are files there that I cannot delete. I'm on a win2ksvr (no flames please) with HC1.4. There are also folders named com1, com2, aux, lpt1. I cannot delete these files.
1. How can I delete these files?
I tried stopping the service, then deleting them. That did not work.
2. Anyone know what I can do to keep from getting hacked again? I am disabling the anonymous ftp. Anything else?
Help?
Umpire

05-23-2002, 01:54 AM
How was it hacked? Was anonftp enabled? Turn that off first and then check the permissions on those files or have your system admin remove them for you.

05-23-2002, 02:01 AM
Well....
I've never seen how to get rid of the com1/null/com2/etc dirs... I don't even think it's possible at the Windows level...
You might try renaming them....
I'm having a guy I know look up how to get rid of them now... He still makes a lot of pubs that way, so maybe he knows how to get rid of them....

05-23-2002, 02:44 AM
<Prohacker>
One thing to say...If this works, U DA MAN!
Thanks for the info. I'll let everyone know if it works.
umpire

05-24-2002, 06:34 PM
I've tried their solutions, including the RML file. It isn't working. I've also tried the DEL //./C method as well, as described in the Microsoft KB.
Anyone have other ideas? I am rebooting the server and trying these again.
stuff with bad files...help?
umpire

05-24-2002, 07:06 PM
If they were normal locked dirs, I could help, but the com1, com2, aux, lpt1 are a whole different race. I did once find a tutorial on how to delete them, but every method mentioned in that tutorial failed. I would love to hear if anybody knows a method that works to remove these, just out of common interest.
I'd suggest you never use anonymous FTP again. Believe me, it's asking for trouble. With all the free hosts' efforts to reduce warez storage, the warez world is now looking for FTPs they can access more than ever.

05-24-2002, 07:15 PM
http://groups.google.com/groups?q="delete+com1"&hl=en&lr=&safe=off&selm=MPG.1576da61ec8560409896c2@news.powernet.co.uk&rnum=3
Someone else had the same problem?

05-24-2002, 08:24 PM
Thanks, will try this next week.
I'll post my results.
umpire

05-26-2002, 12:19 PM
Filesystem type ... ?
Were the directories involved on an NTFS filesystem or a FAT filesystem?
If it was FAT, you can create a normal 'DOS' bootdisk and try to 'del' the files/directories that way.
Did you try something like Norton tools?
Dan
__________________
Dan Esparza
CagedTornado web services

05-26-2002, 12:45 PM
Problem is, com1 directories are reserved words... you usually cannot create them, unless you place something after it... e.g.
mkdir com1/blahblahblah/
If you do "cd com1" , you can't enter it, but when you do a "cd com1/blahblahblah/" it works... so you will have to know what's after it...
This is often done by hacker groups to prevent stealing FTP servers from each other, and to make sure only their group can find the files (since they do know what's behind the com1/) ...
Most likely, you had write enabled for Anonymous users, which is a very stupid thing to do (obviously) . If you drop write access for Anonymous users, it should be fixed, but best of all is simply disabling the whole Anonymous login if you're not using it...
__________________
Leon Mergen
leon@antrophia.com
http://www.antrophia.com/

05-26-2002, 01:03 PM
If there is nothing else in that directory, try del *.* from the DOS prompt in that directory. If the FTP root where all these directories were created was something like c:\ftproot, go back to the c:\ prompt and try deltree ftproot /y and hopefully that'll take care of it

05-29-2002, 03:17 PM
UPDATE:
Tried the following without success. (Access denied)
failed - microsoft KB article
failed - del //./c/inetpub/ftproot /s
failed - del //?/c/... /s
failed - del //server/C$/... /s
failed - del *.* /s
failed - del ftproot /s
also tried rd, rmdir
deltree is not on the system, but rd and rmdir should be the replacement.
Note1:
The problem seems to be that the other directories have com1 in them. There are two com1 and com2 folders. One is simply com1, the other is "com 1" or com1~1. The prn and aux folders also cannot be deleted.
Note2:
removed anonymous access
All files are +rwx for everyone
Admin took ownership of the files/folders
Any other ideas?
umpire

11-09-2004, 08:38 AM
Hi guys,
Just had an entertaining day removing all traces of tagging from an open Win 2K - running IIS 5.
Needless to say the server is no longer open... here are the steps I went through.
downloaded takeown.exe
from: www dynawell com/support/reskit/win2k.asp (can't add a URL in a first post - you'll need to add the dots)
(unzip and copy into Winnt directory)
make sure you are logged in as the admin for this...
open a command prompt (type cmd from start/run and hit enter)
Change Directory to your ftproot folder (eg cd \inet*\ftp*)
1) dir /x (hit enter - this shows the list of folders with the 8.3 format)
(you'll see the offending folders with names like 0202~1)
using 0202~1 as the example type:
takeown 0202~1 (hit enter - and if all goes well you should see)
Successful, protection removed
2) cd 0202~1 (hit enter)
3) dir /x
4) takeown 0202~1
(basically repeat the steps until you find the last directory)
(our eg C:\Inetpub\ftproot\0202~1\0202~1\0202~1\0202~1\0202~1\com1)
this is where I hit a snag - takeown worked on the folder named com1 - but I couldn't change into the directory as it's a reserved name. None of the rd \\.\C:\...... /S /Q or rm -rd commands worked - which suggested to me there were more folders under the com1 folder that had had their ownerships changed.
next try to change the folder name of the com1 folder
rename \\.\c:\inetpub\ftproot1\0202~1\0202~1\0202~1\0202~1\0202~1\com1 test
takeown test
repeat steps above to find the last folder - in my case only one folder more...
c:\inetpub\ftproot1\0202~1\0202~1\0202~1\0202~1\0202~1\test\1111
takeown on that...
then type
cd \inet*\ftp*
rd 0202~1 /S /Q (this will only work when all folders have had the ownership replaced)
dir /x (0202~1 no longer there)
just repeat for multiple tags... the machine I was fixing had been tagged 5 times...
hope this helps...
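The reserved-name trick Leon describes (a directory named com1 or aux that a plain path cannot address) and the \\.\ / \\?\ device-path workaround used in the cleanup steps above, as an added Python example that is not code from any poster in this thread. It flags directory entries whose components collide with a DOS device name and builds the \\?\ form of the path that Win32 will accept for takeown/rd; the function names, the sample root and the listing are constructed for illustration, and the delete helper is assumed to be run on Windows only.

```python
import re
import shutil
from typing import Iterable, List

# DOS device names that Win32 never treats as ordinary file names. A directory
# called com1 or aux can still be created through a path like com1\x (the trick
# Leon describes), but a plain "cd com1" or "rd com1" addresses the device, which
# is why the posters above could not remove them.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}

def is_reserved_name(name: str) -> bool:
    """True if a single path component collides with a device name. Win32 also
    ignores a trailing extension ('COM1.txt') and trailing spaces ('lpt1 ')."""
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED

def device_path(path: str) -> str:
    r"""Return the \\?\ form of an absolute Windows path. With that prefix Win32
    skips device-name and 8.3 parsing, so rd, takeown or rmtree can reach com1."""
    path = path.replace("/", "\\")
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):                 # UNC share, e.g. \\server\C$\ftproot
        return "\\\\?\\UNC\\" + path[2:]
    if not re.match(r"^[A-Za-z]:\\", path):
        raise ValueError("absolute drive-letter path required: %r" % path)
    return "\\\\?\\" + path

def find_reserved_entries(root: str, listing: Iterable[str]) -> List[str]:
    r"""Map each relative entry that contains a reserved component to its \\?\ path."""
    hits = []
    for rel in listing:
        rel = rel.replace("/", "\\")
        if any(is_reserved_name(part) for part in rel.split("\\")):
            hits.append(device_path(root.rstrip("\\/") + "\\" + rel))
    return hits

def remove_entry(path: str) -> None:
    r"""Windows-only (assumed): delete through the \\?\ path once ownership and ACLs
    allow it, the same order as takeown followed by rd /S /Q in the post above."""
    shutil.rmtree(device_path(path))

# Constructed sample listing, modelled on the nesting described in the thread.
SAMPLE_ROOT = "C:\\Inetpub\\ftproot"
SAMPLE_LISTING = ["pub\\readme.txt", "0202~1\\0202~1\\com1", "0202~1\\aux\\1111", "COM1.txt"]
```

Running `find_reserved_entries(SAMPLE_ROOT, SAMPLE_LISTING)` reports the three entries a plain path cannot reach; `com1~1`-style short names are not flagged, since they are the 8.3 alias of a legal name such as "com 1" and can be deleted by that alias.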