Thank you to everyone who gave such great suggestions and advice. What ended up working was using DIR /X in the directory and then rmdir deleted all but one folder that has a file size of 0 bytes. It would be nice to get rid of this folder, but we can live with this solution until we can FDISK the machine.

Thanks again and Happy New Years!

Adam

-----Original Message-----
From: Andrew Plato [mailto:aplato@private]
Sent: Monday, December 31, 2001 1:32 PM
To: Adam Lipson
Cc: crime@private
Subject: RE: CRIME hacked web server question

Windows machines - properly configured - can be very secure and safe. The problem is not the software, it's that the "out of the box" configuration is weak. A properly hardened Win2K box can be very secure.

You can delete these files using NTFS. You need to delete it using its "short name". Try using the command DIR /X in the directory where the file is located to get its "short name" which will be something like "~1, see http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q101654

Then delete the directory using the short name

C:\del "~1

You can also boot into the recovery console and work from there.

However, before you put the machine live, I would recommend a full backup, a thorough vulnerability scan, virus scan, and disk cleaning (defrag, clean out all the free space, etc.)

If you do FDISK it, make sure to harden up your FTP services if possible.

Good luck.

------------------------------------
Andrew Plato
President / Principal Consultant
Anitian Corporation
(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
Yahoo Messenger: Anitian
------------------------------------

> -----Original Message-----
> From: Crispin Cowan [mailto:crispin@private]
> Sent: Monday, December 31, 2001 12:32 PM
> To: Adam Lipson
> Cc: 'crime@private'
> Subject: Re: CRIME hacked web server question
>
>
> Unless you have an expert in security forensics, I would recommend that
> you fdisk that machine and restore from backup. Unless you were running
> something like tripwire and have a complete picture of the machine in a
> known-clean state, you have no way of knowing what back doors and
> trojans the attacker may have installed.
>
> And while you're fdisk'ing, dump IIS/Windows and get a real OS ;-) Yes,
> I understand the business reasons why people choose to use windows. I
> also understand that most of the people who make those high level
> decisions aren't really aware of the hidden costs they impose on
> themselves when they do that.
>
> Crispin
>
> Adam Lipson wrote:
>
> >I have had someone come thru and post about 3gb of files on a webserver
> >running fully patched IIS and only port 80 and ftp allowed to access it.
> >The problem is the folders containing the files are named like ". tagged
> >for nwa" and can't be deleted by windows/dos. Does anyone know how to
> >delete these folders as I presume this may have happened to someone else on
> >the list.
> >
> >Thanks and happy new years!
> >Adam
> >
>
> --
> Crispin Cowan, Ph.D.
> Chief Scientist, WireX Communications, Inc. http://wirex.com
> Security Hardened Linux Distribution: http://immunix.org
> Available for purchase: http://wirex.com/Products/Immunix/purchase.html
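The thread's fix (DIR /X to learn the 8.3 short name, then rmdir on that name) works only while 8.3 names exist for the folder, which is why one 0-byte folder was left behind. The following PowerShell script is an added example written for this page, not code from any poster: it inventories directories under a web root whose names break normal Win32 path rules (leading or trailing dot or space, reserved device names such as CON or NUL), reports each one's short name and creation time for the incident record, and, only when -Remove is given, deletes it through the `\\?\` verbatim-path prefix, which makes the Win32 layer pass the odd name through unchanged instead of normalising it. The script name, parameter names and the sample path are assumptions; it uses the Scripting.FileSystemObject COM object and cmd.exe's rd, both of which ship with Windows.

```powershell
# Find-OddNames.ps1 (hypothetical name) - added example, not from the thread.
# Lists, and optionally removes, directories whose names cannot be addressed
# through ordinary Win32 paths. Dry run by default; pass -Remove to delete.
#
#   .\Find-OddNames.ps1 -WebRoot C:\inetpub\wwwroot            # report only
#   .\Find-OddNames.ps1 -WebRoot C:\inetpub\wwwroot -Remove    # delete them
param(
    [Parameter(Mandatory)][string]$WebRoot,   # e.g. C:\inetpub\wwwroot (assumed path)
    [switch]$Remove
)

# FileSystemObject enumerates with the raw NTFS names, so ". tagged for nwa"
# comes back exactly as stored, together with its 8.3 ShortName (or the long
# name again if 8.3 name generation was disabled on the volume).
$fso    = New-Object -ComObject Scripting.FileSystemObject
$parent = $fso.GetFolder($WebRoot)

# NTFS accepts these names; the Win32 API that cmd.exe and Explorer go
# through rejects or silently trims them, which is why plain rmdir fails.
$reserved = '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$'
function Test-OddName([string]$Name) {
    return ($Name -match '^[ .]' -or $Name -match '[ .]$' -or $Name -match $reserved)
}

foreach ($sub in $parent.SubFolders) {
    if (-not (Test-OddName $sub.Name)) { continue }

    # Emit an inventory record first so the evidence is on file before any
    # deletion; Size walks the tree and is what told the poster one folder was 0 bytes.
    [pscustomobject]@{
        Name      = $sub.Name
        ShortName = $sub.ShortName
        Bytes     = $sub.Size
        Created   = $sub.DateCreated
        Path      = $sub.Path
    }

    if ($Remove) {
        # \\?\ disables Win32 path normalisation, so the trailing space/dot
        # survives and RemoveDirectory sees the real name. rd /s /q removes the
        # whole tree without prompting: take the full backup the thread
        # recommends before running with -Remove.
        $literal = '\\?\' + $sub.Path
        cmd /c rd /s /q "$literal"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "rd failed for '$($sub.Name)' (exit $LASTEXITCODE); try the recovery console."
        }
    }
}
```

Run it without -Remove first and keep the output with the incident notes: a cluster of such folders appearing at the same time under an FTP-writable web root is the artefact Adam saw, and the creation timestamps bound when the write access was abused. As Crispin's reply points out, removing the dropped files does not tell you what else was changed, so the inventory is input to the rebuild decision rather than a substitute for it.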
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:38:12 PDT