Re: MS IIS 5 server is hacked leaving undeletable folders and files

From: Duncan Hill (sf-incidentsat_private)
Date: Thu Jan 02 2003 - 09:39:09 PST


    On Tue, Dec 31, 2002 at 11:05:27AM -0600, Don Phillipe wrote:
    > time to time I forget and leave this open (I know this is stupid but I
    > thought I could just erase anything that was put there because the small
    > drive would fill up real soon).  However, I see someone has hacked into my
    > server and put a bunch of trash that I cannot delete because when I try to
    > 
    > 06:38:24 80.11.214.63 [1]sent
    > /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg%
    > d%D+/divx/rpc-acb.043 550
    
    Windows doesn't like to remove files called aux (and other device file names).
    
    As I recall, you need the POSIX tools or similar to be able to remove directories
    that share the same name as a device in Windows.  The Cygwin tools may be able
    to do it as well, but I don't remember.
    
    Google, as always, is your friend:
    http://www.experts-exchange.com/Operating_Systems/Q_20302910.html
    
    Begin quote:
    This MS KB article may help
    
    BEGIN ARTICLE
    
    How to Remove Files with Reserved Names in Windows (Q120716)
    
    --------------------------------------------------------------------------------
    The information in this article applies to:
    
    
    Microsoft Windows 2000 , Professional
    Microsoft Windows 2000 , Server
    Microsoft Windows 2000 , Advanced Server
    Microsoft Windows 2000 , Datacenter Server
    Microsoft Windows NT Server versions 3.1 , 3.5 , 3.51 , 4.0
    Microsoft Windows NT Workstation versions 3.1 , 3.5 , 3.51 , 4.0
    Microsoft Windows NT Advanced Server
    --------------------------------------------------------------------------------
    
    SUMMARY
    Because applications control the policy for creating files in Windows, files
    sometimes are created with illegal or reserved names, such as LPT1 or PRN.
    This article explains how to delete such files using the standard user
    interface.
    
    .
    .
    .
    .
    
    Additional Query Words 3.10 prodnt CON PRN AUX CLOCK$ NUL COM1 LPT1 LPT2
    LPT3 COM2 COM3 COM4 winnt  
    End quote.
    
    -- 
    
    Sapere aude
    My mind not only wanders, it sometimes leaves completely.
    Never attribute to malice that which can be adequately explained by stupidity.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
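
    The two points in the reply above, spotting device names in the logged
    upload path and then removing the entries, as an added worked example.
    This is not code from the original post or from the Microsoft article it
    quotes. It assumes: the reserved-name set is the documented Win32 list
    (CON, PRN, AUX, NUL, COM1-9, LPT1-9) plus CLOCK$ from the KB article's
    query words; the '+' in the IIS log's URI field encodes a space, so the
    logged 'com3+' is a directory literally named 'com3 '; and the \\?\ path
    prefix (the same idea as the \\.\ form in Q120716) makes the Win32 layer
    hand the name to NTFS without mapping it to a device or trimming the
    trailing space. The path under C:\Inetpub is constructed for illustration.

```python
r"""Reserved Win32 device names in an IIS upload path: find them in the
logged URI, then remove the resulting entries through the \\?\ prefix.

Added example for this thread, not code from the original post.
Assumptions: RESERVED is the documented Win32 set plus CLOCK$ (from
KB Q120716); IIS W3C logs write a space in the URI as '+'; the \\?\
prefix bypasses Win32 device-name mapping and trailing-space trimming.
"""
import os
import re
import shutil
from urllib.parse import unquote_plus

# Names the Win32 layer maps to devices whatever the directory or extension.
RESERVED = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# The upload path from the log line quoted in the thread, rejoined from
# its two wrapped lines.
SAMPLE_URI = (
    "/upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/"
    "%15%20%+by+Lorg%d%D+/divx/rpc-acb.043"
)


def is_reserved_name(component: str) -> bool:
    """True if Win32 would treat this single path component as a device.

    The comparison is case-insensitive, ignores everything from the first
    '.' onward (so 'aux.txt' is still AUX) and ignores trailing spaces and
    dots, which Win32 strips before the lookup.
    """
    base = component.split(".", 1)[0].rstrip(" .")
    return base.upper() in RESERVED


def reserved_components(uri: str) -> list[str]:
    """Decode a logged URI and return the components that are device names."""
    decoded = unquote_plus(uri)  # '+' -> ' ', %XX -> byte, bad escapes kept
    return [c for c in decoded.split("/") if c and is_reserved_name(c)]


def win32_extended_path(path: str) -> str:
    r"""Prefix an absolute drive path with \\?\ (extended-length form).

    With this prefix CreateFile/DeleteFile skip the normalisation that
    turns 'aux' into the AUX device and strips trailing spaces, so the
    on-disk entry can be addressed.  Backslashes only: the prefix also
    disables '/' conversion.
    """
    if path.startswith("\\\\?\\"):
        return path
    if not re.match(r"^[A-Za-z]:\\", path) or "/" in path:
        raise ValueError("need an absolute drive path written with backslashes")
    return "\\\\?\\" + path


def remove_reserved(path: str) -> None:
    r"""Delete a file or directory tree whose name is a reserved device name.

    Only meaningful on Windows; elsewhere the names are ordinary.
    The cmd.exe equivalents are:
        del \\.\C:\Inetpub\wwwroot\upload\aux
        rd /s /q "\\?\C:\Inetpub\wwwroot\upload\com3 "
    """
    if os.name != "nt":
        raise OSError("reserved-name deletion only applies on Windows")
    ext = win32_extended_path(path)
    if os.path.isdir(ext):
        shutil.rmtree(ext)
    else:
        os.remove(ext)


if __name__ == "__main__":
    print("device names in logged path:", reserved_components(SAMPLE_URI))
    # Constructed path; the real web root is wherever /upload maps to.
    print(win32_extended_path("C:\\Inetpub\\wwwroot\\upload\\aux"))
```

    The same is_reserved_name() check belongs in front of any upload
    handler on Windows: rejecting these names before they are written is
    what stops the directory from being created in the first place.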
    



    This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:50:12 PST