Well, I have had this same problem, but I was able to solve it using the RMDIR method... the trick is, you cannot use recursive delete! You have to walk down the tree... i.e., if your path looks like the following:

"c:\Upload\lpt9\ \com0\aux\ \"

you have to delete the " " directory, then the "aux" directory, then the "com0" directory, and so on... This ends up being a VERY time consuming process, and I am working on a batch script to automate it... will let you know when it is done. Until then, don't allow Anon FTP :)

Nick Jacobsen
Ethics Design
nickat_private

----- Original Message -----
From: "Don Phillipe" <donphillipeat_private>
To: <incidentsat_private>
Sent: Friday, January 03, 2003 12:00 PM
Subject: Thanks everyone! RE: MS IIS 5 server is hacked leaving undeletable folders and files

Thank you everyone! What an overwhelming response this team has provided me. I received over 40 answers to my query and I would like to thank everyone for your kindly provided time to resolve this. Below is an outline of the progression and a brief response to some of the answers I received.

I do see now that I neglected to state that the volume was NTFS, so that may have been the reason I received so many answers regarding how to delete the file with DOS (which didn't work, received "access denied"). The information about a security tab missing could have been misleading, but in reality it was from the hacker directories; and although I have limited experience, I am not sure how a hacker can create NTFS directories without one, but it happened for sure.
In brief:

- most said to use DOS to delete (received "access denied")
- many pointed to MS document on how to delete (did not have access to RM.EXE from resource kit and the RMDIR \\.\D:temp\UPLOAD /s also failed with "access denied")
- tried to FTP back into myself to delete the directory (received "access denied")
- one suggested to run Norton Utilities to fix (could not get Norton to install since it is a "server")
- one pointed to in-depth MS Knowledge base and asked how long I looked (none of MS tips worked either)

Note: I am not sure what I did wrong with my search argument during this and past times, but most "tips" I find from these pages are found from Google and the same search on MS search engine produces nothing. However, I do feel obligated to answer this question, I looked about 14 hours (enough for my wife to get really mad for missing some of Christmas with the in-laws ;-)) but the biggest problem was not knowing what kind of "illness" I had. (I know much more now, thanks to everyone here.)

- since I was able to stop all applications using this virtual drive, I finally gave up, formatted and restored from last backup
- still trying to figure out if I should go for a complete system re-install but plan to watch it and the logs for the next weeks (thank goodness for the noisy hard drive and flashing lights on my hub that alerted me to the "violation" in the first place)

Again, thanks to you all and have a prosperous new year!!!

Don

-----Original Message-----
From: Don Phillipe [mailto:donphillipeat_private]
Sent: Tuesday, December 31, 2002 11:05 AM
To: 'incidentsat_private'
Subject: MS IIS 5 server is hacked leaving undeletable folders and files

I have a small server I use for my home business and use it mainly for anyone who needs to send a large file that will not go through email. I have an anonymous UPLOAD FTP account that I open up to receive these.
From time to time I forget and leave this open (I know this is stupid but I thought I could just erase anything that was put there because the small drive would fill up real soon). However, I see someone has hacked into my server and put a bunch of trash that I cannot delete because when I try to delete it, Windows 2K says "cannot find the specified file". I have spent 2 days researching this and cannot find any reference of how to correct this. I did find some reference to looking at the security tab for these files but the security tab is missing! I found some tools which are supposed to set owners for files and they don't work on these files.

Here is the log from where the hacker attacked below. Any help would be appreciated. I don't want to have to rebuild my server if possible:

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-12-30 06:38:21
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:38:21 80.11.214.63 [1]USER anonymous 331
06:38:21 80.11.214.63 [1]PASS anonymousat_private 230
06:38:24 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg% d%D+/divx/rpc-acb.043 550
06:54:31 80.11.214.63 [1]created rpc-acb.043 226
06:54:32 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg% d%D+/divx/rpc-acb.044 550
07:10:38 80.11.214.63 [1]created rpc-acb.044 226

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
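Nick's walk-down-the-tree deletion and the reserved-name paths in Don's FTP log, as one added Python example; this is not code from the thread, from Microsoft or from any tool mentioned in it. It relies on the Win32 rules for reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9) and on the documented \\?\ prefix that makes Win32 pass a path to NTFS verbatim instead of mapping "aux" to a device or stripping a trailing space; treating COM0/LPT0 as reserved is my assumption prompted by Nick's example path. The sample log lines are the ones quoted in Don's report plus one constructed benign line, and the sample directory tree is Nick's "c:\Upload\lpt9\ \com0\aux\ \" layout built in a temporary directory.

```python
r"""Added example (not code from the thread or Microsoft): flag reserved-name
paths in an IIS 5 FTP log and remove such trees bottom-up via \\?\ paths."""
import os
import tempfile
from urllib.parse import unquote

# Win32 reserved device names. COM0/LPT0 are not in Microsoft's list but occur
# in Nick's example path, so they are included as a conservative assumption.
RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL"}
RESERVED_NAMES |= {f"COM{i}" for i in range(10)} | {f"LPT{i}" for i in range(10)}

def is_unaddressable(component: str) -> bool:
    """True if a path component cannot be opened by a plain Win32 path."""
    base = component.split(".", 1)[0].strip()  # "aux.txt" still names AUX
    if base.upper() in RESERVED_NAMES:
        return True
    if component.strip() == "" or component != component.rstrip(" ."):
        return True  # empty/all blank, or a trailing space/dot Win32 would strip
    return any(ord(ch) < 32 for ch in component)  # control characters

def scan_ftp_log(lines):
    """Return W3C extended log records whose cs-uri-stem has an unaddressable
    component. The URI is taken as everything between the fields before and
    after it, so a URI holding a literal space (as in the quoted log) parses."""
    fields, hits = None, []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if "cs-uri-stem" not in fields or len(parts) < len(fields):
            continue
        uri_idx = fields.index("cs-uri-stem")
        trailing = len(fields) - uri_idx - 1
        uri = " ".join(parts[uri_idx:len(parts) - trailing])
        # IIS logs spaces as "+" and other bytes as %XX, as in a URL.
        components = [unquote(c.replace("+", " ")) for c in uri.split("/") if c]
        flagged = [c for c in components if is_unaddressable(c)]
        if flagged:
            record = dict(zip(fields[:uri_idx], parts[:uri_idx]))
            record.update(zip(fields[uri_idx + 1:], parts[len(parts) - trailing:]))
            record["cs-uri-stem"], record["flagged"] = uri, flagged
            hits.append(record)
    return hits

def verbatim_path(path: str) -> str:
    r"""On Windows, add the \\?\ prefix so Win32 hands the path to NTFS verbatim
    (no device-name mapping, no stripping of trailing spaces); else unchanged."""
    if os.name == "nt" and not path.startswith("\\\\?\\"):
        return "\\\\?\\" + os.path.abspath(path)
    return path

def remove_tree_bottom_up(root: str, dry_run: bool = False) -> list:
    """Remove every entry under root, then root, deepest first and one at a
    time (Nick's procedure). Returns the paths in removal order."""
    root = verbatim_path(root)
    removed = []
    for dirpath, _subdirs, filenames in os.walk(root, topdown=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not dry_run:
                os.remove(path)
            removed.append(path)
        if not dry_run:
            os.rmdir(dirpath)  # its subdirectories went on earlier iterations
        removed.append(dirpath)
    return removed

# Sample input: the log lines quoted in Don's report plus one constructed benign line.
SAMPLE_LOG = [
    "#Fields: time c-ip cs-method cs-uri-stem sc-status",
    "06:38:21 80.11.214.63 [1]USER anonymous 331",
    "06:38:24 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+"
    "/f/.GR+/h/aux+/j/%15%20%+by+Lorg% d%D+/divx/rpc-acb.043 550",
    "06:54:31 80.11.214.63 [1]created rpc-acb.043 226",
    "07:15:02 192.0.2.10 [2]sent /upload/report.pdf 226",  # constructed, benign
]

def build_sample_tree(base: str) -> str:
    """Create Nick's example tree lpt9/ /com0/aux/ / under base, with one file."""
    top = os.path.join(base, "lpt9")
    leaf = os.path.join(verbatim_path(top), " ", "com0", "aux", " ")
    os.makedirs(leaf)
    with open(os.path.join(leaf, "rpc-acb.043"), "w") as fh:
        fh.write("constructed placeholder\n")
    return top

def demo_cleanup():
    """Build the sample tree in a temp dir, plan, remove, and report the result."""
    base = tempfile.mkdtemp()
    top = build_sample_tree(base)
    plan = remove_tree_bottom_up(top, dry_run=True)
    removed = remove_tree_bottom_up(top)
    gone = not os.path.exists(verbatim_path(top))
    os.rmdir(base)
    return plan, removed, gone

if __name__ == "__main__":
    for hit in scan_ftp_log(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], hit["sc-status"], hit["flagged"])
    _, removed, gone = demo_cleanup()
    print("removed:", removed, "tree gone:", gone)
```

Run it as a script to print the one flagged log record (the "sent" line, with its seven unaddressable components) and the order in which the sample tree is taken apart, leaf file first and "lpt9" last. Call remove_tree_bottom_up with dry_run=True on a real tree first to review that order before anything is deleted; os.walk does not follow symbolic links, but confirm the root is not a junction before a live run, since the removal is not reversible.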
This archive was generated by hypermail 2b30 : Mon Jan 06 2003 - 20:48:06 PST