Need a little help please

Posted: January 2, 2003, 1:52 pm
by Ocelott
I was uploading a file to a friend and forgot to turn off my FTP server. Needless to say, I was hacked!
They created a ton of directories that you cannot delete from Windows Explorer. I was able to delete them when I used the short name in DOS <dir /x>.

Here is the problem.

They created directories called COM1, COM2, COM3. These directories do not have short names and I cannot figure out how to delete them.

Thanks for any help in advance,

Posted: January 2, 2003, 2:09 pm
by miir
Why can't you delete them?

You have admin rights?
Did you check the attribs of the directories?

Posted: January 2, 2003, 2:23 pm
by Ocelott
In Windows Explorer I get the following error.

"Cannot delete COM2: Cannot find the specified file.
Make sure you specified the correct path and filename."


From DOS I get the following error.

"The system cannot find the file specified."

I tried using RD COM1 and DEL COM1 from DOS.

Posted: January 2, 2003, 2:24 pm
by Swiiter
The reason you cannot delete those directories is that they are named using a naming convention that Windows does not understand. Here are some steps you could try first to remove the directories (copied from a newsgroup).

1) Use a "DOS" Command Prompt for the steps below. Example, click on Start, Run, type CMD [for Windows 2000 / XP / NT / .NET ] or COMMAND [Windows 95 / 98 / ME ] and click OK to open a Command Prompt window.

2) Use the DIR /X command to find the shortened 8.3 name of the folder. [Example, the shortened 8.3 name for the "Hackers Files" folder might be HACKER~5 ]

3) Use the CD command to change to that directory using the 8.3 name [example CD DOCUME~1 ].

4) Repeat these two commands until you reach the lowest level of the subdirectory tree that the hacker created.

5) You should then be able to delete all the files in the subdirectory.

6) Use the CD .. [CD space dot dot] command to move up one directory.

7) Use the RD command to remove the directory you just left [e.g. RD HACKER~7 ]

8) Repeat these two commands until you have removed all the unwanted folders.

In my experience this did not work and I had to revert to using the rm.exe that is supplied in the Windows Resource Kit. If those steps don't work, this should for sure.

http://support.microsoft.com/default.as ... US;Q120716
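
Added example, not from this thread or its posters: a small Python script that flags directory entries whose names collide with Windows reserved device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9, with or without an extension), which is the class of name the thread is fighting with, and prints the extended-length `\\?\` form of each path; on NT-based Windows, passing that form to RD or DEL bypasses the Win32 device-name parsing that makes plain `RD COM1` fail. The sample directory listing and the drive path are constructed for the example.

```python
import os

# Windows reserves these device names regardless of case or extension:
# "COM1", "com1" and "COM1.txt" all resolve to the serial port, not a file.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_name(name: str) -> bool:
    """True if a file or directory name collides with a reserved device name."""
    stem = name.split(".", 1)[0].rstrip(" ")   # extension and trailing spaces are ignored
    return stem.upper() in _RESERVED


def extended_path(path: str) -> str:
    r"""Return the \\?\ form of an absolute path; this form skips device-name parsing."""
    return path if path.startswith("\\\\?\\") else "\\\\?\\" + path


def scan_entries(walk):
    """Take an os.walk()-style iterable of (dirpath, dirnames, filenames) and
    return (kind, path) pairs for every reserved-name entry found."""
    hits = []
    for dirpath, dirnames, filenames in walk:
        hits += [("dir", dirpath + "\\" + d) for d in dirnames if is_reserved_name(d)]
        hits += [("file", dirpath + "\\" + f) for f in filenames if is_reserved_name(f)]
    return hits


def removal_commands(hits):
    """Build cmd.exe commands that delete each hit via its \\?\ path."""
    return [("rd /s /q " if kind == "dir" else "del /f ") + '"' + extended_path(p) + '"'
            for kind, p in hits]


if __name__ == "__main__":
    # Constructed listing standing in for os.walk(r"\\?\C:\ftproot") on the victim box.
    sample_walk = [
        ("C:\\ftproot", ["COM1", "COM2", "pub"], ["readme.txt"]),
        ("C:\\ftproot\\pub", ["nul"], ["aux.dat", "notes.doc"]),
    ]
    for cmd in removal_commands(scan_entries(sample_walk)):
        print(cmd)
```

Run the script on the real tree by replacing the constructed listing with `os.walk(r"\\?\C:\ftproot")`; the `\\?\` root is needed so the walker can descend into the reserved-name directories at all.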

Posted: January 2, 2003, 5:57 pm
by Swiiter
Also, you may want to do some file finds on your computer for anything named serverudaemon or firedaemon. Hackers will often install this on your PC as a backdoor to your FTP server. You might want to uncheck "allow anonymous" on your FTP server in the future as well, and check if anyone is still logged into your PC via FTP when you start it up next. That will let you know if they've left open a backdoor.

Posted: January 2, 2003, 6:01 pm
by Mezzmor
This sounds like the "tagged" shit that was going around a while back on Windows boxes. I think Microsoft has some sort of fix for it on their website... but mostly I heard that it was a wipe and restore from tape job.

Posted: January 2, 2003, 6:19 pm
by Fairweather Pure
Back up your files and reformat. In my experience, once Windows has been messed with, it's always fucked until you start from a clean slate.

Posted: January 2, 2003, 6:42 pm
by Krindol
I've seen that happen when someone has entered them as ASCII chars instead of regular chars. If you hold down the Alt key and then enter its ASCII value (001, 002, 003) using the num pad, you can usually duplicate the undeletable chars, and then use that to delete the dir name. You need to be in a DOS window to do this, of course.

For instance, rd 067 079 077 049 while holding down the Alt key should get you:

rd COM1

Here is a chart in case you get lost.

http://www3.sympatico.ca/rhwatson/dos7/ ... ascii.html

Posted: January 2, 2003, 6:45 pm
by Swiiter
You sooo do not need to reformat. Rm.exe will work wonders, believe me. This shit happened to me like a month ago and that tool saved the day.

Posted: January 2, 2003, 7:07 pm
by Ocelott
Thanks for all the GREAT advice. Y'all ROCK!!

Posted: January 2, 2003, 7:12 pm
by kyoukan
What FTP program do you use? Most have their own built-in file manager that is usually coded to delete that kind of shit just by hitting the Delete button.

Also, never let in anonymous users.

Posted: January 2, 2003, 7:21 pm
by Ocelott
I needed to get someone a file pretty fast, so I just dropped in IIS. I was planning on disabling FTP but forgot to. hehe

Posted: January 2, 2003, 7:22 pm
by Voronwë
Ocelott wrote: I needed to get someone a file pretty fast, so I just dropped in IIS.

And that, my friend, is why you got hacked :)