Directory will not delete 1

Status
Not open for further replies.

chesneyj

IS-IT--Management
Aug 20, 2001
33
US
My server is Windows NT 4.0 with IIS 4.0. It was hacked via the FTP site. The person put a number of games & movie files onto my server. I think I have him locked out now, but I can't delete the files. He has tagged them so the system can't see them. They list when "dir" is performed but when you try to delete them, the system says the file doesn't exist.

I have tried using MS kb Q120716. I installed the Resource kit. I used the rm.exe command as well as DEL. The RM command worked for one directory, but the last 2 won't go away. He has done something all the way down to the files themselves. One directory doesn't have a name at all and the other is called COM1. I can rename some directories but not all. It tells me Access denied as well.

Thanks for any ideas.


Brenda Sherrod
Network Administrator
Alliance Architects, Inc.
 
Hi,

It's a trick indeed to name directories as COM1 or LPT1.
Some advice:
- Try to remove the directory with this command:
RD \\.\C:\COM1 /s /q

- Use dir /x to see the DOS name of those directories of files you want to delete

And Microsoft also explains some steps here (using POSIX facilities):
Sincerely, I'm curious if it is working.
Gia Betiu
m.betiu@chello.nl
Computer Eng. CNE 4, CNE 5
 
Thank you thank you thank you!!!

I was forgetting to get the DOS name first. Once I had that, the knowledge base article worked like a charm.

And I am happy to report that after all the work I did yesterday to block him, he was not able to get in last night, although he did try. Thankfully, I remembered to disable the Guest account. The Event Log recorded everything.

Maybe now I can get back to my other tasks.

Thank you again.
Brenda Sherrod
Network Administrator
Alliance Architects, Inc.
 
You can also boot from a DOS floppy and use deltree if you are using FAT.
I don't think RD deletes directories with anything in them so this may well be quicker.
 
Thank You!

RD works! There is no need to use RM. Now I wonder why Microsoft didn't have that in the knowledge base.

Last Quark
 
I am having a similar problem. I have an FTP site that was hacked, and there is a directory in it that is named com1. When I do a dir /x it shows up as com1~1. I cannot access the directory at all; I keep getting access denied. When I log into the FTP server and do an ls, the permissions listed are: d--------

Not sure what I can do. I tried taking control of the folder with NTFS permissions; it looks like it works but then doesn't.

Any suggestions?

Thanks
 
Make sure to shut off anonymous access to your FTP site. Unless it is absolutely necessary, there is no need for it. Also, disable your guest account. It is unnecessary for day to day use.

Then print out Microsoft Knowledge Base article Q120716. This details how to delete files with illegal names. You will need to get access to the Windows Resource Kit. It contains a program called rm.exe. I can't remember where I found it but it may be on the installation disks.

Next, delete everything you can delete inside of the hacker's directory. If there are files that won't delete, go to the DOS prompt, go to the directory where the files are stored and type dir /x. The files will have different DOS names than their regular names. Then follow the directions in the Knowledge Base article.

I hope this helps.
Brenda Sherrod
 
We recently ran into this exact same issue where a hacker got into our server via having Anonymous open on our server. We shut that down as well as the service "Serv-U FTP Server" which was described as "Provides FTP services and allows remote FTP clients to connect to this computer"

That seemed to have disabled their access...but now we had all kinds of folders we couldn't delete such as "C:\Inetpub\FTProot\ \ \ \aux\~\com3\ScanneD \lpt1\by \lpt3\fischmac\com9\TaGGeD \lpt1\by \lpt3\one2one\lpt3\ \with Neo1907´s PuB-tAgGeR \lpt2\uPPed \com1\BY \lpt1\one2one"

I finally got them deleted with a program called ROBOCOPY.
I first used the following to move them out of the ftp directory they were in and into a new “dump” directory with all directories renamed replacing all the spaces and such in the directory names (except the lpt2 or com2 ones) with:

C:\Inetpub\FTProot> robocopy . C:/dump /MOVE /E /FAT

/FAT : create destination files using 8.3 FAT file names only.
/E - copy subdirectories, including Empty ones.
/MOVE - MOVE files AND dirs (delete from source after copying).

I then used the /PURGE option and just copied from the current directory to itself, in essence deleting everything with:

C:\dump> robocopy . . /MOVE /E /PURGE

/PURGE : delete dest files/dirs that no longer exist in source.

Hope this helps!
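
An added example, not part of any post in this thread: Python that audits directory paths (for instance, lines from a recursive listing of the FTP root) for the naming tricks discussed above, namely reserved device names such as COM1 or LPT1, blank names, and names with a trailing space. The function names are hypothetical, and the sample is an excerpt of the path quoted in the post above.

```python
import re

# Win32 reserved DOS device names; they stay reserved even with an extension.
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.IGNORECASE)

# Excerpt of the tagged path quoted in the thread.
SAMPLE = r"C:\Inetpub\FTProot\ \ \ \aux\~\com3\ScanneD \lpt1\by \lpt3"

def classify(component):
    """Return the reasons one path component defeats ordinary DEL/RD handling."""
    if component.strip(" ") == "":
        return ["blank name"]
    reasons = []
    trimmed = component.rstrip(" .")  # Win32 normalization drops these characters
    if RESERVED.match(trimmed):
        reasons.append("reserved device name")
    if trimmed != component:
        reasons.append("trailing space or dot")
    return reasons

def audit_path(path):
    """Return [(depth, component, reasons)] for every flagged component."""
    drive, sep, rest = path.partition(":\\")
    if not sep:            # no drive letter: treat the whole string as relative
        rest = path
    findings = []
    for depth, part in enumerate(rest.split("\\"), start=1):
        reasons = classify(part)
        if reasons:
            findings.append((depth, part, reasons))
    return findings

def shallowest_flagged(path):
    """Return the path up to the first flagged component (the tree to remove)."""
    findings = audit_path(path)
    if not findings:
        return None
    drive, sep, rest = path.partition(":\\")
    parts = (rest if sep else path).split("\\")
    return drive + sep + "\\".join(parts[:findings[0][0]]) if sep \
        else "\\".join(parts[:findings[0][0]])

def device_namespace(path):
    """Prefix a full path with \\\\.\\ as in the RD command quoted in the thread."""
    return "\\\\.\\" + path

if __name__ == "__main__":
    for depth, part, reasons in audit_path(SAMPLE):
        print(depth, repr(part), ", ".join(reasons))
    print(repr(shallowest_flagged(SAMPLE)))
```

Feeding every line of a directory listing through audit_path gives a quick inventory of tagged trees before cleanup, and the same check can be rerun afterwards to confirm nothing was left behind.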
 