Got an IIS FTP site that has been hacked. Someone created subfolders from the FTP root, and now I can't delete them! I have tried stopping the FTP Service, made sure that I have complete rights, etc and still I can't delete the folders or directories. Any ideas on what I can do???
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
FTP Site got Hacked 1
- Thread starter extoman
- Start date
-
1
- #2
sleipnir214
Programmer
What commonly happens is that the little schmucks who dump junk your server create directory names which have spaces or weird characters in them. You won't be able to delete them from the drive through Explorer.
One way is to go to the directory tree from the command prompt and use the "dir /x" command, which shows the short-filename equivalents of the filenames. You can delete the files using the short names from the command prompt.
This process is laborious, but it works.
I assume that you have turned off anonymous writes to your server -- if you don't, this will happen all over again. ______________________________________________________________________
TANSTAAFL!
One way is to go to the directory tree from the command prompt and use the "dir /x" command, which shows the short-filename equivalents of the filenames. You can delete the files using the short names from the command prompt.
This process is laborious, but it works.
I assume that you have turned off anonymous writes to your server -- if you don't, this will happen all over again. ______________________________________________________________________
TANSTAAFL!
- Thread starter
- #3
sleipnir214
Programmer
My idea will work. You just can't use wildcards.
You can use a filecard in a directory to delete the files in that directory, but you're going to have to delete each directory by name. This takes a while. ______________________________________________________________________
TANSTAAFL!
You can use a filecard in a directory to delete the files in that directory, but you're going to have to delete each directory by name. This takes a while. ______________________________________________________________________
TANSTAAFL!
- Thread starter
- #5
sleipnir214
Programmer
I'm trying to remember what I did the last time I came across this problem.
Can you take ownership of the directory tree? ______________________________________________________________________
TANSTAAFL!
Can you take ownership of the directory tree? ______________________________________________________________________
TANSTAAFL!
You are right they sometime use strange characters in the folder, get a copy of the dos utility deltree (I believe it is in Win98 still) and this will allow you to use wildcards in your directory delete. Or sometimes they us windows reserved names in their file or directory names, this article describes how to delete those.
- Thread starter
- #8
BlackHawk2
Technical User
Here is what I had to do.
Open a Command Promt.
Open Explorer, where the Directory resides.
In the Command Propt type
RD /S
Then Space.
Then Drag and Drop the hackers folder into the dos prompt.
This will type out the name for you.
Hit the Enter button.
RD = Remove Directory
/S = Removes all directories and files in the specified directory in addition to the directory itself. Used to remove a directory tree.
Your FTP root folder will probably disappear to, just recreate it with the same name.
BH2
Open a Command Promt.
Open Explorer, where the Directory resides.
In the Command Propt type
RD /S
Then Space.
Then Drag and Drop the hackers folder into the dos prompt.
This will type out the name for you.
Hit the Enter button.
RD = Remove Directory
/S = Removes all directories and files in the specified directory in addition to the directory itself. Used to remove a directory tree.
Your FTP root folder will probably disappear to, just recreate it with the same name.
BH2
- Thread starter
- #10
TigerFlight
Technical User
Just A thought! Just a guess at it. Have you tried to change the attribues from system or hidden or read only?
Tigerflight
Everyone has their two cents worth. Lets all try to donate our two cents and maybe we all can come up with a Dollars worth of advice!!!!!
Tigerflight
Everyone has their two cents worth. Lets all try to donate our two cents and maybe we all can come up with a Dollars worth of advice!!!!!
- Thread starter
- #13
I have tried changing the attributes, but it says: "an error occurred applying attributes to the file. The system cannot find the file specified."
I will try to reboot the server, and log in in safe-mode to see if this helps any.
Any other ideas on what I can try?
I will try to reboot the server, and log in in safe-mode to see if this helps any.
Any other ideas on what I can try?
TigerFlight
Technical User
Does the folder name look like it has a space infront of it. If it does then I will have to get some info at home and post this evening. TigerFlight ![[tiger]](/data/assets/smilies/tiger.gif "[tiger] [tiger]")
Everyone has their two cents worth. Lets all try to donate our two cents and maybe we all can come up with a Dollars worth of advice!!!!!
Everyone has their two cents worth. Lets all try to donate our two cents and maybe we all can come up with a Dollars worth of advice!!!!!
TigerFlight
Technical User
I found it! The first link is to a page with a tip on how to lock folders. You have to know the long file name and if it has a _ in front of or behind it. I've used that on before.
If it is not there. Then try the other pages for some hints. If it can be done, it can be undone. Maybe they will help!!
TigerFlight
Everyone has their two cents worth. Lets all try to donate our two cents and maybe we all can come up with a Dollars worth of advice!!!!!
If it is not there. Then try the other pages for some hints. If it can be done, it can be undone. Maybe they will help!!
TigerFlight
Everyone has their two cents worth. Lets all try to donate our two cents and maybe we all can come up with a Dollars worth of advice!!!!!
- Thread starter
- #17
Thanks for all the replies, but I still cant seem to get rid of these directories. I have tried everything that you all have suggested. Does anyone have any ideas left?
It would have been alot easier if the directory would have been on a seperate disk or partition, that way I could just have formatted it. But since this is not the case...am really in a bind....
HELP>>>>>>
It would have been alot easier if the directory would have been on a seperate disk or partition, that way I could just have formatted it. But since this is not the case...am really in a bind....
HELP>>>>>>
TigerFlight
Technical User
In this link there is the e-mail address of the guy at the bottom of the page. He has written a MBR tool to let you edit the MBR. See if he will send it to you with instructions on how to use it.
TigerFlight
Everyone has their two cents worth. Lets all try to donate our two cents and maybe we all can come up with a Dollars worth of advice!!!!!
TigerFlight
Everyone has their two cents worth. Lets all try to donate our two cents and maybe we all can come up with a Dollars worth of advice!!!!!
BlackHawk2
Technical User
I REMEMBERED WHAT IT WAS YOU HAD TO DO.... cause I just had to get rid of that sruff again...
You have to use the RD /S (Directory) command from the DOS prompt. But you can not use it on the folder with an invalid character. So if your Directory structure is this:
FTP
\INBOUND
\OUTBOUND
\.@Taged
Assuming that Inbound and Outbound are valid folders and the .@Taged directory is the losers (I would not call him a hacker since he hacked nothing, just put up a hard to remove file) folder under the FTP root directory. You need to delete the Directory that has a valid name. So in this case you will need to copy the Inbound and Outbound directories to a temp location.
Then from a command prompt do a RD /S x:\xxxx\xxx\xxx\FTP
Of course the x's are your path to the root folder where the unwanted folder lies.
Hope this is clear enough.
BH2
You have to use the RD /S (Directory) command from the DOS prompt. But you can not use it on the folder with an invalid character. So if your Directory structure is this:
FTP
\INBOUND
\OUTBOUND
\.@Taged
Assuming that Inbound and Outbound are valid folders and the .@Taged directory is the losers (I would not call him a hacker since he hacked nothing, just put up a hard to remove file) folder under the FTP root directory. You need to delete the Directory that has a valid name. So in this case you will need to copy the Inbound and Outbound directories to a temp location.
Then from a command prompt do a RD /S x:\xxxx\xxx\xxx\FTP
Of course the x's are your path to the root folder where the unwanted folder lies.
Hope this is clear enough.
BH2
- Status
Similar threads
- Locked
- Question