Hacked, sort of

I opened up my IIS FTP server on my WinXP Pro PC to let some friends upload some music. What happens but the next day I take a look, and there are hundreds of tiny directories that have been made, with little files in them. Looks like some script kiddies had found my box and were trying to use it as a repository for various crapulence. I summarily booted the 4 FTP users that were online and began to delete the crap they had put on my drive. A common trick for keeping the files around longer is to make directories with bad characters in the names, so that Windows can’t delete them, or with names like ‘aux’ and ‘com1’, which are reserved device names; Windows won’t let you delete those directories either. I’m not much of a Windows guy, so it took a little bit of jerking around to get rid of those directories. If you try to delete them in Explorer, you get the error “Cannot delete file: Cannot read from the source file or disk,” which is a pain in the butt. Here was my strategy for cleaning up after the minor intrusion…

Open a command prompt, then hit ctrl-alt-delete, find explorer.exe in the Processes tab, and kill it. Close the Task Manager and go back to your command prompt. Navigate to the directory containing the little garbage files and start deleting them. If you use “rd dirname /s /q” you will be able to get some of them right off.

If you can’t delete them that way, try listing the contents with “dir /x”, which shows the 8.3 short names for the directories; use those names to delete more of them. Remember that the /s switch is for recursive deletion, and the /q switch keeps it from asking for confirmation each time. This method will get rid of directories with bad names or illegal characters in them.

If you are left with a few directories, chances are they have names like ‘aux’ or ‘com1’ or ‘com2’. In that case Windows is not letting you delete them because those are reserved words. You can bypass reserved-word checking by using the following syntax with the del or rd commands: “rd \\.\driveletter:\directory”. For example, “rd \\.\d:\ftpshare\com1\” got rid of the com1 directory that was causing me trouble.
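The three steps above, rolled into one cmd batch file as an added example (this is not the post’s own script): it tries the plain name, then the 8.3 short name, then the `\\.\` device-path form from the post on every directory in the share. `D:\ftpshare` is an assumed placeholder; `%~s` is cmd’s own short-name expansion, which only helps on volumes that still generate 8.3 names.

```batch
@echo off
rem Added example, not the post's script: sweep the junk directories an FXP
rem tagger left in an FTP share, using the three tricks the post describes.
rem ROOT is an assumed placeholder path for the share.
setlocal
set "ROOT=D:\ftpshare"

rem Refuse to run against a path that does not exist or a bare drive root.
if not exist "%ROOT%\" (echo ROOT does not exist: %ROOT% & exit /b 1)
if "%ROOT:~2%"=="\" (echo refusing to sweep a drive root & exit /b 1)

for /d %%D in ("%ROOT%\*") do (
    rem 1. Plain long name: removes ordinary directories.
    rd /s /q "%%~D" 2>nul
    rem 2. 8.3 short name, the same name dir /x shows: reaches directories
    rem    whose long names contain illegal characters or trailing dots.
    rd /s /q "%%~sD" 2>nul
    rem 3. Device-path form from the post: bypasses reserved-word checking
    rem    for names such as aux, con, nul, com1-com9 and lpt1-lpt9.
    rd /s /q "\\.\%%~D" 2>nul
)

rem Show whatever survived, with short names, so it can be handled by hand.
echo Remaining entries in %ROOT%:
dir /x /ad "%ROOT%"
endlocal
```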

This Microsoft Knowledge Base article is handy, as is this article at JSI.

The final lesson is this: never open up anonymous FTP uploading, even just for a few hours. They’ll scan the open port and be into your computer in a flash. Things were pretty well patched up, so it’s unlikely that they would have been able to actually cause any harm, but the annoyance factor that they were trying to use my computer as a storage depot is enough to make me glad they aren’t on my computer anymore. Though I did get 5 albums uploaded by my friends. I should have just created user accounts for them. I got lazy, and look what it got me!

8 Responses to “Hacked, sort of”

  1. on 11 Feb 2003 at 10:28 pm billy

    it’s amazing how quickly those lil turds can find an easy target…i had a machine setup for a friend…no guest account…but didn’t secure it too well…POW 3 days later…they had filled what little of the drive that was left…those are some cool people…i wish i had their skills…

  2. on 13 May 2003 at 2:58 pm phantomassraper

    It's not hard to learn. It’s usually a bunch of 13 year olds that learned off the internet hacker pages. You're really good when you keep them out!!

  3. on 26 May 2003 at 4:01 am lefti

    hello
    thanks a lot for this hint, it helped me out of big troubles on my company's webserver…

    cheers
    lefti

  4. on 01 Nov 2003 at 2:17 pm JRTwine Software, LLC

    We recently released an application specifically designed to ease deletion of folders that use reserved words like “Com1”, which are often used by FXP groups when they “tag” a server.

    The link to the product is: http://www.jrtwine.com/Products/DelFXPFiles/index.htm

    Various editions are available, including a reduced functionality demo version (this version has the same “deletion power” as the registered versions).

    HTH…

  5. on 10 May 2004 at 12:37 pm John

    Hard-to-find info, this. Great, esp when having to clear up someone else’s mess. Oh, I didn’t have to stop the explorer process in w2k server. Just dir /x and rd the dirs. :)

    Thanks,

  6. on 21 Jul 2004 at 12:54 pm dan

    This info may be old but it is very helpful for people like me who have no time to search through the MS site for an answer. In my opinion, hacking is like stealing and all other crimes: it is always easier to destroy than to create. It doesn’t need much more skill or intelligence than a 10 year old that has lots of time on hand but can not find anything meaningful to do. So they go and smash some car windows or download hacking software and just RUN it, some silly little criminal mind and ego, pitiful.

  7. on 23 Aug 2004 at 5:46 pm Bj?rn

    Thanks for this hard-to-find info! Cheers!

    Bj?rn

  8. on 01 Oct 2006 at 11:50 am nikolai

    wow, this is some good information. only trouble is that I use a mac.
