Delayed response...been on vacation.
A friend called me with a similar problem. Warez Dudez were uploading to
funky dirnames. They couldn't figure out why all their drive space was gone
all of a sudden.
An easy way to remove the invalid filenames that the Hax0rs use for their
directories is simply to go to the command prompt and use rename on the
short file names. Find the short names with DIR /x.
So, if the long file name is " .Tagged+RoccoBoard+Team", the short on is
probably "TAGGED~1".
c> ren TAGGED~1 BADNAME1
c> rmdir BADNAME1
Then you can delete as usual.
I've also had a problem with invalid characters in some unixes long ago.
There was a flag on ls that displayed the octal representation of
non-printable characters. Then you could use the octal version to remove
with.
e2
_________________________________________________
Erik Elsasser System Engineering
CyberGuard Corporation Northeast Region
[EMAIL PROTECTED] www.cyberguard.com
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Bill Hardin
Sent: Thursday, July 05, 2001 2:21 PM
To: Charles Morin
Cc: [EMAIL PROTECTED]
Subject: Re: Hacked@!!@!!
Importance: High
Charles,
I had the same thing happen recently.
The NT Supplemental CD contains a number of POSIX utility programs.
I can send you a copy if you don't have it handy. You need "rm.exe"
After installing RM.EXE, open a Command prompt and change to your "upload"
folder.
Execute the command rm -rf " .Tagged+RoccoBoard+Team"
Be sure to include the space before the .Tagged and enclose the string in
double quotes.
The "r" option tells it to recurse the subdirectoires and the "f" option
tells it to force a yes answer (otherwise you'll be prompted for each file).
Then turn off write permissions on your ftp site.
Bill
At 12:05 PM 7/5/01, you wrote:
>I just discovered that someone has hacked into our webserver through FTP
and
>has been using our server for storage of pornsite stuff among other things.
>Below is the first logfile that appears to be the first attempt. I am not
>sure how they got around security on the Firewall and the Server but there
>are also directories that cannot be deleted and display nofile info. This
is
>a NT4 server running IIS 4.0
>
>If anyone has seen this before that can fill me in on who might have done
>this and how I can delete the directory titled NiGHtWaR I would
definitely
>appreciate it.
>
>08:24:02 172.16.2.251 [1]USER anonymous 331
>08:24:02 172.16.2.251 [1]PASS [EMAIL PROTECTED] 230
>08:47:11 172.16.2.251 [2]USER anonymous 331
>08:47:11 172.16.2.251 [2]PASS [EMAIL PROTECTED] 230
>08:47:55 172.16.2.251 [2]created Tagged 226
>08:48:26 172.16.2.251 [2]created Tagged 226
>08:50:21 172.16.2.251 [2]ABORT - 226
>08:50:21 172.16.2.251 [2]sent /_vti_pvt/_vti_cnf/Tagged 426
>08:50:44 172.16.2.251 [2]QUIT - 426
>12:49:56 172.16.2.251 [3]USER anonymous 331
>12:49:56 172.16.2.251 [3]PASS [EMAIL PROTECTED] 230
>14:07:42 172.16.2.251 [4]USER anonymous 331
>14:07:42 172.16.2.251 [4]PASS [EMAIL PROTECTED] 230
>14:08:19 172.16.2.251 [4]sent /upload/TAGGED+.txt 550
>14:08:21 172.16.2.251 [4]created TAGGED+.txt 226
>14:23:01 172.16.2.251 [4]QUIT - 257
>14:23:13 172.16.2.251 [5]USER anonymous 331
>14:23:13 172.16.2.251 [5]PASS [EMAIL PROTECTED] 230
>14:25:03 172.16.2.251 [5]sent
>/upload/.Tagged+RoccoBoard+Team/COM1/1/1mb.test 550
>
>Thank You,
>Charles Morin
>Director Information Technology
>New Horizons Computer Learning Centers
>[EMAIL PROTECTED]
>ph:805.496.9690
>fx:805.496.9780
>
>
>
>This email and any files transmitted with it are confidential and are
>intended solely for the use of the individual or entity to whom they are
>addressed. This communication may contain material protected by the
>attorney-client privilege. If you are not the intended recipient or the
>person responsible for delivering the e-mail to the intended recipient, be
>advised that you have received this e-mail in error and that any use,
>dissemination, forwarding, bringing or copying of this email is strictly
>prohibited. If you have received this e-mail in error; please immediately
>notify New Horizons front desk by telephone at 1-805-496-9690. You will be
>reimbursed for reasonable costs incurred in notifying us.
>
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Bill Hardin [EMAIL PROTECTED]
Systems Administrator http://www.uts.com
Universal Technical Systems, Inc. 815.963.2220 x211
202 West State St. Suite 700 815.963.8884 FAX
Rockford, IL 61101
"99% of the failures come from people who have the habit of
making excuses." -- George Washington Carver
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
