RE: STRANGE undeletable directory

2001-08-17 Thread Kevin Lundy

Did you try the POSIX utility rm.exe from the resource kit?

If you don't solve it soon, I've got a coworker who has solved it in the
past with an old utility.  I'll ask him when he gets in later.

-Original Message-
From: Bunting, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 17, 2001 10:10 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory


Thanks!  I'd tried several variations but hadn't come up with that one yet.
Have you got a trick to do it via FTP?

Jeff

-Original Message-
From: Hodson, Jason [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 17, 2001 9:58 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory


md \\.\c:\com1
 
to remove:
 
rd \\.\c:\com1

-Original Message-
From: Bunting, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 17, 2001 9:36 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory


That is interesting; I can't seem to be able to create a directory that
starts with com1 by any normal means.
-Original Message-
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 5:16 PM
To: NT System Admin Issues
Subject: Re: STRANGE undeletable directory


Just FYI these log entries are from a Windows 2KS running IIS 5.0

xylog
- Original Message - 
From: Bunting, Jeff 
To: NT System Admin Issues 
Sent: Thursday, August 16, 2001 4:34 PM
Subject: RE: STRANGE undeletable directory


This is what I was talking about earlier when it was suggested the server
was hacked because of the funny directory names.  I was speculating there
might be a way to create those directories with the normal permissions given
to the anonymous account in a write enabled directory.  The original post
about the server with the aux directory could very well have been hacked,
I just wasn't sure if the presence of those directories in a public FTP
folder was enough evidence to jump to that conclusion without looking at the
logs.

I did some experimenting and found I can't create the
com1.scanned.by.zog+++/+++/ directory under IIS5.  Perhaps it can be done
in IIS4?  I'm running Serv-U FTP on all of the IIS4 machines so I can't test
it there.  The +++COM2 and null.upload are legal though and can be
deleted by normal means.

On a related note, I've been getting some of the same people connecting to
my server, some warez guys from France.  I was watching their activity
closely for awhile because they don't have download permissions from the
uploads directory yet they continued to upload files which didn't make a lot
of sense to me.  I saw attempts at downloading, but nothing to indicate they
were successful or coming in by other means, so I've just started banning
their IP ranges because I'm tired of cleaning up all of the garbage on the
FTP site.

Jeff
-Original Message-
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 3:08 PM
To: NT System Admin Issues
Subject: Fw: STRANGE undeletable directory


OK here is one with the undeletable directory. The last one was just plain
dirs:

#Fields: time c-ip cs-method cs-uri-stem sc-status 
07:53:08 217.128.73.112 [10]USER anonymous 331
07:53:08 217.128.73.112 [10]PASS [EMAIL PROTECTED] 230
07:53:32 217.128.73.112 [11]USER anonymous 331
07:53:32 217.128.73.112 [11]PASS [EMAIL PROTECTED] 230
07:54:29 217.128.73.112 [11]MKD Tagged+By+Gru+++/+++/ 257
07:54:42 217.128.73.112 [11]MKD Tagged+By+Gru+++/+++Board/ 257
07:55:14 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++/ 257
NOTICE com1
07:55:31 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++COM2/ 257
COM2
07:55:54 217.128.73.112 [11]MKD null.upload.by.derfy+++/+++/ 257
don't know what this null thingy is
07:56:11 217.128.73.112 [11]MKD null.upload.by.derfy+++/+++COM1/ 257
07:56:29 217.128.73.112 [11]MKD 07.27.01Reel_Fishing_Wild_DC-ECHELON 257

xylog
- Original Message - 
From: xylog 
To: NT System Admin Issues 
Sent: Thursday, August 16, 2001 2:58 PM
Subject: Re: STRANGE undeletable directory


I had some bozo do this ^#@ to one of my boxes, here are the log entries:

12:35:46 193.253.37.219 [4]USER anonymous 331
12:35:46 193.253.37.219 [4]PASS [EMAIL PROTECTED] 230
12:35:50 193.253.37.219 [4]MKD 010626143627p 257
12:35:50 193.253.37.219 [4]RMD 010626143627p 250
20:47:30 193.253.37.219 [5]USER anonymous 331
20:47:30 193.253.37.219 [5]PASS [EMAIL PROTECTED] 230
20:47:57 193.253.37.219 [5]MKD /.tmp 257
20:47:59 193.253.37.219 [5]MKD /.tmp/Tag++Scan 257
20:48:02 193.253.37.219 [5]MKD /.tmp/Tag++Scan/Genetic+SPECIE 257
20:48:04 193.253.37.219 [5]MKD /.tmp/Tag++Scan/Genetic+SPECIE/for+DZ 257
20:48:23 193.253.37.219 [5]QUIT - 257

You set the log settings from the IIS management console snap-in in the FTP
site properties page.

xylog
- Original Message - 
From: Bunting, Jeff 
To: NT System Admin Issues 
Sent: Thursday, August 16, 2001 1:19 PM
Subject: RE: STRANGE undeletable directory


What options need to be ticked to record the FTP commands in IIS?  The
settings show
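
The MKD entries in the logs quoted above can be screened mechanically. The following is an added example, not part of the original thread: it parses lines in the "#Fields: time c-ip cs-method cs-uri-stem sc-status" layout and flags successful MKD commands whose path components Win32 treats as a reserved device name or as a name with trailing spaces or dots. The sample log is constructed, and reading "+" in cs-uri-stem as an encoded space is an assumption.

```python
import re
from typing import List, NamedTuple

# Win32 reserved device names. They are matched case-insensitively on the part
# of a path component before the first dot, so "com1.anything" still counts.
RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# time, client IP, "[session]METHOD", uri-stem, status (layout shown in the thread)
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<ip>\S+)\s+"
    r"\[(?P<session>\d+)\](?P<method>[A-Za-z]+)\s+"
    r"(?P<stem>\S+)\s+(?P<status>\d{3})\s*$"
)

# Constructed sample log: documentation IP range, made-up directory names.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
07:53:32 192.0.2.10 [11]USER anonymous 331
07:53:32 192.0.2.10 [11]PASS user@example.invalid 230
07:54:29 192.0.2.10 [11]MKD Tagged+By+Example+++/+++/ 257
07:55:14 192.0.2.10 [11]MKD com1.scanned.by.example+++/+++/ 257
07:55:31 192.0.2.10 [11]MKD com1.scanned.by.example+++/+++COM2/ 257
07:55:54 192.0.2.10 [11]MKD null.upload.by.example+++/+++/ 257
07:56:29 192.0.2.10 [11]MKD incoming_2001 257
07:57:02 192.0.2.10 [11]MKD aux 550
"""


class Finding(NamedTuple):
    time: str
    ip: str
    session: str
    name: str            # cs-uri-stem exactly as logged
    problems: List[str]


def component_problems(component: str) -> List[str]:
    """Return the reasons one path component is awkward for Win32 tools."""
    if component in (".", ".."):
        return []                                   # plain navigation
    if component.strip(" .") == "":
        return ["blank-name"]                       # only spaces and/or dots
    problems = []
    trimmed = component.rstrip(" .")
    if trimmed != component:
        problems.append("trailing-space-or-dot")    # dropped by Win32 normalization
    base = trimmed.split(".", 1)[0].rstrip(" ")
    if base.upper() in RESERVED:
        problems.append("reserved-device:" + base.upper())
    return problems


def scan_ftp_log(text: str) -> List[Finding]:
    """Flag successful MKD commands that created problematic directory names."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:                               # header, annotation, blank line
            continue
        if match["method"].upper() != "MKD" or not match["status"].startswith("2"):
            continue
        decoded = match["stem"].replace("+", " ")   # assumption: "+" encodes a space
        problems: List[str] = []
        for component in decoded.split("/"):
            if component == "":                     # leading or trailing slash
                continue
            for problem in component_problems(component):
                if problem not in problems:
                    problems.append(problem)
        if problems:
            findings.append(Finding(match["time"], match["ip"], match["session"],
                                    match["stem"], problems))
    return findings


if __name__ == "__main__":
    for f in scan_ftp_log(SAMPLE_LOG):
        print(f.time, f.ip, f"session={f.session}", f.name, ",".join(f.problems))
```

A name such as "null.upload" or one with leading spaces before COM2 is not reported as a reserved device, which matches the observation in the thread that those directories can be deleted by normal means.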

RE: STRANGE undeletable directory

2001-08-17 Thread Bunting, Jeff

No, you misunderstood; I'm not trying to remove a directory.  I was trying
to figure out *how* they are created.  If you look at the log xylog posted:

07:55:14 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++/ 257

it appears an anonymous FTP user created this directory.  I was
experimenting on a couple of machines here but couldn't get them to create a
directory that starts with com1.  Jason showed me how to do it from a
command line, but that doesn't work via FTP.  I tried some variations on it
but haven't hit on anything yet.

Jeff


RE: STRANGE undeletable directory

2001-08-17 Thread Kevin Lundy

Ahh, I see.  I'm betting it's via some special hacker ftp client.


RE: STRANGE undeletable directory

2001-08-17 Thread Sankaranarayanan_Ganapathy

If Perl is installed on the said IIS server then there is a possibility.

shankar



STRANGE undeletable directory

2001-08-16 Thread Martijn Eindhoven

OK guys, I have the following question.

A customer has his own w2ks box. Now he asked me to look at his machine
because he had a problem.
I logged in and looked at the problem. The first thing I saw was that there
was an FTP abuser. So I kicked him out.
But when I was going to delete the directories he made I stumbled upon
the strangest problem I've ever seen in a long time.

He made a map in the login directory that looked like this:

pub---
 |
 Com1--
   |
   Pub
     |
     Aux
     Aux (yes two times an identical directory)

It says "The parameter is incorrect" when I try to delete it.
Looked at the settings and everything. Still undeletable.

Any ideas, guys?



Kind regards,


M. Eindhoven
NT System Administrator
Bevelander Internet Services B.V. 
Folkstoneweg 10 
1118 LM SCHIPHOL Zuidoost 
Tel : 020 40 53 900 
Fax : 020 40 53 910 
http://www.bevelander.nl
= 
This communication contains information which is confidential and 
may also be privileged. It is for the exclusive use of the 
intended recipient(s). If you are not the intended recipient(s), 
please note that any distribution, copying or use of this 
communication or the information in it is strictly prohibited. 
If you have received this communication in error, please notify 
the sender immediately and then destroy any copies of it. 
=

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm





RE: STRANGE undeletable directory

2001-08-16 Thread Martijn Eindhoven

I dunno, can't rename, can't move, can do shit!
Very strange

At 09:10 AM 8/16/2001 -0500, you wrote:
Is it because Com1?






Re: STRANGE undeletable directory

2001-08-16 Thread Brian Drought

Have you tried logging in via FTP, and deleting with FTP rather than
windows?

  Bri






RE: STRANGE undeletable directory

2001-08-16 Thread Martijn Eindhoven

Jup deleting it from the command line gave the same error: The parameter
is incorrect



At 10:19 AM 8/16/2001 -0400, you wrote:
Did you try deleting it from the command line?







RE: STRANGE undeletable directory

2001-08-16 Thread Rogers, Jeff L (OM)



Can you change attributes from the command line?

  -Original Message-From: Martijn Eindhoven 
  [mailto:[EMAIL PROTECTED]]Sent: Thursday, August 16, 2001 
  09:17To: NT System Admin IssuesSubject: RE: STRANGE 
  undeletable directoryJup deleting it from the command 
  line gave the same error: The parameter is incorrectAt 10:19 
  AM 8/16/2001 -0400, you wrote:
  Did you try deleting it from the command line? 

  -Original Message- 
  From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]] 
  Sent: Thursday, August 16, 2001 10:13 AM 
  To: NT System Admin Issues 
  Subject: RE: STRANGE undeletable directory
  I dunno, cant rename cant move can do shit! 
  Very strange
  At 09:10 AM 8/16/2001 -0500, you wrote:
  
Is it because "Com1"? 
-Original Message- 
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, August 16, 2001 09:03 
To: NT System Admin Issues 
    Subject: STRANGE undeletable directory
Oke guys i have the following question.
A customer has his own w2ks box. Now he asked me to look at his 
machine because he had a problem 
I logged in and looked at the problem. The first thing i saw that 
here was an ftp abuser. So i kicked him out. 
But when i was going to delete the directories he made I stumbled 
upon the strangest problem i've ever seen since a long 
time.
He made a map in the login directory that looked like this:
pub--- 
 | 
 Com1-- 
 
| 
 
Pub 
 
| 
 
Aux 
 
Aux (yes two times an identical directory)
It says "The parameter is incorrect" when i try to delete it. Looked 
at the settings and everything. Still undeletable.
Any ideas guys.
Met vriendelijke groet,
M. Eindhoven 
NT System Administrator 
Bevelander Internet Services B.V. 
Folkstoneweg 10 
1118 LM SCHIPHOL Zuidoost 
Tel : 020 40 53 900 
Fax : 020 40 53 910 
http://www.bevelander.nl 
= 
This communication contains information which is confidential and 
may also be privileged. It is for the exclusive use of the 
intended recipient(s). If you are not the intended recipient(s), 
please note that any distribution, copying or use of this 
communication or the information in it is strictly prohibited. 
If you have received this communication in error, please notify 
the sender immediately and then destroy any copies of it. 
= 
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 





RE: STRANGE undeletable directory

2001-08-16 Thread Bunting, Jeff



Check this KB out:

http://support.microsoft.com/support/kb/articles/Q120/7/16.asp

Jeff

  -Original Message-
  From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, August 16, 2001 10:03 AM
  To: NT System Admin Issues
  Subject: STRANGE undeletable directory

  Oke guys i have the following question.

  A customer has his own w2ks box. Now he asked me to look at his machine
  because he had a problem
  I logged in and looked at the problem. The first thing i saw that here
  was an ftp abuser. So i kicked him out.
  But when i was going to delete the directories he made I stumbled upon
  the strangest problem i've ever seen since a long time.

  He made a map in the login directory that looked like this:

  pub---
  |
  Com1--
  |
  Pub
  |
  Aux
  Aux (yes two times an identical directory)

  It says "The parameter is incorrect" when i try to delete it. Looked at
  the settings and everything. Still undeletable.

  Any ideas guys.





RE: STRANGE undeletable directory

2001-08-16 Thread Martijn Eindhoven

Good one didn't think of that
going to try it now

At 09:36 AM 8/16/2001 -0500, you wrote:
can you change attributes from the command line?

-Original Message-
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 09:17
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Jup deleting it from the command line gave the same error: The
parameter is incorrect

At 10:19 AM 8/16/2001 -0400, you wrote:
Did you try deleting it from the command line?
 
-Original Message- 
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 10:13 AM 
To: NT System Admin Issues 
Subject: RE: STRANGE undeletable directory


I dunno, can't rename can't move can do shit!
Very strange


At 09:10 AM 8/16/2001 -0500, you wrote:

Is it because "Com1"?
-Original Message-
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 09:03 
To: NT System Admin Issues 
Subject: STRANGE undeletable directory


Oke guys i have the following question.


A customer has his own w2ks box. Now he asked me to look at his
machine because he had a problem 
I logged in and looked at the problem. The first thing i saw that
here was an ftp abuser. So i kicked him out. 
But when i was going to delete the directories he made I stumbled
upon the strangest problem i've ever seen since a long 
time.


He made a map in the login directory that looked like this:


pub---
 |
 Com1--
 |
 Pub
 |
 Aux
 Aux (yes two times an identical directory)

It says "The parameter is incorrect" when i try to delete
it. Looked at the settings and everything. Still undeletable.


Any ideas guys.











RE: STRANGE undeletable directory

2001-08-16 Thread Brenden C. Bryan
Actually, doesn't require any knowledge at all. This is a simple script
kiddie attack. He was probably using the exploited FTP site as storage for
warez, or as an fxp site.

While this attack itself is not exemplary of root attack, the fact that the
server wasn't configured correctly to begin with, leads one to assume that
other services were vulnerable to attack.





-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 10:41 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

There you go. I was afraid of that.
This guy had some knowledge. He built a sophisticated directory structure
that he KNEW would be hard to get rid of.





-Original Message-
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 8:32 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Well i think i found it and the customer isn't going to be happy.
I think someone backdoored him. So shutdown :)

I'll give you an update status in a day or 2
Thanks for all the help guys.

At 08:13 AM 8/16/2001 -0700, you wrote:



Better question:
What would make you assume he didn't?

-Original Message-
From: Bunting, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 8:02 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Assuming the machine was configured for anonymous logins, what would make
you believe he did anything else he wasn't allowed to do?

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 10:54 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Of course you still need to rebuild the box now.
Who knows what else this guy did to it.

-Original Message-
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 7:37 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Good one didn't think of that
going to try it now

At 09:36 AM 8/16/2001 -0500, you wrote:

can you change attributes from the command line?

-Original Message-
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 09:17
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Jup deleting it from the command line gave the same error: The parameter
is incorrect

At 10:19 AM 8/16/2001 -0400, you wrote:

Did you try deleting it from the command line?

-Original Message-
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 10:13 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

I dunno, can't rename can't move can do shit!
Very strange

At 09:10 AM 8/16/2001 -0500, you wrote:

Is it because "Com1"?

-Original Message-
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 09:03
To: NT System Admin Issues
Subject: STRANGE undeletable directory

Oke guys i have the following question.

A customer has his own w2ks box. Now he asked me to look at his machine
because he had a problem
I logged in and looked at the problem. The first thing i saw that here
was an ftp abuser. So i kicked him out.
But when i was going to delete the directories he made I stumbled upon
the strangest problem i've ever seen since a long time.

He made a map in the login directory that looked like this:

pub---
 |
 Com1--
 |
 Pub
 |
 Aux
 Aux (yes two times an identical directory)

It says "The parameter is incorrect" when i try to delete it. Looked at
the settings and everything. Still undeletable.

Any ideas guys.



















RE: STRANGE undeletable directory

2001-08-16 Thread Bunting, Jeff
I knew how to change the log settings, I wasn't sure which of the properties
recorded the FTP commands such as MKD. I just did a little experimenting and
found it is the Method (cs-method) property.

  -Original Message-
  From: xylog [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, August 16, 2001 2:58 PM
  To: NT System Admin Issues
  Subject: Re: STRANGE undeletable directory

  I had some bozo do this ^#@ to one of my boxes, here are the log entries:

  12:35:46 193.253.37.219 [4]USER anonymous 331
  12:35:46 193.253.37.219 [4]PASS [EMAIL PROTECTED] 230
  12:35:50 193.253.37.219 [4]MKD 010626143627p 257
  12:35:50 193.253.37.219 [4]RMD 010626143627p 250
  20:47:30 193.253.37.219 [5]USER anonymous 331
  20:47:30 193.253.37.219 [5]PASS [EMAIL PROTECTED] 230
  20:47:57 193.253.37.219 [5]MKD /.tmp 257
  20:47:59 193.253.37.219 [5]MKD /.tmp/Tag++Scan 257
  20:48:02 193.253.37.219 [5]MKD /.tmp/Tag++Scan/Genetic+SPECIE 257
  20:48:04 193.253.37.219 [5]MKD /.tmp/Tag++Scan/Genetic+SPECIE/for+DZ 257
  20:48:23 193.253.37.219 [5]QUIT - 257

  You set the log settings from the IIS management console snap-in in the
  FTP site properties page.

  xylog
  
- Original Message -
From: Bunting, Jeff
To: NT System Admin Issues
Sent: Thursday, August 16, 2001 1:19 PM
Subject: RE: STRANGE undeletable directory

What options need to be ticked to record the FTP commands in IIS? The
settings show the same categories as the WWW logs which don't intuitively
apply to FTP.

The default options just show the name of the file created.

  -Original Message-
  From: xylog [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, August 16, 2001 1:10 PM
  To: NT System Admin Issues
  Subject: Re: STRANGE undeletable directory

  Look in your FTP logs you will see exactly the command used to create
  those dirs.

  xylog
  
- Original Message -
From: Bunting, Jeff
To: NT System Admin Issues
Sent: Thursday, August 16, 2001 12:15 PM
Subject: RE: STRANGE undeletable directory

Because anonymous users have permission to create directories and this
fellow created directories.

I wasn't trying to imply the machine definitely wasn't hacked, but I've seen
this question arise before and always in an FTP directory. I was wondering
if there is some way to create these directories with reserved words via
normal FTP or HTTP commands. If there is, then the anonymous user would have
permission to create those directories again.

Jeff

  -Original Message-
  From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, August 16, 2001 11:14 AM
  To: NT System Admin Issues
  Subject: RE: STRANGE undeletable directory

  Better question:
  What would make you assume he didn't?

-Original Message-
From: Bunting, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 8:02 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Assuming the machine was configured for anonymous logins, what would make
you believe he did anything else he wasn't allowed to do?

  -Original Message-
  From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, August 16, 2001 10:54 AM
  To: NT System Admin Issues
  Subject: RE: STRANGE undeletable directory

  Of course you still need to rebuild the box now.
  Who knows what else this guy did to it.

-Original Message-
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 7:37 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Good one didn't think of that
going to try it now

At 09:36 AM 8/16/2001 -0500, you wrote:
can you change attributes from the command line?

-Original Message-
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 09:17
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Jup deleting it from the command line gave the same error: The parameter
is incorrect

At 10:19 AM 8/16/2001 -0400, you wrote

Re: STRANGE undeletable directory

2001-08-16 Thread xylog
Just FYI these log entries are from a Windows 2KS running IIS 5.0

xylog

  - Original Message -
  From: Bunting, Jeff
  To: NT System Admin Issues
  Sent: Thursday, August 16, 2001 4:34 PM
  Subject: RE: STRANGE undeletable directory

  This is what I was talking about earlier when it was suggested the server
  was hacked because of the funny directory names. I was speculating there
  might be a way to create those directories with the normal permissions given
  to the anonymous account in a write enabled directory. The original post
  about the server with the "aux" directory could very well have been hacked, I
  just wasn't sure if the presence of those directories in a public FTP folder
  was enough evidence to jump to that conclusion without looking at the
  logs.

  I did some experimenting and found I can't create the
  "com1.scanned.by.zog+++/+++/" directory under IIS5. Perhaps it can be
  done in IIS4? I'm running Serv-U FTP on all of the IIS4 machines so I
  can't test it there. The "+++COM2" and "null.upload" are legal though
  and can be deleted by normal means.

  On a related note, I've been getting some of the same people connecting to
  my server, some warez guys from France. I was watching their activity
  closely for awhile because they don't have download permissions from the
  uploads directory yet they continued to upload files which didn't make a lot
  of sense to me. I saw attempts at downloading, but nothing to indicate
  they were successful or coming in by other means, so I've just started banning
  their ip ranges because I'm tired of cleaning up all of the garbage on the ftp
  site.

  Jeff
  
-Original Message-
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 3:08 PM
To: NT System Admin Issues
Subject: Fw: STRANGE undeletable directory

OK here is one with the "undeletable" directory. The last one was just
plain dirs:

#Fields: time c-ip cs-method cs-uri-stem sc-status
07:53:08 217.128.73.112 [10]USER anonymous 331
07:53:08 217.128.73.112 [10]PASS [EMAIL PROTECTED] 230
07:53:32 217.128.73.112 [11]USER anonymous 331
07:53:32 217.128.73.112 [11]PASS [EMAIL PROTECTED] 230
07:54:29 217.128.73.112 [11]MKD Tagged+By+Gru+++/+++/ 257
07:54:42 217.128.73.112 [11]MKD Tagged+By+Gru+++/+++Board/ 257
07:55:14 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++/ 257    NOTICE com1
07:55:31 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++COM2/ 257    COM2
07:55:54 217.128.73.112 [11]MKD null.upload.by.derfy+++/+++/ 257    don't know what this null thingy is
07:56:11 217.128.73.112 [11]MKD null.upload.by.derfy+++/+++COM1/ 257
07:56:29 217.128.73.112 [11]MKD 07.27.01Reel_Fishing_Wild_DC-ECHELON 257

xylog

  - Original Message -
  From: xylog
  To: NT System Admin Issues
  Sent: Thursday, August 16, 2001 2:58 PM
  Subject: Re: STRANGE undeletable directory

  I had some bozo do this ^#@ to one of my boxes, here are the log entries:

  12:35:46 193.253.37.219 [4]USER anonymous 331
  12:35:46 193.253.37.219 [4]PASS [EMAIL PROTECTED] 230
  12:35:50 193.253.37.219 [4]MKD 010626143627p 257
  12:35:50 193.253.37.219 [4]RMD 010626143627p 250
  20:47:30 193.253.37.219 [5]USER anonymous 331
  20:47:30 193.253.37.219 [5]PASS [EMAIL PROTECTED] 230
  20:47:57 193.253.37.219 [5]MKD /.tmp 257
  20:47:59 193.253.37.219 [5]MKD /.tmp/Tag++Scan 257
  20:48:02 193.253.37.219 [5]MKD /.tmp/Tag++Scan/Genetic+SPECIE 257
  20:48:04 193.253.37.219 [5]MKD /.tmp/Tag++Scan/Genetic+SPECIE/for+DZ 257
  20:48:23 193.253.37.219 [5]QUIT - 257

  You set the log settings from the IIS management console snap-in in the
  FTP site properties page.

  xylog
  
- Original Message -
From: Bunting, Jeff
To: NT System Admin Issues
Sent: Thursday, August 16, 2001 1:19 PM
Subject: RE: STRANGE undeletable directory

What options need to be ticked to record the FTP commands in IIS? The
settings show the same categories as the WWW logs which don't intuitively
apply to FTP.

The default options just show the name of the file created.

  -Original Message-
  From: xylog [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, August 16, 2001 1:10 PM
  To: NT System Admin Issues
  Subject: Re: STRANGE undeletable directory

  Look in your FTP logs you will see exactly the command used to create
  those dirs.

  xylog
  
- Original Message - 
From: 
Bunting, Jeff 
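
As an added example (not code from any poster in this thread), the Python below parses FTP log lines in the "time c-ip cs-method cs-uri-stem sc-status" layout quoted above and flags successful MKD commands whose path contains a reserved DOS device name. The sample lines and their addresses are constructed, and it assumes "+" in cs-uri-stem stands for a space.

```python
import re

# DOS device names that Win32 path parsing reserves in every directory.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}

# Layout seen in the thread: time c-ip [session]cs-method cs-uri-stem sc-status
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<ip>\S+)\s+\[(?P<session>\d+)\]"
    r"(?P<method>[A-Za-z]+)\s+(?P<stem>\S+)\s+(?P<status>\d{3})\b"
)


def reserved_component(component):
    """Return the device name one path component collides with, else None."""
    # Assumption: '+' in cs-uri-stem stands for a space in the real name.
    name = component.replace("+", " ")
    # Trailing spaces/dots and any extension are ignored when the name is
    # matched against devices. Leading spaces are kept, so "   COM2" stays an
    # ordinary name, consistent with what the thread reports for "+++COM2".
    base = name.rstrip(" .").split(".", 1)[0].rstrip(" ").upper()
    return base if base in RESERVED else None


def flag_reserved_mkd(lines):
    """Return one finding per successful MKD/XMKD that names a device."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None or m["method"].upper() not in ("MKD", "XMKD"):
            continue
        if not m["status"].startswith("2"):
            continue  # the server refused it, so nothing was created
        devices = [d for d in map(reserved_component, m["stem"].split("/")) if d]
        if devices:
            findings.append(
                {"time": m["time"], "ip": m["ip"],
                 "path": m["stem"], "devices": devices}
            )
    return findings


# Constructed sample lines in the style of the entries quoted in the thread.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
07:53:08 192.0.2.10 [10]USER anonymous 331
07:53:08 192.0.2.10 [10]PASS guest@example.invalid 230
07:54:29 192.0.2.10 [11]MKD Tagged+By+Someone+++/+++/ 257
07:55:14 192.0.2.10 [11]MKD com1.scanned.by.example+++/+++/ 257
07:55:31 192.0.2.10 [11]MKD com1.scanned.by.example+++/+++COM2/ 257
07:55:54 192.0.2.10 [11]MKD null.upload.by.example+++/+++/ 257
07:56:40 192.0.2.10 [11]MKD /pub/Com1/Pub/Aux 257
07:56:52 192.0.2.10 [11]MKD /pub/lpt1. 550
""".splitlines()

if __name__ == "__main__":
    for hit in flag_reserved_mkd(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["path"], "->", ",".join(hit["devices"]))
```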
 

Re: STRANGE undeletable directory

2001-08-16 Thread Joseph Hom

maybe not identical. he could have created the second directory with a null
character. but microsoft said they fixed that problem of deleting
directories with null chars back in win 95b
- Original Message -
From: Wayne Langford [EMAIL PROTECTED]
To: NT System Admin Issues [EMAIL PROTECTED]
Sent: Thursday, August 16, 2001 3:49 PM
Subject: RE: STRANGE undeletable directory


Try rm.exe from the NT Resource Kit

-Original Message-
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 8:03 AM
To: NT System Admin Issues
Subject: STRANGE undeletable directory

Oke guys i have the following question.

A customer has his own w2ks box. Now he asked me to look at his machine
because he had a problem
I logged in and looked at the problem. The first thing i saw that here
was an ftp abuser. So i kicked him out.
But when i was going to delete the directories he made I stumbled upon
the strangest problem i've ever seen since a long
time.

He made a map in the login directory that looked like this:

pub---
|
Com1--
|
Pub
|
Aux
Aux (yes two times an identical directory)

It says "The parameter is incorrect" when i try to delete it. Looked at
the settings and everything. Still undeletable.

Any ideas guys.


