can't view directory created by hacker...

Agustin Chernitsky
Hi guys,

I found a service, which was created by a hacker, pointing to an exe file
with this path: c:\WINNT\system32\vxd\poissonbulle\here\nbthlp.exe

Now, I can browse up to c:\winnt\system32\vxd\, but if I do a "dir", I get
nothing:

<<<<
Directory of C:\WINNT\system32\vxd

20/01/2004 08:12a <DIR> .
20/01/2004 08:12a <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 37.210.169.344 bytes free

Still, if I do a cd \WINNT\system32\vxd\poissonbulle\here\ I can access
that directory:

<<<<
C:\>cd \WINNT\system32\vxd\poissonbulle\here
C:\WINNT\system32\vxd\poissonbulle\here>dir

Directory of C:\WINNT\system32\vxd\poissonbulle\here

31/01/2004 01:37p <DIR> .
31/01/2004 01:37p <DIR> ..
20/01/2004 08:48a <DIR> dmp
31/01/2004 01:37p 1.024 nbthlp.sys
31/01/2004 01:37p 49 ServUStartUpLog.txt
2 File(s) 1.073 bytes
3 Dir(s) 37.209.870.336 bytes free

The funny thing is that doing a "cd .." I get:

<<<<
C:\WINNT\system32\vxd\poissonbulle\here>cd ..
The system cannot find the file specified.

As you can see, I can't see the .exe file either...

My question is: is there a way I can see these kinds of directories? I would
like to see if there are more directories hidden in my system like this...

I tried doing a dir /ad from C:\WINNT\system32\vxd\, but nothing...

I know I can remove the directory using rmdir \\.\c:\winnt\system32\vxd /s

By the way, since the directory is invalid, this service PID doesn't show in
any process viewer or taskmanager (good trick).

Thanks!

Agustin

Note: x-posted from microsoft.public.win2000.security
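The symptom in this post (a path that opens directly but is missing from its parent's listing) is the classic footprint of a rootkit filtering directory enumeration, and the standard defender check is a cross-view comparison. The following is an added example, not code from the thread: it takes paths learned from another source (here, constructed service ImagePath values modelled on the post) and flags every component that exists but is absent when its parent is enumerated. The listing and exists callables are injected so the same logic runs on the constructed sample data below or on a live host.

```python
import ntpath
from typing import Callable, Iterable, List, Set, Tuple

def parent_child_pairs(path: str) -> List[Tuple[str, str]]:
    r"""r'C:\a\b' -> [('C:\\', 'a'), ('C:\\a', 'b')], one pair per component."""
    drive, rest = ntpath.splitdrive(path)
    parent, pairs = drive + "\\", []
    for part in [p for p in rest.split("\\") if p]:
        pairs.append((parent, part))
        parent = ntpath.join(parent, part)
    return pairs

def find_hidden_components(paths: Iterable[str], list_dir: Callable[[str], Set[str]],
                           exists: Callable[[str], bool]) -> List[str]:
    """Paths that open directly but are absent from their parent's listing.
    On a live host pass lambda d: set(os.listdir(d)) and os.path.exists;
    NTFS names compare case-insensitively, so everything is lowercased."""
    hidden, seen = [], set()
    for path in paths:
        for parent, child in parent_child_pairs(path):
            full = ntpath.join(parent, child)
            if full.lower() in seen:
                continue
            seen.add(full.lower())
            if not exists(full):
                continue  # dangling ImagePath: a different finding, not "hidden"
            if child.lower() not in {n.lower() for n in list_dir(parent)}:
                hidden.append(full)
    return hidden

# Constructed sample modelling the thread: "dir" of vxd shows nothing, the
# nested path still opens, and nbthlp.exe is missing from the "here" listing.
VXD = "c:\\winnt\\system32\\vxd"
SAMPLE_LISTING = {
    "c:\\": {"WINNT"}, "c:\\winnt": {"system32"},
    "c:\\winnt\\system32": {"vxd", "svchost.exe"}, VXD: set(),
    VXD + "\\poissonbulle": {"here"},
    VXD + "\\poissonbulle\\here": {"dmp", "nbthlp.sys", "ServUStartUpLog.txt"},
}
SAMPLE_EXISTING = {"c:\\winnt", "c:\\winnt\\system32", "c:\\winnt\\system32\\svchost.exe",
                   VXD, VXD + "\\poissonbulle", VXD + "\\poissonbulle\\here",
                   VXD + "\\poissonbulle\\here\\nbthlp.exe"}
SERVICE_PATHS = [r"c:\WINNT\system32\vxd\poissonbulle\here\nbthlp.exe",
                 r"C:\WINNT\system32\svchost.exe"]  # constructed, as if read from registry

def sample_list_dir(directory: str) -> Set[str]:
    return SAMPLE_LISTING.get(directory.lower(), set())

def sample_exists(path: str) -> bool:
    return path.lower() in SAMPLE_EXISTING
```

A kernel-mode rootkit can lie to both calls, so a clean result here is not proof of a clean host; an offline scan of the volume is the stronger check.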
 
Hello,
There may be some easier ways of doing this, such as using POSIX commands and maybe even the MS-DOS RD command. However, you should be able to
use diskprobe and search for the file name using a UNICODE search. You can speed the search up if you know the offset to look for, and don't forget
about the short filename. I don't remember the offsets for the file name. It may be 0F2 for long filenames and 016A for short filenames. Oh, also select ignore
case while doing the search.

When you find the file name, change it or remove some of the name so that it has white spaces. Or even better, remove most of the information on that sector.
Quit diskprobe and run chkdsk. Chkdsk should fix the file and then you should be able to delete it.

Joe Griffin [MS]
Windows 2000 Server Setup Team
 
Hi Joe,

I ran POSIX tools from reskit, but no way... Look:

C:\WINNT\system32>rm -d "//C/WINNT/system32/v"
rm: //C/WINNT/system32/v: File exists.

I even tried this:

C:\WINNT\system32>rm -r "//C/WINNT/system32/v/poissonbulle/here/"
rm: //C/WINNT/system32/v/poissonbulle/here/: File exists.

so.. I'm stuck here....

Any ideas?? Or I will have to live with this directory forever?

Cheers!

 
Use diskprobe as I suggested. I have successfully removed files this way in the past.
Joe Griffin
Windows 2000 Server Setup Team
 
Hi, Agustin.

The old DOS tricks might work. Open a "DOS" window and navigate to the
..\vxd folder. Then type: dir /a /x

This should give you the usual Directory listing, but the /a will show ALL
files and folders, including those with attributes (system, hidden,
read-only) set. And the /x will add a column showing Short File Names (also
known as SFN or 8.3 filenames).

If you are sure that you want to wipe out EVERYTHING in the poissonbulle
folder, then get its SFN and type at the command prompt: rd <SFN> /s. When
it asks "are you sure", say Yes.

This should Remove the Directory, including all subdirectories and files.

If you need (or want) to be more selective, then use the Dir command - with
switches - to find SFNs for your various files and folders and navigate
through them.

RC
 
Hi R. C.,

The DOS trick doesn't work... I can't get a list of any files... and the RD
<SFN> /s gives "directory not empty" error.

I will need to use diskprobe....

Thanks anyway!
 
Hi Joe,

Sorry I am following up this so late. I have time now to experiment on this.
I am using dskprobe on a test server... I am trying to rename a file, but I
can't seem to make it work.

I created a "test file.txt", and using dskprobe, I found 2 strings matching
in sectors 19646 & 36714. Both begin with the FILE attribute.

I tried renaming the file in both sectors (from "test file.txt" to
"ttst file.txt"), wrote the sector, quit dskprobe and ran chkdsk. Still, I
can see the original directory name, like nothing changed.

Am I missing something? Looks like I am....

Any help would really be appreciated!

Cheers!

 
Forget it...

I had a rootkit installed. I rebooted the server, and since I renamed a
directory, the rootkit never started up... I could remove the dirs with no
probs.
