How to delete files on a compromised ftp server

[Guy]

Hi All,

I have a problem. My FTP server had become a dump site over the last
few weeks as I had rebuilt my computer and forgot to alter the FTP
access.
The info I have in the logs is

16:30:50 24.91.15.116 [105]USER anonymous 331
16:30:50 24.91.15.116 [105]PASS (e-mail address removed) 230
16:30:50 24.91.15.116 [105]sent
/+++/CoM3.%d%f%g_T@GGED_+/+++++++CoM9.%d%f%o,%20.6++++++++/CoM3.%2EI9626,%20+l/+++++++CoM9.%d%f%o,%20.4++++/++CoM9.%d%o%f,%20.5++++++/++++/+++.._0nly_f0r_AM_,.+/+/The.Simpsons.Too.Hot.For.TV.2003.XviDVD/tmn-tsth.r00
226
16:35:11 24.91.15.116 [105]sent
/+++/CoM3.%d%f%g_T@GGED_+/+++++++CoM9.%d%f%o,%20.6++++++++/CoM3.%2EI9626,%20+l/+++++++CoM9.%d%f%o,%20.4++++/++CoM9.%d%o%f,%20.5++++++/++++/+++.._0nly_f0r_AM_,.+/+/The.Simpsons.Too.Hot.For.TV.2003.XviDVD/tmn-tsth.r00
226
16:35:11 24.91.15.116 [105]sent
/+++/CoM3.%d%f%g_T@GGED_+/+++++++CoM9.%d%f%o,%20.6++++++++/CoM3.%2EI9626,%20+l/+++++++CoM9.%d%f%o,%20.4++++/++CoM9.%d%o%f,%20.5++++++/++++/+++.._0nly_f0r_AM_,.+/+/The.Simpsons.Too.Hot.For.TV.2003.XviDVD/tmn-tsth.r01
226
16:39:45 24.91.15.116 [105]sent
/+++/CoM3.%d%f%g_T@GGED_+/+++++++CoM9.%d%f%o,%20.6++++++++/CoM3.%2EI9626,%20+l/+++++++CoM9.%d%f%o,%20.4++++/++CoM9.%d%o%f,%20.5++++++/++++/+++.._0nly_f0r_AM_,.+/+/The.Simpsons.Too.Hot.For.TV.2003.XviDVD/tmn-tsth.r01
226

I think it is taking up about 18GB on my computer byt I can't get into
the directories to see what has been put in there and also I can't
delete the directories.

All I can see under my ftproot directory are two directories with a
single _ in them. When I double click on these I get more of these _
directories. Then I finally come to what looks like the above except
it just says "com1.%20%f%5%o%g.". When I click on this it says that
the directory refers to a location that is unavailable. How do I get
around this please.

Thanks,

 

[Guest]

I reviewed Microsoft Knowledge Base Article - 320081 -------- Cause 4, but this did not help me. I finally found a program called "Tritafile" at my last job that I downloaded. The program worked for me but I had to toy with it. I had to associate the folder with notepad to get past a "invalid date and time" error, I had to restart it a few times...but it did work..

I am running into this problem again at my current job and have so far not been successful. The file deletes with tritafile but then another folder appears in its place that has the same characteristics. I suspect a program is running that re-creates it but I have not be able to locate it

Anybody have any ideas?

 

[Drew Cooper [MSFT]]

Oh.exe is downloadable from MSFT. Sysinternals.com has handle.exe or
Process Explorer. All of them are free and any of them should be able to
tell you what process is opening a handle to the folder.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

I reviewed Microsoft Knowledge Base Article - 320081 -------- Cause 4, but

this did not help me. I finally found a program called "Tritafile" at my
last job that I downloaded. The program worked for me but I had to toy with
it. I had to associate the folder with notepad to get past a "invalid date
and time" error, I had to restart it a few times...but it did work...

I am running into this problem again at my current job and have so far not

been successful. The file deletes with tritafile but then another folder
appears in its place that has the same characteristics. I suspect a program
is running that re-creates it but I have not be able to locate it.