tagged files left-over from old FTP hack

Thread starter: Bruce Rhodewalt

We're reasonably certain that we've closed our system well
after a hack about 16 months ago. (No recurrence.) But
we still have a few directories left over that I want to
delete and have been unable to.

The folder names themselves seem to have non-printing
characters in them. I have tried cacls, rm.exe, subinacl
and all the usual rd tricks recommended in the KB. Any
suggestions?

In the snapshot below, the "bad" folder is renameable
(was "images"), and there apparently is no real file
locking going on. (I've searched using Process Explorer.)

D:\Sites\Root\xbad\www>dir
Volume in drive D is Online
Volume Serial Number is A03E-D0CA

Directory of D:\Sites\Root\xbad\www

01/12/2004 11:11a <DIR> .
01/12/2004 11:11a <DIR> ..
01/12/2004 08:52a <DIR> bad
07/28/2002 05:40a <DIR> tagged by the REFEREE .
0 File(s) 0 bytes
4 Dir(s) 4,937,461,760 bytes free

D:\Sites\Root\xbad\www>rmdir /s bad
bad, Are you sure (Y/N)? y
bad\ - The process cannot access the file because it is
being used by another process.

D:\Sites\Root\xbad\www>dir bad
Volume in drive D is Online
Volume Serial Number is A03E-D0CA

Directory of D:\Sites\Root\xbad\www\bad

01/12/2004 08:52a <DIR> .
01/12/2004 08:52a <DIR> ..
07/20/2002 01:39a <DIR>
0 File(s) 0 bytes
3 Dir(s) 4,937,461,760 bytes free

D:\Sites\Root\xbad\www>rm /d "tagged by the REFEREE . "
rm: /d: No such file or directory.
rm: tagged by the REFEREE . : Permission denied.


Thanks.
Bruce
 
You can use diskprobe to search sectors on the drive. This could be
destructive if you are not familiar with using diskprobe.
This is the process I have used in the past.

"We used diskprobe to search for a pattern match of the file at offset 0EA
using a unicode search. Then we would write zeros across most of the sector
containing the file name in the MFT (starting about offset 0EA and
continuing to the end-of-file marker, which is hex FF FF FF FF 82 79 47 11).
We then went to a command prompt and ran chkdsk. Chkdsk would move the
information into the found folder. Now we can delete the information. We
could not remove the ftproot directory in this manner until we stopped the
ftp, www, and IISadmin services. After stopping these services we are able
to delete the ftproot folder. This may need to be done repeatedly until all
of the files are deleted."

Joe Griffin [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "Bruce Rhodewalt"
Subject: tagged files left-over from old FTP hack
Date: Mon, 12 Jan 2004 13:57:57 -0800
Newsgroups: microsoft.public.win2000.file_system
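Before zeroing MFT records with diskprobe, the non-destructive route is worth trying. The names in the thread ("tagged by the REFEREE . " with a trailing dot and space, and a child of "bad" whose name does not print at all) are legal to NTFS but are mangled by the Win32 path parser: it strips trailing dots and spaces and refuses device names, so cmd's rd, the rm.exe port and Explorer never hand NTFS the name that is actually on disk. Prefixing an absolute path with \\?\ makes the Win32 layer skip that normalisation and pass the components through verbatim. The following is an added example (Python 3, not code from either poster): it lists each entry with invisible characters escaped, states why the Win32 layer cannot address it, and with --delete removes the tree through extended-length paths. The directory D:\Sites\Root\xbad\www is from the thread; the function names, the --delete flag and the assumption of a current Windows with Python 3 are this example's own (the 2000-era box in the thread would use the same prefix from cmd, e.g. rd "\\?\D:\Sites\Root\xbad\www\tagged by the REFEREE . ").

```python
r"""List, and optionally delete, NTFS entries whose names the Win32 path
parser cannot address (trailing dots/spaces, control characters, device
names). Added example for this thread, not code from either poster.
The analysis functions run anywhere; the delete step is Windows-only.
"""
import os
import sys

# Win32 treats these stems (with or without an extension) as device names.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})


def reveal(name):
    r"""Printable form of a file name: every control, space or non-ASCII
    character is shown as a \xNN or \uNNNN escape so nothing is invisible
    in a console listing (the 'dir' output in the thread hid exactly these)."""
    out = []
    for ch in name:
        if ch.isascii() and ch.isprintable() and ch != " ":
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def win32_mangles(name):
    """Reasons the Win32 path parser (used by cmd, Explorer and Win32 ports
    of rm) will not pass this exact name through to NTFS. Empty list means
    the name is addressable with ordinary calls."""
    reasons = []
    if name != name.rstrip(" ."):
        reasons.append("trailing space/dot is stripped before the call reaches NTFS")
    if any(ord(c) < 0x20 for c in name):
        reasons.append("contains control characters")
    if name.split(".")[0].upper() in RESERVED:
        reasons.append("stem is a reserved device name")
    if any(c in '<>:"/|?*' for c in name):
        reasons.append("contains characters Win32 rejects in a path component")
    return reasons


def extended_path(path):
    r"""Return the \\?\ form of an absolute path. With this prefix the Win32
    layer skips normalisation and hands the components to NTFS verbatim;
    a UNC path \\server\share becomes \\?\UNC\server\share."""
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def rmtree_raw(path):
    r"""Delete a directory tree through extended-length paths and return the
    number of entries removed (including the root). Windows only: os.scandir,
    os.remove and os.rmdir pass \\?\ paths to the same FindFirstFileW /
    DeleteFileW / RemoveDirectoryW calls that cmd's rd uses, minus the parsing."""
    root = extended_path(path)
    removed = 0
    with os.scandir(root) as it:
        for entry in it:
            # Do not follow junctions or symlinks out of the tree being removed.
            if entry.is_dir(follow_symlinks=False):
                removed += rmtree_raw(entry.path)
            else:
                os.remove(entry.path)
                removed += 1
    os.rmdir(root)
    return removed + 1


def main(argv):
    if len(argv) < 2:
        print("usage: python reveal_names.py <directory> [--delete]")
        return 2
    target, do_delete = argv[1], "--delete" in argv[2:]
    with os.scandir(extended_path(target)) as it:
        for entry in it:
            kind = "DIR " if entry.is_dir(follow_symlinks=False) else "FILE"
            reasons = win32_mangles(entry.name) or ["addressable by ordinary Win32 calls"]
            print(kind, reveal(entry.name).ljust(40), "; ".join(reasons))
    if do_delete:
        print("removed", rmtree_raw(target), "entries under", target)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the parent first (python reveal_names.py D:\Sites\Root\xbad\www) to see the escaped names, then against the offending directory with --delete. Unlike the MFT-zeroing procedure, nothing here touches on-disk structures directly, and no services need to be stopped; if a name still will not go, dir /x shows the 8.3 short alias, which can be passed to rd instead of the long name.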
 