Is perl is installed on the said IIS server then there is a possibility.
shankar
> ----------
> From: Bunting, Jeff[SMTP:[EMAIL PROTECTED]]
> Reply To: NT System Admin Issues
> Sent: Friday, August 17, 2001 8:01 PM
> To: NT System Admin Issues
> Subject: RE: STRANGE undeletable directory
>
> No, you misunderstood; I'm not trying to remove a directory. I was trying
> to figure out *how* they are created. If you look at the log xylog
> posted:
>
> 07:55:14 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++/ 257
>
> it appears an anonymous FTP user created this directory. I was
> experimenting on a couple of machines here but couldn't get them to create
> a
> directory that starts with "com1". Jason showed me how to do it from a
> command line, but that doesn't work via FTP. I tried some variations on
> it
> but haven't hit on anything yet.
>
> Jeff
>
> -----Original Message-----
> From: Kevin Lundy [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 17, 2001 10:20 AM
> To: NT System Admin Issues
> Subject: RE: STRANGE undeletable directory
>
>
> Did you try the POSIX utility rm.exe from the resource kit?
>
> If you don't solve it soon, I've got a coworker who has solved it in the
> past with an old utility. I'll ask him when he gets in later.
>
> -----Original Message-----
> From: Bunting, Jeff [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 17, 2001 10:10 AM
> To: NT System Admin Issues
> Subject: RE: STRANGE undeletable directory
>
>
> Thanks! I'd tried several variations but hadn't come up with that one
> yet.
> Have you got a trick to do it via FTP?
>
> Jeff
>
> -----Original Message-----
> From: Hodson, Jason [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 17, 2001 9:58 AM
> To: NT System Admin Issues
> Subject: RE: STRANGE undeletable directory
>
>
> md \\.\c:\com1
>
> to remove:
>
> rd \\.\c:\com1
>
> -----Original Message-----
> From: Bunting, Jeff [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 17, 2001 9:36 AM
> To: NT System Admin Issues
> Subject: RE: STRANGE undeletable directory
>
>
> That is interesting; I can't seem to be able to create a directory that
> starts with "com1" by any normal means.
> -----Original Message-----
> From: xylog [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 16, 2001 5:16 PM
> To: NT System Admin Issues
> Subject: Re: STRANGE undeletable directory
>
>
> Just FYI these log entries are from a Windows 2KS running IIS 5.0
>
> xylog
> ----- Original Message -----
> From: Bunting, Jeff
> To: NT System Admin Issues
> Sent: Thursday, August 16, 2001 4:34 PM
> Subject: RE: STRANGE undeletable directory
>
>
> This is what I was talking about earlier when it was suggested the server
> was hacked because of the funny directory names. I was speculating there
> might be a way to create those directories with the normal permissions
> given
> to the anonymous account in a write enabled directory. The original post
> about the server with the "aux" directory could very well have been
> hacked,
> I just wasn't sure if the presence of those directories in a public FTP
> folder was enough evidence to jump to that conclusion without looking at
> the
> logs.
>
> I did some experimenting and found I can't create the
> "com1.scanned.by.zog+++/+++/" directory under IIS5. Perhaps it can be
> done
> in IIS4? I'm running Serv-U FTP on all of the IIS4 machines so I can't
> test
> it there. The "+++COM2" and "null.upload" are legal though and can be
> deleted by normal means.
>
> On a related note, I've been getting some of the same people connecting to
> my server, some warez guys from France. I was watching their activity
> closely for awhile because they don't have download permissions from the
> uploads directory yet they continued to upload files which didn't make a
> lot
> of sense to me. I saw attempts at downloading, but nothing to indicate
> they
> were successful or coming in by other means, so I've just started banning
> their ip ranges because I'm tired of cleaning up all of the garbage on the
> ftp site.
>
> Jeff
> -----Original Message-----
> From: xylog [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 16, 2001 3:08 PM
> To: NT System Admin Issues
> Subject: Fw: STRANGE undeletable directory
>
>
> OK here is one with the "undeletable" directory. The last one was just
> plain
> dirs:
>
> #Fields: time c-ip cs-method cs-uri-stem sc-status
> 07:53:08 217.128.73.112 [10]USER anonymous 331
> 07:53:08 217.128.73.112 [10]PASS [EMAIL PROTECTED] 230
> 07:53:32 217.128.73.112 [11]USER anonymous 331
> 07:53:32 217.128.73.112 [11]PASS [EMAIL PROTECTED] 230
> 07:54:29 217.128.73.112 [11]MKD Tagged+By+Gru+++/+++/ 257
> 07:54:42 217.128.73.112 [11]MKD Tagged+By+Gru+++/+++Board/ 257
> 07:55:14 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++/ 257
> <<NOTICE com1
> 07:55:31 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++COM2/ 257
> <<COM2
> 07:55:54 217.128.73.112 [11]MKD null.upload.by.derfy+++/+++/ 257
> <<dont know what this null thingy is
> 07:56:11 217.128.73.112 [11]MKD null.upload.by.derfy+++/+++COM1/ 257
> 07:56:29 217.128.73.112 [11]MKD 07.27.01Reel_Fishing_Wild_DC-ECHELON 257
>
> xylog
> ----- Original Message -----
> From: xylog
> To: NT System Admin Issues
> Sent: Thursday, August 16, 2001 2:58 PM
> Subject: Re: STRANGE undeletable directory
>
>
> I had some bozo do this ^#@& to one of my boxes, here is the log entires:
>
> 12:35:46 193.253.37.219 [4]USER anonymous 331
> 12:35:46 193.253.37.219 [4]PASS [EMAIL PROTECTED] 230
> 12:35:50 193.253.37.219 [4]MKD 010626143627p 257
> 12:35:50 193.253.37.219 [4]RMD 010626143627p 250
> 20:47:30 193.253.37.219 [5]USER anonymous 331
> 20:47:30 193.253.37.219 [5]PASS [EMAIL PROTECTED] 230
> 20:47:57 193.253.37.219 [5]MKD /.tmp 257
> 20:47:59 193.253.37.219 [5]MKD /.tmp/Tag+&+Scan 257
> 20:48:02 193.253.37.219 [5]MKD /.tmp/Tag+&+Scan/Genetic+SPECIE 257
> 20:48:04 193.253.37.219 [5]MKD /.tmp/Tag+&+Scan/Genetic+SPECIE/for+DZ 257
> 20:48:23 193.253.37.219 [5]QUIT - 257
>
> You set the log settings from the IIS management console snap-in in the
> FTP
> site properties page.
>
> xylog
> ----- Original Message -----
> From: Bunting, Jeff
> To: NT System Admin Issues
> Sent: Thursday, August 16, 2001 1:19 PM
> Subject: RE: STRANGE undeletable directory
>
>
> What options need to be ticked to record the FTP commands in IIS? The
> settings show the same categories as the WWW logs which don't intuitively
> apply to FTP.
>
> The deaults options just show the name of the file created.
> -----Original Message-----
> From: xylog [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 16, 2001 1:10 PM
> To: NT System Admin Issues
> Subject: Re: STRANGE undeletable directory
>
>
> Look in your FTP logs you will see exactly the command used to create
> those
> dirs.
>
> xylog
> ----- Original Message -----
> From: Bunting, Jeff
> To: NT System Admin Issues
> Sent: Thursday, August 16, 2001 12:15 PM
> Subject: RE: STRANGE undeletable directory
>
>
> Because anonymous users have permission to create directories and this
> fellow created directories.
>
> I wasn't trying to imply the machine definitely wasn't hacked, but I've
> seen
> this question arise before and always in an FTP directory. I was
> wondering
> if there is some way to create these directories with reserved words via
> normal FTP or HTTP commands. If there is, then the anonymous user would
> have permission to create those directories again.
>
> Jeff
> -----Original Message-----
> From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 16, 2001 11:14 AM
> To: NT System Admin Issues
> Subject: RE: STRANGE undeletable directory
>
>
> Better question:
> What would make you assume he didn't?
> -----Original Message-----
> From: Bunting, Jeff [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 16, 2001 8:02 AM
> To: NT System Admin Issues
> Subject: RE: STRANGE undeletable directory
>
>
> Assuming the machine was configured for anonymous logins, what would make
> you believe he did anything else he wasn't allowed to do?
> -----Original Message-----
> From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 16, 2001 10:54 AM
> To: NT System Admin Issues
> Subject: RE: STRANGE undeletable directory
>
>
> Of course you still need to rebuild the box now.
> Who knows what else this guy did to it.
> -----Original Message-----
> From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 16, 2001 7:37 AM
> To: NT System Admin Issues
> Subject: RE: STRANGE undeletable directory
>
>
> Good one didnt think of that
> going to try it now
>
> At 09:36 AM 8/16/2001 -0500, you wrote:
>
> can you change attributes from the command line?
> -----Original Message-----
> From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 16, 2001 09:17
> To: NT System Admin Issues
> Subject: RE: STRANGE undeletable directory
>
>
> Jup deleting it from the command line gave the same error: The parameter
> is
> incorrect
>
>
>
>
>
>
> At 10:19 AM 8/16/2001 -0400, you wrote:
> Did you try deleting it from the command line?
>
> -----Original Message-----
> From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 16, 2001 10:13 AM
> To: NT System Admin Issues
> Subject: RE: STRANGE undeletable directory
>
>
> I dunno, cant rename cant move can do shit!
> Very strange
>
>
> At 09:10 AM 8/16/2001 -0500, you wrote:
> Is it because "Com1"?
> -----Original Message-----
> From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 16, 2001 09:03
> To: NT System Admin Issues
> Subject: STRANGE undeletable directory
>
>
> Oke guys i have the following question.
>
>
> A customer has his own w2ks box. Now he asked me to look at his machine
> because he had a problem
> I logged in and looked at the problem. The first thing i saw that here was
> an ftp abuser. So i kicked him out.
> But when i was going to delete the directories he made I stumbled upon the
> strangest problem i've ever seen since a long
> time.
>
>
> He made a map in the login directory that looked like this:
>
>
> pub---
> |
> Com1--
> |
> Pub----
> |
> Aux
> Aux (yes two times an identical directory)
>
>
> It says "The parameter is incorrect" when i try to delete it. Looked at
> the
> settings and everything. Still undeletable.
>
>
> Any ideas guys.
>
>
>
>
>
>
>
>
>
>
> Met vriendelijke groet,
>
>
>
>
>
>
>
>
>
>
> M. Eindhoven
> NT System Administrator
> Bevelander Internet Services B.V.
> Folkstoneweg 10
> 1118 LM SCHIPHOL Zuidoost
> Tel : 020 40 53 900
> Fax : 020 40 53 910
> http://www.bevelander.nl
> =================================================
> This communication contains information which is confidential and
> may also be privileged. It is for the exclusive use of the
> intended recipient(s). If you are not the intended recipient(s),
> please note that any distribution, copying or use of this
> communication or the information in it is strictly prohibited.
> If you have received this communication in error, please notify
> the sender immediately and then destroy any copies of it.
> =================================================
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> Met vriendelijke groet,
>
>
> M. Eindhoven
> NT System Administrator
> Bevelander Internet Services B.V.
> Folkstoneweg 10
> 1118 LM SCHIPHOL Zuidoost
> Tel : 020 40 53 900
> Fax : 020 40 53 910
> http://www.bevelander.nl
> =================================================
> This communication contains information which is confidential and
> may also be privileged. It is for the exclusive use of the
> intended recipient(s). If you are not the intended recipient(s),
> please note that any distribution, copying or use of this
> communication or the information in it is strictly prohibited.
> If you have received this communication in error, please notify
> the sender immediately and then destroy any copies of it.
> =================================================
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> Met vriendelijke groet,
>
>
> M. Eindhoven
> NT System Administrator
> Bevelander Internet Services B.V.
> Folkstoneweg 10
> 1118 LM SCHIPHOL Zuidoost
> Tel : 020 40 53 900
> Fax : 020 40 53 910
> http://www.bevelander.nl
> =================================================
> This communication contains information which is confidential and
> may also be privileged. It is for the exclusive use of the
> intended recipient(s). If you are not the intended recipient(s),
> please note that any distribution, copying or use of this
> communication or the information in it is strictly prohibited.
> If you have received this communication in error, please notify
> the sender immediately and then destroy any copies of it.
> =================================================
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> Met vriendelijke groet,
>
>
> M. Eindhoven
> NT System Administrator
> Bevelander Internet Services B.V.
> Folkstoneweg 10
> 1118 LM SCHIPHOL Zuidoost
> Tel : 020 40 53 900
> Fax : 020 40 53 910
> http://www.bevelander.nl
> =================================================
> This communication contains information which is confidential and
> may also be privileged. It is for the exclusive use of the
> intended recipient(s). If you are not the intended recipient(s),
> please note that any distribution, copying or use of this
> communication or the information in it is strictly prohibited.
> If you have received this communication in error, please notify
> the sender immediately and then destroy any copies of it.
> =================================================
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
