Try using the good old command prompt as administrator (Start->Run->Cmd).
One command that will be useful is dir /x, which will show you the names of the folders and files in 8.3 format. Then del and rmdir.






From: "Don Phillipe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: MS IIS 5 server is hacked leaving undeletable folders and files
Date: Tue, 31 Dec 2002 10:54:34 -0600

I have a small server I use for my home business and use it mainly for
anyone who needs to send a large file that will not go through email. I
have an anonymous UPLOAD FTP account that I open up to receive these. From
time to time I forget and leave this open (I know this is stupid but I
thought I could just erase anything that was put there because the small
drive would fill up real soon). However, I see someone has hacked into my
server and put a bunch of trash that I cannot delete because when I try to
delete it, Windows 2K says "cannot find the specified file". I have spent
2 days researching this and cannot find any reference of how to correct
this. I did find some reference to looking at the security tab for these
files but the security tab is missing! I found some tools which are
supposed to set owners for files and they don't work on these files. Here
is the log from where the hacker attacked below. Any help would be
appreciated. I don't want to have to rebuild my server if possible:



#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-12-30 06:38:21
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:38:21 80.11.214.63 [1]USER anonymous 331
06:38:21 80.11.214.63 [1]PASS [EMAIL PROTECTED] 230
06:38:24 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg%d%D+/divx/rpc-acb.043 550
06:54:31 80.11.214.63 [1]created rpc-acb.043 226
06:54:32 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg%d%D+/divx/rpc-acb.044 550
07:10:38 80.11.214.63 [1]created rpc-acb.044 226
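
As an added example (not part of either message above), this Python sketch scans an IIS FTP log in the field layout quoted in the post and flags path components that ordinary Win32 tools handle specially: reserved DOS device names such as com3, lpt2 and aux, and names ending in a space (which IIS logs as "+") or a dot. The sample log, its addresses and the function names are constructed for this example.

```python
import re

# Names the Win32 layer reserves for DOS devices (with or without an extension).
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.I)

# Constructed sample in the "#Fields" layout from the post; the addresses
# (documentation range) and paths are made up for this example.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:38:21 192.0.2.10 [1]USER anonymous 331
06:38:24 192.0.2.10 [1]sent /upload/com3+/lpt2+/x/aux+/divx/file.001 550
06:40:02 192.0.2.10 [1]created /upload/report.zip 226
06:41:10 192.0.2.77 [2]created /upload/docs./notes.txt 226
"""

def component_problems(component):
    """Return the reasons one path component is awkward for Win32 tools."""
    # IIS writes a space as '+', so a literal '+' in a name is ambiguous here.
    name = component.replace("+", " ")
    stripped = name.rstrip(" .")
    reasons = []
    if name != stripped:
        reasons.append("trailing space or dot")
    if RESERVED.match(stripped):
        reasons.append("reserved device name")
    return reasons

def scan(log_text):
    """Return (time, client_ip, command, uri, problems) per suspicious entry."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 5:
            continue  # directive line or malformed entry
        time, ip, command, uri = parts[:4]
        problems = {}
        for comp in uri.split("/"):
            reasons = component_problems(comp)
            if reasons:
                problems[comp] = reasons
        if problems:
            findings.append((time, ip, command, uri, problems))
    return findings

if __name__ == "__main__":
    for time, ip, command, uri, problems in scan(SAMPLE_LOG):
        print(time, ip, command, uri)
        for comp, reasons in problems.items():
            print("    %r: %s" % (comp, ", ".join(reasons)))
```

Entries flagged this way identify the client addresses and upload paths to review, and the directories that dir /x should list with 8.3 names.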
