Comments on: I've been hacked...

Question: I've been hacked...

springload — Tue, 28 Jun 2005 19:56:13 -0800

How to delete a folder that XP claims it cannot find?

I use XP pro's FTP server on my laptop for personal work-related file transfer. It's set for anonymous access with write permission from foreign computers. I left it up for some time and when I checked later, Mr 3lit3 h4xx0r jr had used my space as a dump for some of his stuff. The stuff is gone, only a hierarchy of folders left. Problem is: When I try to delete one of them, Windows says "No, I cannot find this file". How do I get rid of it then?

To avoid this in the future, what FTP server can you recommend? Free and as simple as possible is preferred. The built-in one is fine, except they say it's bad to use with non-anonymous login.

By: bshort

bshort — Tue, 28 Jun 2005 20:04:18 -0800

Why can't you just put a username / password on the directory using the XP ftp service? If you have a world-writeable anonymus FTP then it's very possible you'll get owned since anyone can write to it.

By: Daddio

Daddio — Tue, 28 Jun 2005 20:13:19 -0800

If you bring up a DOS prompt, can you list the folder with a dir command? If so, can you delete it with the rd command?

Have you tried coming up in safe mode and deleting the folder in question?

If all else fails, copy everything from the parent folder to a new folder, delete the old parent and all subfolders, and then copy everything back.

And bshort is right, don't ever leave an FTP server up with anonymous access... you're asking for trouble. Just put up a username/password and you should be OK.

By: pmbuko

pmbuko — Tue, 28 Jun 2005 20:15:39 -0800

Public FTP servers with anonymous access are one of the most exploited "resources" on the internet. Often a hacker will upload a hidden tool that will allow him to get back onto your computer even if the FTP server is removes. Definitely get a server program that allows you to restirct incoming connections to specific IP addresses or networks. This one may do the trick.

Mr 3lit3 h4xx0r jr may have left a rootkit on your computer that uses alternate data streams to avoid detection.

Use the command line to navigate to the folders in question and type "dir /a" to see if there are any hidden files in them. If there's something in there, you can download an ADS viewer tool to see if there's anything malicious in the files. Regarless, you'll want to delete the files.

By: delmoi

delmoi — Tue, 28 Jun 2005 21:20:17 -0800

pmbuko: unless the hacker had an exploit that let him run code, he couldn't have left anything there that actualy let him come back.

By: shepd

shepd — Tue, 28 Jun 2005 21:54:44 -0800

I always used warftpd on windows. It's free, supports EVERYTHING under the sun (IP restrictions, accounts, ratios, etc, etc). It's also stable.

You could lock it down by IP, but I'd just turn off anonymous and set up a username/password. If they crack the password either it was an incredibly dumb password (like "password") or they're good enough they could have hacked something else instead anyways.

Well, it's mostly free, although if you work for the government (excluding schools and NASA) you're not allowed to use it. Also if you work for the CBC, BBC, Petro-Canada or any other 50% or more government funded/owned company you can't use it.

Enjoy!

By: purephase

purephase — Tue, 28 Jun 2005 22:17:18 -0800

As Daddio said, you can probably remove this folder using DOS.

Open the command prompt, navigate to the parent folder that contains the problematic folder and instead of just a simple "dir" command, add the following switch:

dir /x

This will list the folders in the directory using their short names. Sometimes Windows balks at folders that use specific characters and have an extremely long folder name. I've never been able to re-create the problem in any consistent manner or else I would have let Microsoft know, but there is a weird problem with Windows (among many).

Anyway, take the short name. It will most likely be in the format FOLDER~1 (or similar). Just run the following command to remove the folder:

rd FOLDER~1

It should do the trick. As for the FTP recommendations in this thread, listen to them. There's some good advice there.

By: springload

springload — Wed, 29 Jun 2005 01:11:16 -0800

purephase: The /x switch did the trick. Thanks!

The reason for going anonymous would be that only windows logins can be assigned as FTP accounts, the PWs of which should not be sent around unencrypted. I planned to keep it up for a day or so but forgot to turn it off. With a million hotfixes installed I presumed not much damage could be done except my files being deleted.

I'll probably try warftpd next. Thanks shepd for that tip.

By: Elvis

Elvis — Wed, 29 Jun 2005 09:51:57 -0800

When this happened to us, we had to use a Unix box to log in and remove the folders, as the hacker had used naming conventions that Windows didn't recognize, using ~ characters and that sort of thing.

In our case we happened to have a SCO UNIX box on the network, so we just logged in and deleted directories.

S/he had also left some stuff to re-hack, so be sure to check everything and everywhere.

By: BeerGrin

BeerGrin — Wed, 29 Jun 2005 15:46:29 -0800

purephase writes "Anyway, take the short name. It will most likely be in the format FOLDER~1 (or similar). Just run the following command to remove the folder:

"rd FOLDER~1"

I have a like problem file only in Windows 2000. The comand line will not allow the rd comand because the target folder is not empty. Any ideas?