I've been hacked...
June 28, 2005 7:56 PM

How to delete a folder that XP claims it cannot find?

I use XP pro's FTP server on my laptop for personal work-related file transfer. It's set for anonymous access with write permission from foreign computers. I left it up for some time and when I checked later, Mr 3lit3 h4xx0r jr had used my space as a dump for some of his stuff. The stuff is gone, only a hierarchy of folders left. Problem is: When I try to delete one of them, Windows says "No, I cannot find this file". How do I get rid of it then?

To avoid this in the future, what FTP server can you recommend? Free and as simple as possible is preferred. The built-in one is fine, except they say it's bad to use with non-anonymous login.
posted by springload to Computers & Internet (9 answers total)
Why can't you just put a username / password on the directory using the XP ftp service? If you have a world-writeable anonymous FTP then it's very possible you'll get owned since anyone can write to it.
posted by bshort at 8:04 PM on June 28, 2005


If you bring up a DOS prompt, can you list the folder with a dir command? If so, can you delete it with the rd command?

Have you tried coming up in safe mode and deleting the folder in question?

If all else fails, copy everything from the parent folder to a new folder, delete the old parent and all subfolders, and then copy everything back.

And bshort is right, don't ever leave an FTP server up with anonymous access... you're asking for trouble. Just put up a username/password and you should be OK.
posted by Daddio at 8:13 PM on June 28, 2005


Public FTP servers with anonymous access are one of the most exploited "resources" on the internet. Often a hacker will upload a hidden tool that will allow him to get back onto your computer even if the FTP server is removed. Definitely get a server program that allows you to restrict incoming connections to specific IP addresses or networks. This one may do the trick.

Mr 3lit3 h4xx0r jr may have left a rootkit on your computer that uses alternate data streams to avoid detection.

Use the command line to navigate to the folders in question and type "dir /a" to see if there are any hidden files in them. If there's something in there, you can download an ADS viewer tool to see if there's anything malicious in the files. Regardless, you'll want to delete the files.
posted by pmbuko at 8:15 PM on June 28, 2005


pmbuko: unless the hacker had an exploit that let him run code, he couldn't have left anything there that actually let him come back.
posted by delmoi at 9:20 PM on June 28, 2005


I always used warftpd on windows. It's free, supports EVERYTHING under the sun (IP restrictions, accounts, ratios, etc, etc). It's also stable.

You could lock it down by IP, but I'd just turn off anonymous and set up a username/password. If they crack the password either it was an incredibly dumb password (like "password") or they're good enough they could have hacked something else instead anyways.

Well, it's mostly free, although if you work for the government (excluding schools and NASA) you're not allowed to use it. Also if you work for the CBC, BBC, Petro-Canada or any other 50% or more government funded/owned company you can't use it.

Enjoy!
posted by shepd at 9:54 PM on June 28, 2005


Best answer: As Daddio said, you can probably remove this folder using DOS.

Open the command prompt, navigate to the parent folder that contains the problematic folder and instead of just a simple "dir" command, add the following switch:

dir /x

This will list the folders in the directory using their short names. Sometimes Windows balks at folders that use specific characters and have an extremely long folder name. I've never been able to re-create the problem in any consistent manner or else I would have let Microsoft know, but there is a weird problem with Windows (among many).

Anyway, take the short name. It will most likely be in the format FOLDER~1 (or similar). Just run the following command to remove the folder:

rd FOLDER~1

It should do the trick. As for the FTP recommendations in this thread, listen to them. There's some good advice there.
posted by purephase at 10:17 PM on June 28, 2005


Response by poster: purephase: The /x switch did the trick. Thanks!

The reason for going anonymous would be that only Windows logins can be assigned as FTP accounts, the PWs of which should not be sent around unencrypted. I planned to keep it up for a day or so but forgot to turn it off. With a million hotfixes installed I presumed not much damage could be done except my files being deleted.

I'll probably try warftpd next. Thanks shepd for that tip.
posted by springload at 1:11 AM on June 29, 2005


When this happened to us, we had to use a Unix box to log in and remove the folders, as the hacker had used naming conventions that Windows didn't recognize, using ~ characters and that sort of thing.

In our case we happened to have a SCO UNIX box on the network, so we just logged in and deleted directories.

S/he had also left some stuff to re-hack, so be sure to check everything and everywhere.
posted by Elvis at 9:51 AM on June 29, 2005


purephase writes "Anyway, take the short name. It will most likely be in the format FOLDER~1 (or similar). Just run the following command to remove the folder:

rd FOLDER~1"

I have a like problem, only in Windows 2000. The command line will not allow the rd command because the target folder is not empty. Any ideas?
posted by BeerGrin at 3:46 PM on June 29, 2005
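purephase's dir /x plus rd recipe and BeerGrin's "directory is not empty" case, combined into one cmd.exe batch script. This is an added example and not code posted by anyone in the thread; the script name cleanup-dump.cmd, the use of dir /b /a:d (so hidden folders, the kind pmbuko's dir /a would reveal, are included) and the %~snx modifier as the way to obtain the 8.3 short names are my choices, not something the thread specifies.

```batch
@echo off
rem Added example, not from the thread: list every subfolder of a parent
rem directory with its 8.3 short name, then remove each one through that short
rem name so cmd.exe never has to resolve the long name it "cannot find".
rem Usage:  cleanup-dump.cmd [parent-folder]    (default: current folder)
setlocal EnableExtensions
if not "%~1"=="" (
    pushd "%~1" || (echo Cannot open "%~1" & exit /b 1)
)

echo Subfolders found (long name  -^>  short name):
rem dir /b /a:d also returns hidden and system folders, which a plain
rem "for /d %%F in (*)" would skip. %%~snxF expands to the 8.3 name+extension.
for /f "delims=" %%F in ('dir /b /a:d') do echo   "%%F"  -^>  "%%~snxF"

echo.
set "ANSWER="
set /p ANSWER=Remove ALL of the folders above via their short names? [y/N] 
if /i not "%ANSWER%"=="y" goto :done

for /f "delims=" %%F in ('dir /b /a:d') do (
    rem rd /s deletes the folder's contents too, which is the "directory is
    rem not empty" failure BeerGrin hit; /q skips the per-folder prompt.
    rd /s /q "%%~snxF" && echo   removed  "%%F" || echo   FAILED   "%%F"
)

:done
if not "%~1"=="" popd
endlocal
```

Run the listing step first and check it against what you expect to see in that parent folder; the removal pass deletes every subfolder it lists, not only the ones the intruder created.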

