Thread: Funny folder

  1. #1
    Junior Member
    Join Date
    Dec 2004
    Posts
    3

    Funny folder

    Hi everyone,

    I'm one of those overworked, underpaid sysadmins, so I'll just get straight to the point. My inaugural first post, thanks.

    Anyways, it was a dark and stormy night when I left the office, after spending 18 straight hours on the system, setting up some servers (between playing Rome: Total War, that is). The last thing I did was to configure 2 installations of Microsoft IIS 5.0 and put them on the net, one being a web site, and the other being an FTP server. I was banging around with it, and was testing the permissions. It looked okay, so I clocked off and went back.

    The next morning when I came back in, a routine check revealed that there is this folder in the inetpub\ftproot that I didn't create. It's called 'S 33404 ' and I certainly didn't put it there. A quick netstat revealed an FTP connection to my server and I realised I had forgotten to revert the permission to 'read only'. I shut down the service immediately, and tried to delete that folder, but to no avail; it could not be deleted.

    The folder doesn't seem to be doing anything at the moment, I have checked the contents, but it's still sticking around. My question is: how do I get rid of it? Any suggestions would be really appreciated. In fact, I'll fall in love with you if you can tell me how to delete it BEFORE my boss finds out.
    sincerely,
    cow.

  2. #2
    Sounds to me like your server's been compromised (duh, I know that was an obvious answer by me). Couple of questions (don't be offended please):

    * System up-to-date with MS patches?
    * What ports are you allowing through your firewall to the server?
    * Have you stopped/disabled all unnecessary services?

    That folder can't be deleted probably because there's a process holding something in it open. Try booting into safe mode and remove it. I would also suggest you install some sort of trojan hunter such as Trojan Defense Suite (TDS3) http://tds.diamondcs.com.au/index.php?page=download and scan your system while in safe mode.

    A rootkit hunter might also be a good thing to run, but I've never used one, nor do I know which to recommend, so someone else here might suggest something.

  3. #3
    Junior Member
    Join Date
    Dec 2004
    Posts
    3
    Thanks for taking the time to reply.

    No worries about any offence, usually it's failure to do the simple things that I get into a bucket of ****. To answer your questions:

    1. All servers are at the latest patches.
    2. Port 21, 80 and plus any system ports. NAT is handled by the firewall, too...
    3. Only FTP and Web is running there.

    Here is the error message I get when I try to delete the folder:

    'Cannot delete file: cannot read from source file or disk'

    Does this mean that a process is still holding on to the folder?
    sincerely,
    cow.

  4. #4
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    You may experience the following symptoms on your Microsoft Windows 2000-based File Transfer Protocol (FTP) server:
    • New folders appear that do not belong in your FTP file structure.
    • When you try to use Windows Explorer to remove the folders from an FTP site, you may receive one of the following error messages:
    Access is denied
    Cannot delete File_name : Cannot read from the source file or disk
    • When you try to use the RD command to remove the folders from an FTP site, you may receive the following error message:
    The system cannot find the file specified
    • When you view the Properties dialog box for the folder, the Security tab is missing.
    • The new folders may have names such as Com1, Lpt1, CON, and PRN. Typically, these names are reserved for exclusive use by the operating system.
    CAUSE
    This problem may occur if a malicious attacker has damaged or altered the FTP site.
    RESOLUTION
    To remove these folders, use one of the following methods:

    Method 1
    Use the RD "folder_name /" command to remove the folders. For example, at a command prompt, type RD "folder_name /", and then press ENTER.

    Note You cannot use this method to remove a folder unless the folder is empty. Therefore, you must remove the folders, in order, starting from the folder at the end of the folder hierarchy.

    Method 2
    Use the folder short names to remove the folders. To determine the short names for the folders, type dir /x at the command prompt.

    Note This method applies even though the folders apparently do not use long file names.

    For example, if you have a folder that you cannot remove that is named "Test", follow these steps to remove the folder:
    1. At the command prompt, type dir /x. Information that is similar to the following appears:

    Directory of C:\Inetpub\ftproot\foldername

    02/26/2004 05:10p <DIR> .
    02/26/2004 05:10p <DIR> ..
    02/26/2004 05:10p <DIR> TEST~1 test

    In this example, the short name for the "Test" folder appears as "TEST~1".
    2. Type RD test~1, and then press ENTER to remove the folder.
    Note You cannot use this method to remove a folder unless the folder is empty. Therefore, you must remove the folders, in order, starting from the folder at the end of the folder hierarchy.

    Method 3
    You may not be able to use the methods that are provided earlier in this article to remove the folders, if the folders are using names that are reserved by the system. In this case, or if you want to perform a bulk operation and remove many folders with one command, you must back up the FTP structure, and then type RmDir \\.\ path\ftproot\folder_name /s to remove the FTP file structure. To do this, follow these steps:
    1. Use Microsoft Windows Backup or your preferred backup program to back up your FTP folders.
    2. Close Windows Explorer or any command prompt windows that may access the FTP folder structure.
    3. Remove the FTP component of Internet Information Services (IIS). To do this, follow these steps:
    a. In Control Panel, click Add/Remove Programs.
    b. Click Add/Remove Windows Components.
    c. Click Internet Information Services, and then click Details.
    d. Click to clear the File Transfer Protocol (FTP) Server check box, and then click OK.
    e. Click Next, and then click Finish.
    4. Type RmDir \\.\ path\ftproot\folder_name /s at the command prompt, and then press ENTER.

    For example, if your FTP root folder is in the default location in the C:\Inetpub folder, and the damaged FTP file structure is in a folder named "Test", type the following command, and then press ENTER:
    RmDir \\.\C:\Inetpub\ftproot\Test /s
    Warning This command will permanently delete the FTP file structure and all files that the structure contains. Verify that you have a working backup before you perform this step.
    5. Type Y to verify.
    6. Reinstall the FTP component of IIS. To do this, follow these steps:
    a. In Control Panel, click Add/Remove Programs.
    b. Click Add/Remove Windows Components.
    c. Click Internet Information Services, and then click Details.
    d. Click to select the File Transfer Protocol (FTP) Server check box, and then click OK.
    e. Click Next, and then click Finish.
    7. Use your backup program to restore the FTP structure that you want. For example, configure the restore process so that the problematic folders are not restored.

    Method 4
    To use the WebDav tool to remove folders with reserved names, follow these steps:
    1. On a Windows 2000-based computer, install the Front Page Server extensions if these extensions are not already installed.
    2. Click Start, point to Programs, point to Administrative Tools, and then click IIS Manager. Expand the server object, right-click the default Web site, point to New, and then click Virtual Directory. The Virtual Directory Wizard appears.
    3. On the first page of the Virtual Directory Wizard, click Next. On the Virtual Directory Alias page, type an alias for the new virtual directory, and then click Next.
    4. On the Web Site Content Directory page, locate the path of the folder that contains the files that you want to delete in the Entire Path to the Directory That Contains the Content box. Typically, this location is %winroot%\inetpub\ftproot.
    5. On the Access Permissions page, click to select the READ, WRITE, and BROWSE check boxes. Click Next, and then click Finish.
    6. Start Internet Explorer. On the File menu, click Open, and then click to select the Open as Web Folder check box.
    7. In the Open box, type the Web address for the Virtual Directory site that you just created and that contains the files that you want to delete. For example, type http://IP_address_of_the_Web server/Virtual_Directory_alias_from_step_3, and then click OK. Do not go to the ftproot or another folder where the reserved name may have been placed. The folder will appear in the browser window.
    8. Delete any suspicious files or folders. To delete a file or folder, right-click the file or folder, and then click Delete. If your ftp server requires authentication to access the server, an authentication dialog box appears. You must have administrative credentials to delete folders or files.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
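
A check for the folder names described in the article quoted in post #4 (a trailing space as in 'S 33404 ', or reserved device names such as Com1, Lpt1, CON, PRN), given as an added example that is not part of any poster's message or of the Microsoft article. The function names, the fuller reserved-name list (AUX, NUL, COM1-9, LPT1-9) and the sample tree are assumptions made here; the demo builds its tree on a filesystem that permits such names.

```python
import os
import tempfile

# DOS device names reserved by Win32 path parsing (the article lists Com1, Lpt1, CON, PRN;
# the rest of this set is added here).
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}


def name_problems(name):
    """Return the reasons Explorer or RD would mishandle this folder name ([] = fine)."""
    problems = []
    # Win32 silently strips trailing spaces and dots, so the name it looks up does not exist.
    if name != name.rstrip(" ."):
        problems.append("trailing space or dot")
    # Device names match case-insensitively and regardless of any extension.
    stem = name.rstrip(" .").split(".")[0].rstrip(" ").upper()
    if stem in RESERVED:
        problems.append("reserved device name")
    return problems


def scan(root):
    """Walk root and return (relative_path, problems) for every suspect directory."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            problems = name_problems(d)
            if problems:
                hits.append((os.path.relpath(os.path.join(dirpath, d), root), problems))
    return sorted(hits)


def demo():
    """Build a constructed FTP root (sample names are constructed) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("pub", "S 33404 ", os.path.join("pub", "com1"), "upload."):
            os.makedirs(os.path.join(root, d))
        return scan(root)


if __name__ == "__main__":
    for path, problems in demo():
        print(f"{path!r}: {', '.join(problems)}")
```

On Windows, pass `scan()` the root in `\\?\C:\...` form so the Win32 layer does not normalize the names during the walk; a hit on an FTP root that should be read-only is a sign that anonymous write access was open.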

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    http://support.microsoft.com/?id=811176

    There must be a bug; I can't get the URI to work in the above post.

  6. #6
    Junior Member
    Join Date
    Dec 2004
    Posts
    3
    Ooooh... thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you thank you!

    Exactly what I was looking for. What were the key words you used?

    PS. You too, ric-o!
    sincerely,
    cow.

  7. #7
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    inetpub\ftproot
    Not exactly rocket science, you just need to know what to look for.