FTP Usage

Okay...made the mistake of leaving anonymous ftp usage open on a Win2k server box and opening up the firewall to forward that port. Well, needless to say, I got compromised. I have logs up the yin-yang with all the users. Anyways, I noticed that when it was compromised, the users put in their own directories. Here's an example...

C:\Inetpub\ftproot\.nul\
C:\Inetpub\ftproot\prn.hp.laserjet\

Well, I have about seven different directories that are named with reserved names. So, I can't delete them. Anyone know a way to get rid of them?

Thanks in advance!
Netronix

You could delete them if you used a Linux distro on CD, but I'm guessing you use NTFS and Write support for NTFS is very temperamental in Linux, so thats probably not a good idea.

NTFSDOS?

While logged in as administrator

Take ownership of those folders.

Once you have ownership, make sure that you give administrator(or whoever you are logged in as) full controll.

You may need to stop the FTP service(not sure)

then from a cmd prompt, you should be able to delete them, failing that, you should be able to rename those folders to something else, and then delete them.

I had a friend have the same thing happen. It was quite a while ago, but I think that is what he had to do.

Good Luck,

IchNiSan

p.s. I would consider getting your critical data off, and wipe and reinstall the OS then make sure you have full patches, etc.. etc... I dont know any way for someone to further compromise your box with anonymous ftp access, but that means, I dont know. I do know that I wouldnt trust a box that had been compromised, even if it appeared to only be compromised for hosting pr0n or ripped dvd's on ftp...

with the orn.hp.lasterjet one, if you were to use the command
"deltree *.*.*", that may work. Just use wildcards instead of the real directory names.
and for the .nul one, because you probably have several folders with the period infront of it, try:
"deltree .nu?". I don't know if they will work, but I guess it's worth a try.