[Dshield] I've been hacked

Wayne Beckham wbeckham at yahoo.com
Sat Nov 3 18:41:05 GMT 2001

MessageI ran into exactly the same problem.  Once it was resolved - thanks
to the very helpful members of this list - I posted the steps you need to
remove this directory.  The url is

The text is reposted below:

If this is old news to anyone, I apologize.  This had been a problem for me
to solve and I thought I'd share what I found out, in case anyone else runs
into this.

I'd written a while back advising that I'd been hacked and my web server was
doing double duty as a "warez" server.  I hadn't realized anything was amiss
until it caught the Nimda virus.  While scrolling through the
subdirectories, I found a huge amount of disk space was being eaten up by
these warez files.  Getting rid of the files and directories takes some

What happened in my case (this is my second warez attack) is that the
hackers will usually create a subdirectory that looks perfectly normal,
unless you look closer.  In my case, they called it _vti_pvt.  Then under
this they usually create a ton of subdirectories.  Inevitably one of them
will look something like this:


Usually they're much deeper than that, but you get the idea.  They bury the
"com1" deep because that prevents you from deleting anything in between.
Both UNIX and Windows NT Server store each node (such as "comp" and "Unix"
and "com1") as a separate directory. "Com1" is a reserved word in Windows
NT, making it difficult to remove.  Also they'll throw in a few blank
spaces, just to make it harder to get rid of.  So, in my example above, they
appended a few spaces at the end of "com1" making it "com1  " - just looking
at it, it only looks like "com1".  This will become more important later.

Opening up a command prompt, navigate to the suspect sub-directory.  From
there, run DIR, using the /X switch.  This gives you 8.3 equivalent of the
long filename.  So, our "com1  " will look something like this:\

09/19/2001 11:48a <DIR> COM1~002  com1

This is important, because to delete the file, you'll need that COM1~002
name to do it.  If you try to delete "com1", NT can't find that file and you
get an error message.

I had to use the POSIX utilities in Microsoft Windows NT Server 4.0 Resource
Kit to kill those directories. I just needed the command rmdir - a simple
solution once I figured out which command to use.  I later found another way
to eliminate the hacked directories. Issue the command:

RD \\?\d:\inetpub\wwwroot\_vti_txt\tagged\by\###morpheus###\com1~002

Substitute the offending name, com1, prn, etc. The \\?\ tells RD to use
POSIX support when dealing with this file and directory.  One other thing,
since they like to use long strings of characters for subdirectory names,
rename as many of them as you can.  It just makes it easier to get rid of
them.  So, you could rename the stuff above to something eaiser to type,

RD \\?\d:\inetpub\wwwroot\1\2\3\4\com1~002

To empty out the files, I used DEL d:\inetpub\wwwroot\_vti_txt\*.* /S - the
/S switch tells DEL to take out everything in every subdirectory and that
part pretty much works as advertised.  I had trouble with one bizarre file,
but the RD procedure above took care of that one.  I'm not sure what they
did to it to make it harder to delete, I'm just glad it's gone.

Well, like I said, FYI.

  -----Original Message-----
  From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of DAS
  Sent: Saturday, November 03, 2001 06:51
  To: dshield at dshield.org
  Subject: [Dshield] I've been hacked

  This question has been dicussed and answered here already, but I'm still
having a problem.

  I was also hacked, and the following directory was placed on my server:

  c:\inetpub\ftproot\0200~\~~tagged and scanned~~\by\com1

  I did a DIR /X and the com1 directory name does NOT change.

  So I tried the following:

  rmdir /s com1

  But no matter how I try to delete the com1 directory, I get this error:

  "The Directory name is invalid"

  I don't know what else to try.

  Any Advice?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.dshield.org/pipermail/list/attachments/20011103/10a843fb/attachment.htm

More information about the list mailing list