[Dshield] Major screwup on my part - any help out there?

Chew, Freeland (Roanoke) FChew at ecpi.edu
Mon Nov 26 18:25:15 GMT 2001

I have no experience with this hack but this is something I kept from a
previous posting.

Hope it helps

Buddy Chew

> If this is old news to anyone, I apologize.  This had been a problem
> for me to solve and I thought I'd share what I found out, in case anyone
> else runs into this.
>       I'd written a while back advising that I'd been hacked and my web
> server was doing double duty as a "warez" server.  I hadn't realized
> anything was amiss until it caught the Nimda virus.  While scrolling
> through the subdirectories, I found a huge amount of disk space was
> eaten up by these warez files.  Getting rid of the files and directories
> takes some doing.
>       What happened in my case (this is my second warez attack) is that
> the hackers will usually create a subdirectory that looks perfectly
> normal, unless you look closer.  In my case, they called it _vti_pvt.
> Then under this they usually create a ton of subdirectories.  Inevitably
> one of them will look something like this:
>       d:\inetpub\wwwroot\_vti_txt\tagged\by\###morpheus###\com1.
>       Usually they're much deeper than that, but you get the idea.  They
> bury the "com1" deep because that prevents you from deleting anything in
> between. Both UNIX and Windows NT Server store each node (such as "comp"
> and "Unix" and "com1") as a separate directory. "Com1" is a reserved
> in Windows NT, making it difficult to remove.  Also they'll throw in a
> blank spaces, just to make it harder to get rid of.  So, in my example
> above, they appended a few spaces at the end of "com1" making it "com1
> - just looking at it, it only looks like "com1".  This will become more
> important later.
>       Opening up a command prompt, navigate to the suspect
> From there, run DIR, using the /X switch.  This gives you 8.3 equivalent
> of the long filename.  So, our "com1  " will look something like this:
>       09/19/2001 11:48a <DIR> COM1~002  com1
>       This is important, because to delete the file, you'll need that
> COM1~002 name to do it.  If you try to delete "com1", NT can't find that
> file and you get an error message.
>       I had to use the POSIX utilities in Microsoft Windows NT Server
> Resource Kit to kill those directories. I just needed the command rmdir
> a simple solution once I figured out which command to use.  I later
> another way to eliminate the hacked directories. Issue the command:
>       RD
>       Substitute the offending name, com1, prn, etc. The \\?\ tells RD
> use POSIX support when dealing with this file and directory.  One other
> thing, since they like to use long strings of characters for
> names, rename as many of them as you can.  It just makes it easier to
> rid of them.  So, you could rename the stuff above to something easier
> type, like:
>       RD \\?\d:\inetpub\wwwroot\1\2\3\4\com1~002
>       To empty out the files, I used DEL d:\inetpub\wwwroot\_vti_txt\*.*
> /S - the /S switch tells DEL to take out everything in every
> and that part pretty much works as advertised.  I had trouble with one
> bizarre file, but the RD procedure above took care of that one.  I'm not
> sure what they did to it to make it harder to delete, I'm just glad it's
> gone.
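The cleanup the quoted post works through by hand (spot the reserved-name or trailing-space directory buried deep in the tree, then delete it through the \\?\ prefix) condensed into a small script. This is an added example for this thread, not the poster's own commands; the web root and the sample path are constructed to match the one quoted above. It flags every path component that carries a Windows reserved device name or trailing spaces/dots, and deletes through the \\?\ prefix, which makes the Win32 layer hand the path to the filesystem without normalising it, so such names are taken literally. The scan runs on any OS; removal is only attempted on Windows.

```python
r"""Locate and remove directory names that defeat a plain RD/DEL on Windows.

Added example for this thread, not the poster's own commands.  Each path
component is checked for the two tricks described in the post: a reserved
device name (com1, prn, ...) and trailing spaces.  Removal goes through the
\\?\ prefix so the name is passed to the filesystem literally.
"""
import os
import re
import shutil
import sys

# Device names reserved by Windows NT and later.  "com1.txt" and "com1  " are
# still treated as the device, so the check looks at the stem before the first
# dot and ignores trailing spaces/dots.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def classify_name(name):
    """Return the reasons a single path component is hard to delete with
    ordinary Win32 tools; an empty list means it looks ordinary."""
    reasons = []
    base = name.rstrip(" .")  # Win32 silently strips trailing spaces and dots
    stem = base.split(".", 1)[0].upper()
    if stem in RESERVED_DEVICE_NAMES:
        reasons.append("reserved device name")
    if base != name:
        reasons.append("trailing space or dot")
    return reasons


def scan_path_components(path):
    """Map each suspicious component of a path to its reasons, which shows
    the component that blocks deletion of everything above it."""
    parts = re.split(r"[\\/]+", path)
    return {p: classify_name(p) for p in parts if classify_name(p)}


def extended_path(win_path):
    r"""Prefix an absolute Windows path with \\?\ (or \\?\UNC\ for shares)."""
    p = win_path.replace("/", "\\")
    if p.startswith("\\\\?\\"):
        return p
    if p.startswith("\\\\"):
        return "\\\\?\\UNC\\" + p[2:]
    if not re.match(r"^[A-Za-z]:\\", p):
        raise ValueError("absolute Windows path required: " + win_path)
    return "\\\\?\\" + p


def find_suspicious_dirs(root):
    r"""Walk root and return (path, reasons) for every directory whose name
    would defeat a plain RD/DEL.  On Windows the walk itself uses the \\?\
    prefix so that reserved-name directories can be listed at all."""
    top = extended_path(os.path.abspath(root)) if sys.platform == "win32" else root
    hits = []
    for dirpath, dirnames, _ in os.walk(top):
        for d in dirnames:
            reasons = classify_name(d)
            if reasons:
                hits.append((os.path.join(dirpath, d), reasons))
    return hits


def remove_dir_windows(path):
    r"""Delete a directory tree through the \\?\ prefix.  Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("removal through \\\\?\\ only applies on Windows")
    target = path if path.startswith("\\\\?\\") else os.path.abspath(path)
    target = extended_path(target)
    if os.path.isdir(target):  # a parent hit may already have taken it out
        shutil.rmtree(target)


if __name__ == "__main__":
    # Constructed path in the shape of the one quoted above (the web root is an
    # assumption).  Pass a real directory as argv[1] to scan it; add --remove
    # to delete what is found (Windows only).
    sample = r"d:\inetpub\wwwroot\_vti_txt\tagged\by\###morpheus###\com1  "
    for component, why in scan_path_components(sample).items():
        print(f"{component!r}: {', '.join(why)}")
    if len(sys.argv) > 1:
        for hit, why in find_suspicious_dirs(sys.argv[1]):
            print(hit, "->", ", ".join(why))
            if "--remove" in sys.argv:
                remove_dir_windows(hit)
```

Run it against the web root without --remove first and compare the hits with the DIR /X listing the post describes. The short 8.3 name is one way around the reserved name; the \\?\ prefix is the other, and it does not depend on 8.3 name generation being enabled on the volume.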
