FTP was hacked, now have an unnamed folder which I can't delete
hey
just came back from holiday, our company's server was hacked while I was away, we seem to have a rogue empty folder which contains 4 folders (3 of them are our main sites' ones but they don't open - just says path not found) and one which is labelled ' ..... ,,, ;;; ÿÿ T@GG ÿ' which seems to have .rar files called avatar1-18.rar and kleinehart.rar (4 of these), I can't open these files and they seem to have a file size of 0.
when they got access they deleted a lot of folders which we restored from backups, had no problems since, just worried why there's now an undeletable empty folder which looks like it has shadowed .rar files in there.
any help would be appreciated, interesting thing - if I create a new folder in D drive, it appears in the empty folder as well but won't let me access it.
edit: managed to get to the folder via cmd and running dir /x so I can get its NTFS name, it's saying it's in use by another process and not allowing me to delete it.
September 13th, 2010 8:34am
Hi,
if your server has been compromised, I advise you to reinstall it because, otherwise, you can never be sure of having "cleaned" it.
hth.
Edoardo Benussi - Microsoft® MVP
Management Infrastructure - Systems Administration
https://mvp.support.microsoft.com/Profile/Benussi
Windows Server Italian Forum Moderator
edo[at]mvps[dot]org
September 13th, 2010 8:40am
can you (as domain admin or local admin) take ownership of the folder and delete it?
September 13th, 2010 11:35am
This tool may help you determine what process holds the lock.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Also from a command prompt try;
del \\.\Drive:\directory\filename
(Note: the period between \\ and \)
or
dir /x
and try deleting them using their 8.3 short names.
Regards, Dave Patrick .... Microsoft Certified Professional -Microsoft MVP [Windows]
September 13th, 2010 11:58am
nope, won't let me delete it that way, just says it can't find the folder still :/
did a dir /s on it and outputted to a text file, it's almost 9mb and got thousands of folders like "D:\0200~1\ ..... ,,, ;;; ˜˜ T@GG ˜\ ìììdìdìrì˜\ .
. com1`+~;˜;~+ï˜\ ;;;;\ 4\ 27\ 30" that seem to have been created in there. along with various rar files.
reinstall option (to be safe) looks like the way to go - which is just a bit annoying.
September 13th, 2010 12:01pm
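As an added example (not code from any poster in this thread): a Python sketch that scans saved `dir /s` output, like the text file mentioned above, for path components that normal Win32 path handling cannot reach, namely names ending in a space or dot and reserved device names such as `com1`. The sample listing and all function names are constructed for illustration, and an English-locale `dir` is assumed.

```python
import re

# Reserved Win32 device names: matched on the part before the first dot,
# ignoring trailing spaces, case-insensitively.
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])$", re.I)

def component_problems(name):
    """Reasons one path component cannot be reached through normal Win32
    path normalization (Explorer, plain del/rd)."""
    reasons = []
    if name not in (".", "..") and name != name.rstrip(" ."):
        reasons.append("trailing space or dot")
    if RESERVED.match(name.split(".")[0].rstrip(" ")):
        reasons.append("reserved device name")
    return reasons

def flag_path(path):
    """Return [(component, reasons)] for every problem component of a path."""
    parts = path.split("\\")[1:]          # skip the drive ("D:")
    return [(p, r) for p in parts if (r := component_problems(p))]

def flag_listing(text):
    """Scan `dir /s` output and map each flagged directory to its
    problem components."""
    flagged = {}
    for line in text.split("\n"):
        # Strip only the line ending: trailing spaces belong to the name.
        m = re.match(r"^ Directory of (.+)$", line.rstrip("\r"))
        if m and (hits := flag_path(m.group(1))):
            flagged[m.group(1)] = hits
    return flagged

def literal_path(path):
    """Prefix that makes Win32 pass the path through without normalization."""
    return "\\\\?\\" + path

# Constructed sample, shaped like the listing described in the thread.
SAMPLE = (
    " Directory of D:\\sites\\main\n"
    " Directory of D:\\0200~1\\ tagged \\com1\\27\n"
    " Directory of D:\\0200~1\\ tagged \\files.\n"
)

if __name__ == "__main__":
    for path, hits in flag_listing(SAMPLE).items():
        print(literal_path(path), hits)
```

A flagged directory can then be addressed in its `\\?\` form, which Win32 hands to the file system without normalizing the name.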
Hi,
I understand your current situation; however, under Microsoft support policy, if your computer has a virus or has been hacked, the only way is to reinstall. Thanks for your understanding.
Best Regards,
Vincent Hu
September 15th, 2010 5:16am