miqueltaule asked:
My own experience with a COM1 folder tagged with warez under
Windows 2000 Server


by Miquel Taule - Catalonia - Spain

And here's my story...

They were there:

The other day we decided to upgrade our old W2000 internet server for
a new one, about 3 weeks configuring the machine.. all service
packs installed, McAfee NetShield, we use Argosoft Mail Server
for mail and Serv-U for the FTP server, our internet server
is connected to a LAN with an 8 Mb line.

Well, my old server had only 40 GB of HD space and this one had
two new 120 GB HDDs :) a lot of space for me, well, here we go..

About 3 weeks later:

I checked the free space on my new server and something was going
wrong, there was only 70 GB free.. and I thought my old server was
only using 20 GB of space, what's going on with that space?
There are 60 GB used and I don't know where..

First contact:

My first option was to execute a file search with a filter to show
files bigger than 10000 KB.. it only showed me Windows and similar
files, I still didn't know where that space was; about
60 GB of my first HDD was being used and I knew nothing!!

I suppose there are a lot of software utilities for Windows
that will show a chart of % disk usage for every folder..

I used this one, TreeSize from JAM Software
http://www.jam-software.com

This utility let me know that there was a folder containing more
than 60 GB of stuff!! Surprise!

The investigation:

The folder was located at this path:
c:\winnt\system32\spool\prtpros\w32x86\null\com1\

Windows Explorer was unable to open that folder and it hung
every time. Windowzz :(

Second option..

Open a command line with cmd.exe (Start button - Run)
or Win+R

I walked through the directories and I stopped here

c:\winnt\system32\spool\prtpros\w32x86\null\

From this point I was unable to continue.., so I checked that
the next folder was named COM1. COM1..4 is a reserved
word for the Windows system and this one can't be explored
with conventional Windows software.

I also tried other Windows software explorers (didn't work) and
also tried to find the Norton Utilities (remember those
wonderful years with the Norton Utilities and MS-DOS, we could
change anything in the FAT).. so FAT, this is the problem, Norton
Utilities can be installed on a Windows 2000 server.. agh!! (I
read this in an article posted by a man that lived the same
experience! He was my inspiration in writing this article.)


The Windows 2000 Server file system is NTFS and this
makes it difficult to fix the COM1 folder name or delete it.

I could see the path structure by using this command:
dir c:\winnt\system32\spool\prtpros\w32x86\null\ /s

Incredible, my server was full of DivX files and other stuff!

Attention, maybe your warez folder name includes hidden
characters; to check this type dir /x, you'll see the results in
a formatted way. Very useful! (but this was not my case)

The mission:

My mission, obviously, was to delete this file structure that
contained 60 GB of warez stuff and then check how the hackers did
it, and of course fix the problem.

First I tried to use the standard DEL (MS-DOS delete file
command), like this:
del c:\winnt\system32\spool\prtpros\w32x86\null\*.* /s /q
(/s = scan subdirectories, /q = quiet mode, no confirmation)

This didn't work, File Access Denied, something is using the
file? I tried the command net files, which shows the files
on the network that are in use, but there was no listing.

No, all the files were locked in a strange way.. so I decided
to search for help on the net..

I always use Google, it's the best internet search engine.

I found a lot of information on the net talking about my problem
but nothing seemed to work.

I found in a Microsoft security bulletin article a solution to
delete the fatal COM1 folder, the solution was the following:

RmDir \\.\C:\YourFTP_ROOT's_PATH\COM1 /s /q
(/s = subdirectories, /q = quiet mode)

Take a look, this is a different way to delete this folder, and
you'll guess, did it work?

Of course not.

No, it didn't work, and the problem was that I couldn't get
access to the file, access denied.

So, let's start again..

The mission, part ][:

Back to Google... again..

Now I searched for any tool that would let me check if I had any
trojan installed on the machine.

I would check all running services and all startup apps.

Mysteriously the file msconfig.exe was missing, so I copied the
file from another computer by FTP.

I didn't say this before, but I always controlled the machine
using pcAnywhere.

With msconfig, I didn't see any strange line.. and all running
processes were normal..


The trojan scanners (I tried 5 different proggies) did not find any
suspicious file, so I supposed that hackers gained access to my
site by breaking in with some Windows exploit, must say that there
are too many exploits!! Windowzz! hahg!

While checking again the file structure of the COM1 folder I
noticed that there was a file appearing many times named
.IOFTPd

I found on Google that this software is a trojan, it's a file
server and bot to control the infected machine, usually used by
hackers for grabbing any kind of warez (pirate software and
contents), like mp3, DivX, ISOs, etc.. http://www.ioftpd.com

Well, nothing found on the net about uninstalling this program
(ioFTPD..), but I read that I can access these folders by
using FlashFXP (which is compatible with these folder types)

I've been using FlashFXP for 6 years, it's a good FTP client.
http://www.flashfxp.com

The battle:

Well, back to the problem..

I thought that there would be a file utility that would delete the
file path for the COM1 folder radically..

And the case is that I found a lot of utilities on the net but
only 2 were good enough for this..

1st: forcedel.exe - Force delete of the file, even if being
used, because it tries to finish the attached process.

Independent programmer -
http://www.codeguru.com/files/ForceDel.shtml

2nd: takeown.exe - This utility will let you grant access to
the file as administrator; this file is located on the
Windows Resource Kit CD for Windows 2000 Server, and also
can be found here -
http://www.petri.co.il/download_free_reskit_tools.htm

When trying these utilities I could delete all the files
contained in the directory.

The process was the following, first use takeown.exe like this:
takeown file1.txt   this will reply: File access granted

then you can use a simple DEL file1.txt or try forcedel.exe
file1.txt

And that's it, takeown.. and del?

No, there were a lot of files in the folder,
so manually it would be practically impossible, so
I created a batch process.

Using these steps..

 1) List folder contents using > like this: dir /s /b /a > trash.bat
 2) Do it twice, create a trash2.bat, you'll see why...
 3) Two files named trash.bat and trash2.bat are created with all the file names
 4) With Notepad I modified the trash.bat text lines using search&replace, adding takeown.exe "filename"
 5) With Notepad I modified the trash2.bat text lines using search&replace, adding forcedel.exe "filename"
    (can also use the del command)
 6) Finally execute first trash.bat and second trash2.bat
 7) That's all.. files are deleted.


Do you think that this is the end of the story?

Of course no.. :) but I'm still inspired..

There was still a problem concerning this, the files were
deleted but the directories that were inside the tree were
still there!!

And takeown.exe does not solve this problem, so I had deleted
the files but I still had the structure, because I can't access
the COM1 folder.

Then..

The final battle ][:

I remembered FlashFXP.. mmmm... let's try to access the FTP
site.. as administrator from C: .. and I could browse up to
the COM1 level, but I couldn't enter inside.. then I went back to
Windows and copied using copy&paste the next folder after COM1,
that was "Appz", so I made a manual change dir jumping to...

 C:\YourFTP_ROOT's_PATH\COM1\Appz

Note: maybe your file structure contains hidden characters
like Alt+255; to check this using FlashFXP go to directories and
search for a "Raw directory listing" option..

Also, remember that you can connect in local mode in FlashFXP

If the folder has spaces, the change dir option will be
like this (i.e. C:\YourFTP_ROOT's_PATH\COM1\Appz\ \)

Well, this finally let me enter the fatal COM1 directory.

From there I could delete all the file structure down to the COM1
folder, so now I only had to delete the COM1 folder.

Once again, I remembered the Microsoft bulletin I had read..
and used the following command again..

 RmDir \\.\C:\YourFTP_ROOT's_PATH\COM1 /s /q

Remember that the first time this command didn't work for me,
but now the folder is empty and no file with access denied will
be found.

Guess what?

Now, finally, this command gives me no error and after checking
it with a DIR /a command the COM1 folder was finally deleted!!!

The victory:

To block hacker attacks I configured the TCP/IP filtering
rules, in the advanced options of the LAN connection,
only allowing the ports for mail, FTP and web services;
at the moment this fixed my security hole.

After drinking a pair of Spanish beers.. and smoking a cigarette,
I finally finished the job, a hard job I think.

Hope this text will help those people that have the same
bad experience as me.


 This was..

 Miquel Taule
 from Esparreguera (Barcelona) - Catalonia - Computer programmer

Note: Remember that at the beginning of this text I was saying
that the new server had 2 HDDs.. hehe.. the second HD that had to
be empty also had 20 GB of warez; it took me 30 seconds to solve
this, I did a quick format of this 2nd drive and that's all.

Apology: Sorry for my bad English as I'm a Spanish citizen and
this is not my primary language. ;)
CrazyOne:

I am wondering did you use the POSIX mentioned in this article

How to Remove Files with Reserved Names in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;120716
CrazyOne (asker certified solution, available only to members):
miqueltaule (asker):

 That's true, msconfig.exe does not come with W2000 Server.

 But I also tried the POSIX command, it's one of the utilities
 I tried before.. but POSIX couldn't get access to the COM1 folder.

 I have to say that there is a tool named ERD Commander
 that seems to be very powerful for solving server problems,
 but I didn't find a demo, only buy for $200 :( ahg!

 But this would be my solution, because ERD Commander
 seems to work with a boot CD, and remotely controlled
 I can put the CD in :)

 ERD Commander seems a must for Windows system
 administrators but I think that it's too expensive.

 Miquel Taule
 Spain

Yeah, ERD Commander is a bit expensive, but then again if one is going to run a Windows Server OS then it is well worth the money. It can in the long run more than pay for itself. :>)
Also, was this one of the things you tried?

Open a CMD.EXE window.
CD to the top of the mess.
Use: DIR /X /A   to see the SHORT FILE NAMES of the files and directories there.
Use a combination of CD, RD, and DEL and the SHORT FILE names reported with DIR /X to delete your way to the bottom and then back up the tree, removing the files on the way down and the directories on the way up.
Most likely there is NOT a protection issue here, so you shouldn't need to worry about ownership or file protections.

RMDIR [/S] [/Q] [drive:]path
RD [/S] [/Q] [drive:]path

   /S      Removes all directories and files in the specified directory
           in addition to the directory itself.  Used to remove a directory
           tree.

   /Q      Quiet mode, do not ask if ok to remove a directory tree with /S


 Yes, I used RMDIR at the beginning, as explained in the text.

 But it couldn't get access to the folder because there was a
 lot of garbage inside and locked.

 RMDIR couldn't delete a folder which contained files
 with access denied or in use with bad structure names.

 Hope Windows 2003 will be better..

 Windows 2002 seems not to control at low level
 the NTFS structure.. we can create whatever we want,
 as seen with ioFTPD (there would be a lot..)
 and then Windows can't recognize them..

 I think this is a big, big error..

You can remove the whole bad directory tree with 2 simple POSIX commands:

del \\.\C:\baddir /s /q /f            to remove files in all directories
rmdir \\.\C:\baddir /s /q             to remove all bad folders

If you can't delete a file because it's in use, you can get its short name (with complete path) and then put a del command into a batch file that you can call, for example, via win.ini or wininit.ini during the boot process.
Malicious files will be erased before they're used.

I have a slightly different twist. When I try to delete the COM1 dir, I get:

 Directory of C:\Inetpub\ftproot

11/03/2003  08:29p      <DIR>          .
11/03/2003  08:29p      <DIR>          ..
11/03/2003  04:10p      <DIR>          COM1
11/09/2000  11:23p              24,576 ForceDel.exe
11/03/2003  08:29p      <DIR>          NtSystemInfo
11/03/2003  08:20p                  56 trash.bat
11/03/2003  08:20p                  87 trash2.bat
               3 File(s)         24,719 bytes
               4 Dir(s)     810,123,264 bytes free

C:\Inetpub\ftproot>del com1
The filename, directory name, or volume label syntax is incorrect.

For a little more detail, read on:

I know very little about hacking or the like. I have a problem I hope someone can help me with.

My FTP server is getting modified by someone or something. I am running IIS on Win2k Server. I have NAV Corporate Edition 2.7. I have a hardware-based firewall with ports open for FTP, SMTP, POP, HTTP and Terminal Services. I also have Exchange Server running.

Basically, my FTP site in IIS either has its Home Directory changed to some odd path pointing to a COM1 directory (this directory cannot be deleted), or sometimes the FTP server is stopped and a version of Serv-U is started on its port, 21. One time, my FTP server had its port changed to 51 and Serv-U took port 21.

I have tried POSIX, which keeps telling me that the process cannot start, and FPORT, which has been useful to track Serv-U.

I don't know what else to do. Every time I seem to clear it up, it comes back.
_________________
David H. Little
Chief Technology Officer
RXI Software
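The symptom in the post above (IIS FTP pushed to port 51, a dropped Serv-U bound to 21) is what FPORT was being used to catch: a listener owned by a binary that should not be there. The following is an added example for this thread, not the poster's own script or part of FPORT. It compares the host's TCP listeners with a table of expected port-to-process pairs and flags everything else. Assumptions, all mine: Windows 8 / Server 2012 or later for Get-NetTCPConnection, an elevated session so the owning process resolves for every socket, and the expected table itself, which is illustrative and must be edited to match the real services on the box.

```powershell
# Added example (not from the original thread): report TCP listeners that do not
# match an administrator's expected port -> process table, e.g. a Serv-U binary
# on 21 while IIS FTP was moved to 51. Assumptions: Windows 8/2012+ for
# Get-NetTCPConnection, elevated session, and an illustrative expected table.
$expected = @{
    21   = 'inetinfo'     # IIS FTP on Win2k ran inside inetinfo.exe (assumed layout)
    25   = 'inetinfo'     # SMTP
    80   = 'inetinfo'     # HTTP
    110  = 'inetinfo'     # POP3
    3389 = 'svchost'      # Terminal Services
}

function Get-ListenerReport {
    param([hashtable]$Expected = $expected)
    # index processes once so each socket lookup is O(1)
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort -Unique |        # collapse IPv4/IPv6 duplicates
        ForEach-Object {
            $port = [int]$_.LocalPort
            $p    = $procs[[int]$_.OwningProcess]
            $name = if ($p) { $p.ProcessName } else { '<unknown>' }
            $path = if ($p -and $p.Path) { $p.Path } else { '' }
            $status = if (-not $Expected.ContainsKey($port)) { 'UNEXPECTED-PORT' }
                      elseif ($Expected[$port] -ne $name)    { 'UNEXPECTED-PROCESS' }
                      else                                    { 'ok' }
            [pscustomobject]@{
                Port    = $port
                Process = $name
                Pid     = $_.OwningProcess
                Path    = $path
                Status  = $status
            }
        }
}

$report = Get-ListenerReport
$report | Format-Table -AutoSize

# Anything not 'ok', or any process whose name looks like Serv-U regardless of
# port, is the replacement FTP daemon the post describes; the Path column shows
# where the dropped binary lives so it can be removed along with the COM1 tree.
$report |
    Where-Object { $_.Status -ne 'ok' -or $_.Process -match 'serv-?u' } |
    ForEach-Object {
        Write-Warning ("port {0}: {1} (PID {2}) {3}" -f $_.Port, $_.Process, $_.Pid, $_.Path)
    }
```

Because the intruder in this thread re-bound ports rather than hiding, a scheduled run of this check (or of FPORT on the Win2k box) catches the recurrence the poster complains about; the Path column also tells you which executable to delete, which neither netstat nor FPORT's port list alone shows.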

Try Delete FXP Files: http://www.jrtwine.com/Products/DelFXPFiles/index.htm

The free download version will delete those kinds of folders with no trouble at all.

Your FTP server is allowing anonymous access, which is why/how you are getting tagged in the first place. If you have to have anonymous access, your only recourse may be reactive as opposed to proactive (removing anonymous access). Serv-U is being uploaded to your system to provide other FXP-ers access to upload/download files on your server.

-=- James.