A hacker put a folder on my server-it cant be deleted!!!

[pollux0]

I found a folder called "t@gged" on my server. I cant seem to delete it. Anyone have any sugestions? I am unable to go to the security properties on the folder under administrator account.

 

[lionborn]

Go to the top folder, or ROOT partition and take the ownership (in Advanced properties of the security tab). Than try to delete it again

 

[pollux0]

I tried but an error pops up saying "cannot find the file specified"

when I try and delete it I get "cannot read from the source file or disk"

 

[Jasen]

drop to a cmd session, and run "dir /x" in the parent directory. This will tell you the 8.3 filename. Now just delete that name with the "del" comand. The 'l33t haxor simply inserted an invalid character into the name. That character won't show on the 8.3 format name.

 

[pollux0]

It almost worked!! It worked but when I go back into windows, it is still there!

 

[brontosaurus]

run a CHKDSK on the drive in question and see if it comes back with any errors. If so, use the /F switch to fix. I've seen this type of problem corrected this way.

 

[dmrrfld]

Hi, We had this problem on a server in development. We tried everything listed so far, none of them worked. We finally just formatted the partition. Since we had an image of the drive before this happened, it wasn't a big deal. However, if it is a production server, I guess this could be a big problem.

 

[Guest_imported]

works. Drop a cmd and RD will remove the directory listed by the dir /x command. Make sure all contents on the parent are gone before dropping the RD command.

 

[brendangriffin]

What filesystem is the file located on? I had a problem a couple of years ago with a similar error message, I converted the filesystem to NTFS and I could then delete the file, a long shot but it could work!

 

[Guest_imported]

If you have been hacked, I suggest that you reinstall your server.
You never know what else the hacker has put in your system.

 

[Guest_imported]

The T@gged folder is a zombie trojan used in DOS attacks. Use the program trojan eliminator to easily detect and remove it. it is free for like 30 days. That is an old trick and you should be able to use TE without even updating its database.

 

[Bastian]

The rd command seems to work here when I maked a weird dir to test.

 

[Guest_imported]

where would i find this elusive trojan eliminator? I did a search with Google and found nothing...

 

[Waynepool]

Sounds like a virus problem. Would not hurt to download the Nimba and Sircam fix from Norton and give it a shot. We had the same problem with one of our servers. When we put the server online for the first time, it became infected with the Nimba virus before we has a chance to load the service packs. Now, we load all service packs and fixes for server 2000 and Explorer 5.5 from a CD-RW copy that we made, then the server is put on-line. I ran the Nimba fix and the files were deleted, that would not delete.

 

[Jasen]

No, it's not always a Trojan. Some hacker punks will just go to whatever directory has write access and create a folder with invalid characters. I'm not sure of the process by which they do it exactly, but I've seen it several times. They'll name it something like %,-L33t H4xors 0wNZ J00-,% or something similarly idiotic. I've killed a couple of them for friends by deleting them from the command line. They were on ntfs partitions too. Remember, you're unique... just like everyone else.

 

[Waynepool]

jasen is right. It's not always a Trojen. I have ran accross the same thing as jasen has, with no explination. Even my log files and firewall failed to show any wrongdoing.

 

[seanhurlburt]

you need to get into the POSIX system. learn about deleting files via the POSIX commands and character set. It is done from the CMD prompt and will fix your problem.

 

[MetsFan]

Go to the command prompt. Get the full name of the directory and any other directories that are under it. If there are any other directories under it, remove them first with the rd command. If there are any text files that are under any of these directories, take them out by using the attrib command in DOS. This way you will be able to remove the directory. Once you have all files removed from a directory, you can then delete the directory. This should work as it happened to my company about 2 months ago and we were able to fix it with this process. Eddie Martin
Network Support Technician
eddie@digitechcomputer.com

 

[Guest_imported]

rd worked for me, get the 8/3 file name by using dir /x. Then type 'rd /s folder name', /s is for all subdirectories.

Walter Ikomi
walter.ikomi@vi.net

 

[Freddyj]

I'm having the same problem. Hackers are creating strings of folders and files and hiding huge mpg and avi movies in them, eating up any unsed space on my harddrive. I've turned off IIS FTP access, hoping to keep them out of my server. Does anyone know how they access servers? Are they using port 21?