
FTP t@gged 1

Status
Not open for further replies.

SgtBeavis

MIS
Jun 10, 2002
81
US
So I come into work on Monday morning to the news that our FTP server had been hacked. After cussing out the guy that didn't shut down anonymous logins like he should have I got to work cleaning up the mess. The first directories I found were all 8.3 names so I did a DIR /x to get the real names of the directories and deleted them with no issues.

Now for the FUN part. I ran into one family of directories that I cannot delete. I get an access denied if I even touch them. I was able to gain ownership of the parent directories in this particular tree but not the child directories, thusly I cannot delete them. I installed the POSIX tools from the Win2k server Res kit and tried RM.EXE with -r but to no avail, I kept getting "Operation Not Permitted". Somehow I need to gain ownership of these damn folders. I tried an ls command with -g but for some reason my POSIX tools don't recognize that switch so I cannot find out what groups own these files so I can try and fix this crap. Essentially I want to figure out how to rip them off without having to re-partition and format my drive. Nice little challenge.
 
Hello,

This problem is because the script kiddie that hacked you made the directories with null ownership (there is a way to do this, but I have not figured it out exactly). It allows the directories to be used with full permissions but not deleted.

The only way I have found to get rid of them is to reformat the system. If you don't want to do that, just remove all permissions from them, unshare them and leave them alone.

Have a nice day Doomhamur
Network Engineer

"Certifications? We don't need no stinking certification."
 
Yea, somehow the Security Tab for that folder is gone. I tried using cacls in CMD to gain ownership but no dice. There has to be a way. I'm wondering if I can do this through a Linux box over Samba if I mount the drive. hmmmmm..
 
There is a way to do it.

As I mentioned in another thread I know people who do this and may be able to find out from them how to undo it.

I'll let you know if I can rip it out of them or not.

-------------------------------
MCSE in training.
Currently I've gone through the following books:
70-210 Win2K Professional
70-215 Win2K Server
 
I just sent an e-mail off to a friend. He taught the classes I was in for the 70-210 and 70-215 exams. The reason I contacted him is he was on one of the teams that wrote the Windows 2000 O/S. I figure if anybody knows, he should. He's always come through for me in a pinch. I'll let you know what I find out. (Luckily, he was such a good teacher, I haven't had to contact him much, but this one has me stumped.) Good luck.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"Since we cannot know all that there is to be known about anything,
we ought to know a little about everything."
Blaise Pascal
 
thx all, I'll keep an eye on this thread while I'm researching this myself.
 
I had this problem a while back when Nimda first came on the scene. Luckily I had a copy of Sysinternals' ERD Commander. I booted up the server using the ERD boot floppies, and I was able to delete the folders then. This situation was on an old Compaq Proliant with Win NT server. I haven't tried using the Repair console in Win 2k yet. I would see if that would work before I go around reformatting hard drives. You need to find a way to boot from another source, cd, floppy, or another hard drive.

Writing of, I guess if you had another system, you could attach the drives and clean it out that way (assuming of course you weren't using RAID)...

Just my 2 cents...
 
Here's the response I got from the MS friend.

Dear Glen,

The person who did this used WMI (Windows Management
Instrumentation) to edit the security descriptors of
the folders in question removing all entries (security
principals including the original folder owner) from
the accompanying access control list for each folder
(ACL). This results in null ACLs (this is the name of
the problem the writer was experiencing). To find
more information you will need to do a search using
"null ACL" since that is actually what this problem is
called.

If your colleague will go to google and search as
follows:

+"null ACL" +"Windows 2000"

he will get a number of articles that talk about this.

It is too complicated to discuss via email.


The man knows his stuff. Give it a shot.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"Since we cannot know all that there is to be known about anything,
we ought to know a little about everything."
Blaise Pascal
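The e-mail above describes the mechanism (security descriptors rewritten so the DACL carries no entries and the owner is gone) but not how to find or fix such folders. The following PowerShell script is an added example, not code from the thread or from anyone quoted in it, that an administrator could run over an FTP tree to report directories whose security descriptor cannot be read, has no access entries, or records no owner, and, when asked, to repair them with the built-in takeown and icacls tools. It assumes an elevated PowerShell session on a modern Windows host (Administrators hold the take-ownership and restore privileges that let them re-take a folder they are not listed on); the path D:\ftproot is a placeholder.

```powershell
# Added example: scan a directory tree for directories with an empty or
# unreadable security descriptor and optionally take them back.
# Run from an elevated PowerShell. $Root is a placeholder path.
param(
    [string]$Root = 'D:\ftproot',   # placeholder, replace with the FTP tree
    [switch]$Repair                 # without this switch the script only reports
)

function Test-SuspiciousAcl {
    param([string]$Path)
    # Get-Acl throws when even reading the descriptor is denied; report that
    # rather than silently skipping the folder.
    try {
        $acl = Get-Acl -LiteralPath $Path
    } catch {
        return [pscustomobject]@{ Path = $Path; Reason = "cannot read security descriptor: $($_.Exception.Message)" }
    }
    if ($acl.Access.Count -eq 0) {
        # No ACEs at all: nobody is granted or denied anything explicitly,
        # which matches the "Security tab is gone / access denied" symptom.
        return [pscustomobject]@{ Path = $Path; Reason = 'DACL has no access entries' }
    }
    if ([string]::IsNullOrEmpty($acl.Owner)) {
        return [pscustomobject]@{ Path = $Path; Reason = 'no owner recorded' }
    }
    return $null
}

function Repair-Directory {
    param([string]$Path)
    # takeown: /F target, /A give ownership to Administrators, /R recurse,
    # /D Y answer the "take ownership of subfolders?" prompt.
    # icacls /reset: replace the ACL with the inherited default; /T recurse,
    # /C continue past individual errors.
    & takeown.exe /F $Path /A /R /D Y | Out-Null
    & icacls.exe $Path /reset /T /C | Out-Null
}

$findings = @()
# -Force includes hidden/system folders; enumeration of a folder that denies
# listing will not descend into it, so its parent is what gets reported.
Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Test-SuspiciousAcl -Path $_.FullName
        if ($f) { $findings += $f }
    }

$findings | Format-Table -AutoSize

if ($Repair) {
    foreach ($f in $findings) {
        Write-Host "Repairing $($f.Path)"
        Repair-Directory -Path $f.Path
    }
}
```

Run it once without -Repair to see the list, then with -Repair to take ownership and reset the ACLs; after the reset the folders inherit their parent's permissions and can be deleted normally. Because a folder that denies directory listing hides its children from Get-ChildItem, the recursive takeown and icacls calls on the reported parent are what reach the nested ones.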
 
Thanks Glen. I'm checking now. I'll let you know how it goes.
 