Folder named nothing

[Zirus]

I had my server set as DMZ for awhile (stupid I know, I just forgot to change it back).

Anyways... I noticed my internet was going slow, so I started looking for reasons. ( I have a 2.0mbps connection). I realized that I had several ( ~20) people connected to my server uploading and downloading in this directory I did not make. This directory is named nothing, and I can't delete it from windows or dos.

I did delete everything inside it ( all the w4r3z)...but I can't delete the folder. Does anyone know how? Or, even how it was created in the first place?

and I did close the router... :ninja:

[Sierra]

Have you tried Safe Mode?

[Zirus]

Safe mode as no affect. I just tried it.

The error says:

Cannot Delete File: Cannot read from Source File or disk.

[Nidonocu]

Tried the command prompt? o.o;

[NullPointerException]

Download Cygwin and install the basic package. Add the bin folder to your windows path and browse to the folder using DOS. Then issue rm -rf <folder_name>. If nothing happens try ls -la and check the folder permissions. Chenge then so that you are the owner of the folder and have wrx permissions. Post back if you still have problems. I recall i had the same problem with an ftp server i had left open and that's what i did.

Hope it helps

[SIG]

Try this program:

http://www.softwarepatch.com/software/moveonboot.html

[Zirus]

SIG: I downloaded and installed that program, and it will remove files, but not folders.

NullPointerException: This program will see the folder with a dir listing, but it won't do anything with it. I can change the security options in windows, which I have done, and it doesn't help. Administrator has full control.

:( any other ideas?

this folder doesn't have a name, its not a space, underscore or anything, its just not there. When you get the dir listing from dos, and you look at the file names, the spot for this directory is not there.

[Zirus]

I got it.....

I booted my computer up with Fedora Core 4 Test 3, and I browsed to the network smb share and Linux was able to delete it.

Thanks for your ideas though...

[Aaron P]

Now that the machine has been compromised and you aren't going to reload the OS (how do you know you've removed all the bad stuff?). Go over the machine with this:

RootkitRevealer v1.4

http://www.sysinternals.com/ntw2k/freeware...kitreveal.shtml

Why should I reload the OS after a compromise?:

http://www.microsoft.com/technet/community...gmt/sm0504.mspx

http://www.microsoft.com/technet/Security/tools/detect.mspx

[Zirus]

Yes, I have been considering reformatting the drive, but considering I have 40GBs of info on there, and it takes several hours to copy all that on the network, its a big job. Plus, I don't know if they've changed any of my other files. I doubt they would have, because the logs would show it. ( Even though what that web site says.)

They got in through ftp, and ftp does not have access to the C drive, where the logs were being stored. The logs show one person going into a folder that says "server logs", but the log doesn't show them changing anything. and at the time, the logs were not stored in that directory. ( This folder is on the E, not the C drive. ) I am willing to bet that all my data is clean. I don't think they were here to screw stuff up, they were here to distribute warez.

[Stonkwell Bogtrotter]

Why not just claim ownership of the folder? Right clik, properties, security then claim ownership from there. Once claimed, you should be able to delete it.

[Zirus]

Why not just claim ownership of the folder? Right clik, properties, security then claim ownership from there. Once claimed, you should be able to delete it.

585938506[/snapback]

I did try to do that, but the folder is still named nothing. the fact that it was named nothing was keeping windows from deleting it.

Anyways, I got the folder removed.

[Mattimeo]

Is it worth the compromise of your companies data not to be sure and redo the server? Most people I know in IT value and take security seriously. Your machine was compromised and with that concept at hand, that server was not yours anymore. Are you willing to let a server that came from someone else with malicious intent into your network without being absolutly sure that it will not downgrade the security of your company's network?

I know I wouldn't.

[Zirus]

Its not exactly a company.... but anyways....

I will probably end out backup up the important data and formatting both of the drives. This couldn't come at a worse time, since I had just reinstalled the os about a week ago, and I had every thing working perfectly.

[struct]

Now that the machine has been compromised and you aren't going to reload the OS (how do you know you've removed all the bad stuff?). Go over the machine with this:

RootkitRevealer v1.4

http://www.sysinternals.com/ntw2k/freeware...kitreveal.shtml

Why should I reload the OS after a compromise?:

http://www.microsoft.com/technet/community...gmt/sm0504.mspx

http://www.microsoft.com/technet/Security/tools/detect.mspx

585938453[/snapback]

solid links man!