You have files with strange, suspicious names in your FTP folders that you cannot delete by any means. You can't delete, rename, or move them from the command line or from Explorer. You receive error messages like, "The system cannot find the file specified", "Access is denied", or "Cannot read from the source file or disk".
You have Internet Information Services (IIS) FTP Server running on Windows. The FTP server had (or still has) write access enabled for anonymous users. Someone accessed the server and wrote directories and files to the ftproot directory. The files were placed there so others could access them.
'Hackers' will scan IP ranges to find FTP servers with write access. Once they are found, the hackers will upload their mostly copyrighted files, which may be warez, movies, VCDs, or ISOs, in parts or whole. The IP address and port of the server are distributed to others via mechanisms such as 0-day lists and IRC. Marked, open FTP servers are called tagged (or t@gged). When others download those files, it is called leeching.
The directories and files may contain spaces and special characters. They might contain Windows file system reserved words. These are COM0 to COM9, LPT0 to LPT9, CON, AUX, and NUL. Windows' built-in methods for deleting the directories must be performed one directory or file at a time. Hackers purposely nest the directories deeply to make the recovery process time-consuming.
directoryfixer.exe DIRECTORY at the prompt, where DIRECTORY is the directory you want to fix.
(directoryfixer.exe DIRECTORY > outfile.txt if you want to capture the output, which lists all the old/new file names.)
If you receive "Access is denied" errors, then you might need to take ownership of those files. You can do this manually from the "Security" tab of the file/folder properties. To take ownership of all the files/folders in a tree, you can use Microsoft's subinacl utility as follows:
"C:\Program Files\Windows Resource Kits\Tools\subinacl.exe" /subdirectories c:\inetpub\ftproot\*.* /setowner=Administrator /grant=Administrator=F
DirectoryFixer renames all files and subfolders of the path specified on the command line. It works because it is written in C++ and uses the Windows Unicode MoveFile function directly. The action is irreversible, so make sure you have a working backup of your system before running the program. The renaming algorithm is as follows:
The program requires 100-150KB of disk space and will run on all versions of Windows except Windows Me/98/95.
THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
The program is free. If you find it useful, please link to this page from your website or send me your feedback here.
You may have to run Directory Fixer and delete files multiple times to clear everything out, especially if you get an error like "Code 183 - Cannot create a file when that file already exists."
You can see when the activity that resulted in the files occurred on your FTP server. Open the directory
C:\WINDOWS\system32\Logfiles\MSFTPSVC1. Use a text editor with multi-file search (like Textpad) to search the log files for the uploaded file names.
To get a text file of all the files/folders that will be renamed, follow these steps:
cd c:\inetpub\ftproot (or the folder you want to list)
dir /b /s > FilesList.txt
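To review that listing before renaming anything, the following added example (not part of DirectoryFixer or of the original page) flags every path component that matches the reserved names described above, ends in a space or dot, or contains characters that cannot be typed at the prompt. The function names, the sample paths and the cp437 code page mentioned in the comment are assumptions made for illustration.

```python
import re

# Device names the page lists, plus PRN (also reserved by Windows).
RESERVED = {"CON", "AUX", "NUL", "PRN"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(10)}

def component_problems(name):
    """Reasons a single file or folder name resists ordinary deletion."""
    reasons = []
    # The device name is matched on the part before the first dot, ignoring
    # case and trailing spaces, so "nul.iso" and "COM1 " both count.
    if name.split(".", 1)[0].rstrip(" ").upper() in RESERVED:
        reasons.append("reserved device name")
    if name != name.rstrip(" ."):
        reasons.append("trailing space or dot")
    # "?" is never legal in a name: in redirected dir output it typically
    # marks a character the console code page could not represent.
    if re.search(r"[^\x20-\x7e]|\?", name):
        reasons.append("non-ASCII, control or unmappable character")
    return reasons

def audit_listing(lines, root):
    """Map each problem path under root to its reasons, parents first."""
    findings = {}
    root = root.rstrip("\\")
    for line in lines:
        path = line.rstrip("\r\n")  # keep trailing spaces, drop the newline
        if not path.lower().startswith(root.lower() + "\\"):
            continue
        parts = path[len(root) + 1:].split("\\")
        for depth, part in enumerate(parts, start=1):
            reasons = component_problems(part)
            if reasons:
                findings.setdefault("\\".join([root, *parts[:depth]]), reasons)
    return findings

# Constructed sample of `dir /b /s` output; not taken from a real server.
ROOT = r"c:\inetpub\ftproot"
SAMPLE = [
    r"c:\inetpub\ftproot\pub\readme.txt",
    r"c:\inetpub\ftproot\tagged \com1",
    r"c:\inetpub\ftproot\tagged \com1\lpt3.part1.rar",
    r"c:\inetpub\ftproot\pub\aux.",
]

if __name__ == "__main__":
    # Real listing: open("FilesList.txt", encoding="cp437", errors="replace")
    # (the code page is an assumption; use your console's).
    for path, reasons in audit_listing(SAMPLE, ROOT).items():
        print(f"{path!r}: {', '.join(reasons)}")
```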
Some files and folders can be deleted by simply specifying the short file name. To do this, follow these steps.
dir /x to see the short file names in that folder
rmdir folder~1 /s to remove the folder and all files and subfolders.
Windows XP Professional, Windows 2000, 2003, NT 3.1, 3.5, 4.0, Server, Small Business Server, IIS 5, IIS 5.1, IIS 6.0