From: Laura A. Robinson (lrobinsonintellimark-it.com)
Date: Thu Jun 21 2001 - 17:32:21 CDT


    Have you tried this?

    http://support.microsoft.com/support/kb/articles/Q131/7/02.asp

    Laura Robinson
    ----- Original Message -----
    From: "Marty Block" <martykesem.net>
    To: "Securtiy focus microsoft" <FOCUS-MSSECURITYFOCUS.COM>
    Sent: Thursday, June 21, 2001 2:47 PM
    Subject: Problems being an FT dump site - any suggestions for recovery??

    >
    > Hi all,
    >
    > OK - so I didn't follow all the advice I read in the threads that come
    > across, so don't laugh when I tell you we ran out of bandwidth AND disk
    > space when someone found our Default FTP site open and discovered our
    > robust connectivity...... anyway
    >
    > The perpetrator used the servicepak 4 directory which was in 'c:\temp' as
    > the 'root' of their file store. They placed a directory called "
    > .DIGITALsOOk " in a folder 2 or 3 levels deep in the directory.
    >
    > After a review of the FTP logs, I see that the uploads look like the
    > following:
    >
    > 08:28:37 212.100.180.36 [139]sent /TEMP/SP4RK/setup/sysfiles/+++++++.+++++DiGiTaLsOOk++++/++LPT1+/+Noritaka/SAN.KU.KAI.CD1.FRENCH.DVDRIP.VCD-RYO-OHKY/ryo-skk1.r34 226
    > *********************
    > Note that the items that appear as spaces in the windows dialog box show up
    > as "+" signs in the ftp log.
    >
    > My real problem is this: I need/want to delete these directories and the
    > files that exist under them but cannot 'see' them with normal windows
    > facilities. Any suggestions on how to get rid of them? Any tools that you
    > all are aware of that might help me 'fix' the entry to be able to get rid
    > of it??
    >
    > Also - FYI - below are some other traces of activity. Any observations you
    > may have would be appreciated - I note that there were several files of
    > exact sizes placed on our server as test files for speed and reliability.. These
    > folks have a real 'machine' in place to find and exploit servers.
    >
    >
    >
    > Here's where they put a file of exactly 1 meg in size in order to test our
    > connectivity....
    >
    > 19:24:50 193.251.13.63 [98]USER anonymous 331
    > 19:24:50 193.251.13.63 [98]PASS mailnot.set 230
    > 19:29:47 193.251.13.63 [98]sent /Scan+by+GuGu+for+sOOk/.tagged+GuGu/1MB 550
    > 19:31:17 193.251.13.63 [98]created 1MB 226
    > 19:32:09 193.251.13.63 [98]QUIT - 227
    > *****end of dump
    >
    > I also noted these entries:
    >
    > 15:00:03 193.253.243.123 [104]created ryo-ken2.r05 226
    > 15:04:01 193.253.243.123 [100]created ryo-dbz6.r07 226
    > 15:05:06 193.253.243.123 [104]created ryo-ken2.r06 226
    > 15:07:02 193.253.243.123 [104]created ryo-ken2.r07 426
    > 15:07:52 193.253.243.123 [104]created ryo-ken2.r08 426
    > 15:08:17 193.253.243.123 [104]created ryo-ken2.r09 426
    > 15:08:30 193.253.243.123 [104]created ryo-ken2.r10 426
    > 15:08:40 193.253.243.123 [100]created ryo-dbz6.r06 426
    > 15:09:16 193.253.243.123 [109]USER anonymous 331
    > 15:09:16 193.253.243.123 [109]PASS mailnot.set 230
    > 15:10:47 193.253.243.123 [109]QUIT - 250
    > 15:11:07 193.253.243.123 [110]USER anonymous 331
    > 15:11:07 193.253.243.123 [110]PASS anonymouson.the.net 230
    > 15:15:01 193.253.243.123 [110]sent /_NavCSrv.Log 550
    > 15:15:01 193.253.243.123 [110]sent /_NavCSrv.Log 426
    > 15:16:05 193.253.243.123 [110]created ryo-dbz6.nfo 226
    > 15:20:55 193.253.243.123 [110]created ryo-dbz6.r00 226
    > 15:26:31 193.253.243.123 [110]created ryo-dbz6.r01 226
    > 15:31:17 193.253.243.123 [110]created ryo-dbz6.r02 226
    > 15:37:22 193.253.243.123 [110]created ryo-dbz6.r03 226
    > 15:47:46 193.253.243.123 [110]created ryo-dbz6.r04 226
    > 15:49:40 193.253.243.123 [111]USER anonymous 331
    > 15:49:40 193.253.243.123 [111]PASS anonymouson.the.net 230
    > 15:53:10 193.253.243.123 [110]created ryo-dbz6.r05 226
    > 15:57:42 193.253.243.123 [110]created ryo-dbz6.r06 226
    > 16:48:55 193.253.243.123 [112]USER anonymous 331
    > 16:48:55 193.253.243.123 [112]PASS anonymouson.the.net 230
    > 16:51:06 193.253.243.123 [112]QUIT - 550
    > endofdump
    >
    > Any suggestions on products or NT command to get rid of the directory?
    >
    > thanks
    > Marty
    >
    >
    >
    > Marty Block
    > Kesem Technology
    > www.kesem.net
    >
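
An added example, not part of either message in this thread: a small scanner for FTP log lines in the layout quoted above that flags path components Windows tools tend to choke on (space padding, trailing dots, reserved device names such as LPT1). The function names and the issue labels are this example's own, and treating every "+" as a space follows the observation in the post.

```python
import re

# Win32 reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9).
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}

# Layout seen in the post: time, client IP, [session]verb, target, status.
LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) \[(\d+)\](\S+) (\S+) (\d{3})$")

# Two entries copied from the post (the wrapped line rejoined).
SAMPLE_LOG = """\
08:28:37 212.100.180.36 [139]sent /TEMP/SP4RK/setup/sysfiles/+++++++.+++++DiGiTaLsOOk++++/++LPT1+/+Noritaka/SAN.KU.KAI.CD1.FRENCH.DVDRIP.VCD-RYO-OHKY/ryo-skk1.r34 226
19:29:47 193.251.13.63 [98]sent /Scan+by+GuGu+for+sOOk/.tagged+GuGu/1MB 550
"""

def component_issues(comp):
    """Heuristic reasons a decoded path component resists Explorer/cmd."""
    issues = []
    if comp != comp.strip(" "):
        issues.append("space-padded")
    if comp.rstrip(" ").endswith("."):
        issues.append("trailing-dot")
    # Device names stay reserved with an extension, so compare the stem only.
    stem = comp.strip(" ").split(".")[0].rstrip(" ").upper()
    if stem in RESERVED:
        issues.append("reserved-device-name")
    return issues

def scan(log_text):
    """Return (time, ip, component, issues) for each flagged path component."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(4) not in ("sent", "created"):
            continue
        time, ip, _session, _verb, target, _status = m.groups()
        # Assumption from the post: '+' in the log stands for a space on disk.
        for comp in target.replace("+", " ").split("/"):
            issues = component_issues(comp)
            if issues:
                findings.append((time, ip, comp, issues))
    return findings

if __name__ == "__main__":
    for time, ip, comp, issues in scan(SAMPLE_LOG):
        print(f"{time} {ip} {comp!r}: {', '.join(issues)}")
```

The flagged components are the ones that need a path form which skips Win32 name normalization (for example the `\\?\` prefix) before ordinary delete commands will accept them.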