From: Brett Moore (brettsoftwarecreations.co.nz)
Date: Fri Dec 14 2001 - 18:57:47 CST


    Requests come through mailing lists at least twice a month for help in removing
    these warez folders. Somebody who has the time should compile an FAQ on how
    to counter these. If the warez traders have sites with help on how to set up
    these folders, then security professionals should share the same information
    but in a defence format.

    The problem with the original sender, I would take a good guess, is the
    alt-255.
    Other problems include invalid file paths etc.

    Most of the replies are the usual, but one I don't often see is:

    rd <dirname> /s

    you may need to do a

    del <dirname> /s

    first to delete the files.

    If <dirname> is an invalid name then you may need to move subfolders.

    Of course this is straight from my head, whereas an FAQ would have all the
    answers.

    > -----Original Message-----
    > From: James D. Stallard [mailto:James.Stallardbtinternet.com]
    > Sent: Saturday, 15 December 2001 03:51
    > To: focus-ms-return-2660-securityfocus=leafgrove.comsecurityfocus.com;
    > florian.duerrdimensionx.ch
    > Cc: focus-mssecurityfocus.com; sascha.andreskeatec.com
    > Subject: RE: Antwort: AW: RE: strange exploit in Win2K server
    >
    >
    > Try moving the problem folder to another subdirectory and using the
    > following notation to remove the entire structure:
    >
    > Rd \\.\DRIVELETTER\DIRECTORY
    >
    > Ie:
    > Rd \\.\c:\temp
    >
    > Hope this helps
    >
    > James
    >
    > -----Original Message-----
    > From: focus-ms-return-2660-securityfocus=leafgrove.comsecurityfocus.com
    > [mailto:focus-ms-return-2660-securityfocus=leafgrove.comsecurityfocus.c
    > om]
    > Sent: 13 December 2001 21:50
    > To: florian.duerrdimensionx.ch
    > Cc: focus-mssecurityfocus.com; sascha.andreskeatec.com
    > Subject: Antwort: AW: RE: strange exploit in Win2K server
    >
    >
    > Hi,
    >
    > have you tried to map the drive from an NT 4.0 box and then use rm? This
    > might do the trick.
    >
    > Kind regards,
    >
    > Jens Mickerts
    > Senior Technology Consultant
    > Axentiv AG
    >
    >
    >
    >
    >
    > "Florian Duerr" <florian.duerrdimensionx.ch>
    > 13.12.2001 18:14
    > Please reply to florian.duerr
    >
    >
    > To: <sascha.andreskeatec.com>
    > Cc: <focus-mssecurityfocus.com>
    > Subject: AW: RE: strange exploit in Win2K server
    >
    >
    > Hi Sascha
    >
    > I've already tried that and it's really empty.
    > Besides, I made an important mistake:
    >
    > rm doesn't run on W2K because of the lack of
    > the POSIX subsystem ;)
    >
    > BUT the problem is still here. I just can't remove
    > that directory ""!
    >
    > Any more ideas?
    >
    > Thx
    >
    > Kind regards,
    >
    > Florian Durr
    > MCP W2K / Systems Engineer
    > Webmaster of www.DimensionX.ch
    >
    > --> http://www.DimensionX.ch
    >
    >
    >
    > hi,
    > > I've got a similar problem with a folder "" (empty).
    > > Some hacker created that folder on my public ftp (there's a
    > > need for that)
    > is it possible that the directory is _not_ "" but " ",
    > not simply a blank but something like AltGr+255?
    > because 'md ' just says the same as 'rm '.
    >
    > ciao sascha
    >
    >
    >
    >
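The thread's advice boils down to two things: find out what the "empty" folder is really called (Alt+255, trailing spaces or dots, a reserved device name), and then delete it through a path form that skips Win32 name normalisation, which is what James's `Rd \\.\c:\temp` relies on. The script below is an added example, not code from anyone in the thread: it audits a directory tree for such names, reports why each one is a problem, and removes a flagged entry through the `\\?\` prefix (the form Microsoft documents for bypassing normalisation; `\\.\` is the device-namespace cousin used in the thread). It assumes Python 3.8+ and the standard library only; the characters it treats as "Alt+255 lookalikes" (U+00A0 under CP437-style OEM code pages, U+00FF under Windows-1252) are my assumption about what Alt+255 produces, and the sample FTP tree it builds in a temp directory is constructed for the demonstration.

```python
"""Audit a directory tree for names that cmd.exe tools choke on, and remove them
through an extended (\\?\) path. Added example, not part of the thread."""
import os
import shutil
import sys
import tempfile
from typing import Dict, List, Tuple

# Win32 reserves these as device names, even with an extension ("nul.txt").
WIN32_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
# Assumption: what Alt+255 yields under CP437-style (U+00A0) and 1252 (U+00FF) code pages.
ALT255_LOOKALIKES = {"\u00a0", "\u00ff"}


def classify_name(name: str) -> List[str]:
    """Return the reasons one path component is hard to handle with ordinary Win32 tools."""
    reasons = []
    if name.strip(" ") == "":
        reasons.append("blank-only")
    if name != name.rstrip(" ."):
        reasons.append("trailing-space-or-dot")  # Win32 normalisation silently strips these
    if any(ch in ALT255_LOOKALIKES for ch in name):
        reasons.append("alt-255-lookalike")
    if any(ord(ch) < 0x20 for ch in name):
        reasons.append("control-char")
    stem = name.split(".", 1)[0].rstrip(" ")
    if stem.upper() in WIN32_RESERVED:
        reasons.append("reserved-device-name")
    return reasons


def extended_path(path: str) -> str:
    r"""On Windows, prefix an absolute path with \\?\ so the Win32 layer skips name
    normalisation (os.path.abspath is avoided on purpose: it would normalise too).
    On other platforms the absolute path is returned unchanged."""
    if not os.path.isabs(path):
        path = os.path.join(os.getcwd(), path)
    if sys.platform != "win32" or path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):  # UNC share -> \\?\UNC\server\share\...
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root and map each suspicious entry (relative path) to its reasons."""
    base = extended_path(root)
    findings: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(base):
        for name in dirnames + filenames:
            reasons = classify_name(name)
            if reasons:
                full = os.path.join(dirpath, name)
                findings[full[len(base):].lstrip(os.sep)] = reasons
    return findings


def remove_entry(path: str) -> None:
    """Delete a flagged entry via its extended path (rmtree plays the role of `rd /s`)."""
    target = extended_path(path)
    if os.path.isdir(target) and not os.path.islink(target):
        shutil.rmtree(target)
    else:
        os.remove(target)


def build_sample_tree(root: str) -> None:
    """Constructed sample: the kinds of names the thread describes under pub/incoming."""
    incoming = os.path.join(root, "pub", "incoming")
    for name in ["\u00a0", " ", "warez.", "con"]:
        os.makedirs(extended_path(os.path.join(incoming, name)), exist_ok=True)
    with open(extended_path(os.path.join(incoming, "\u00a0", "list.nfo")), "w") as fh:
        fh.write("constructed sample\n")


def run_demo() -> Tuple[int, int]:
    """Build the sample, report findings, remove the Alt+255 folder, and return
    (findings before removal, findings after removal)."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    try:
        build_sample_tree(root)
        before = scan_tree(root)
        for rel, reasons in sorted(before.items()):
            print(f"{rel!r}: {', '.join(reasons)}")
        remove_entry(os.path.join(root, "pub", "incoming", "\u00a0"))
        after = scan_tree(root)
        return len(before), len(after)
    finally:
        shutil.rmtree(extended_path(root))


if __name__ == "__main__":
    print(run_demo())
```

Run it as-is to see the four flagged folders and the count drop to three once the Alt+255 folder is removed; to audit a real upload area, call `scan_tree(r"D:\ftp\pub\incoming")` and review the report before calling `remove_entry` on anything. Because the report shows the repr of each name, a folder that looks empty in Explorer or `dir` shows up as `'\xa0'` or `' '`, which is exactly the question Sascha raised in the thread.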