Security Basics mailing list archives
Reserved named COM1 used as filename - IIS W2K
From: Geo You <gyoung () gldata com>
Date: 1 Feb 2004 11:29:15 -0000
In-Reply-To: <20031212162003.CD21516AF26 () hueymiccailhuitl mtu ru>

When a web site is created under IIS on a W2K server with FrontPage extensions, there are a number of directories created for FrontPage. One of these directories is _vti_pvt, and it is created with write permission to all - oops! Hackers continuously probe websites looking for this directory and, if they find a writable _vti_pvt directory, proceed to write an extensive directory structure which is then populated with WAREZ material. It takes about 2 days for hackers to find an open directory on a new website. An unsuspecting web server owner then becomes the host for gigabytes of copyright data and may notice a huge increase in the net traffic through his site as hackers all over the world upload and download gigs of files.

In order to prevent the hackers' directory structure from getting deleted, they will often call the first subdirectory "com1 ", com1 with one or more spaces after it. Since Windows ignores the spaces, the name is interpreted as the reserved name for the serial port. If you try to delete a folder with that name, nothing happens except perhaps your window session hangs. Also, these directories are not owned by any legitimate user account on the server, so even if Windows didn't treat it as a reserved name, you still would not have permission to access the directory.

Attempting to use POSIX commands to delete these directories proved fruitless. Properly syntaxed POSIX commands resulted in messages about not having permission to delete the directory or messages stating the directory was not empty.

What did work was:

1.) First get rid of the COM1 serial port from the Windows OS. Either go into the BIOS of the PC and delete COM1, or go into the Hardware Device Manager and uninstall COM1. You can also try stopping the Plug and Play service, but so many things under Windows use that service you may have trouble.

2.) Then from DOS go to the _vti_pvt directory and issue

    dir /x

This will show you the long and short names of the directory. COM1 with a bunch of spaces will show up as COM1~1. Then:

    ren COM1~1 xxx

Rename the file; if it complains about not having permission, it's probably because you don't own the file - yet! Since COM1 has been removed from the system, you can go back to Windows, right-click on _vti_pvt and bring up the Properties. Go into Advanced, then Owner, highlight the Administrator account, click the "Replace owner on subcontainers" box and hit Apply. Administrator can now take ownership of the COM1~1 directory. Back on the first screen, make sure that Administrator and Everyone have full rights to the directory, and propagate the changes down the directory tree as far as you can. Back to the DOS window and rename the directory. Proceed down the file hierarchy to the next directory. You will have to alternate back and forth between renaming directories, then taking ownership of them and setting permissions. It took about 30 minutes to get through a 10-level-deep directory structure. The system hung twice and had to be rebooted.

Obviously this hack of the file structure does some damage to the Windows file system.

George Young
G-L Data Inc
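The following batch script is an added example and is not part of George Young's post. It scripts the same clean-up (audit the _vti_pvt ACL, list the 8.3 alias with dir /x, take ownership, delete the tree) but swaps in a different technique for the reserved name: instead of uninstalling the COM1 port, it addresses the directory through its 8.3 alias COM1~1 behind the \\?\ path prefix, which tells the Win32 path parser to pass the name through without DOS-device-name handling. Assumptions: an administrator cmd.exe session on the IIS host, the hypothetical site path C:\Inetpub\wwwroot\_vti_pvt, the alias COM1~1 as reported by dir /x, an English "Everyone" group name, and the takeown /f /r /d y syntax of the version built into Windows since Vista (the Windows 2000 Resource Kit takeown differs). The final step revoking Everyone's write access assumes FrontPage authors are granted rights explicitly rather than via Everyone.

```batch
@echo off
rem Added example, not from the original post. Assumes an administrator
rem cmd.exe session and a FrontPage directory at the hypothetical path
rem C:\Inetpub\wwwroot\_vti_pvt. The reserved-name directory is reached
rem via its 8.3 alias COM1~1 (as shown by "dir /x") behind the \\?\ prefix,
rem which makes Win32 skip DOS-device parsing, so COM1 can stay installed.
setlocal
set "PVT=C:\Inetpub\wwwroot\_vti_pvt"
set "BADSHORT=COM1~1"

echo === 1. Audit: does _vti_pvt grant Everyone write access? ===
rem cacls prints one ACE per line, e.g. "Everyone:(OI)(CI)F".
rem F (full), C (change) and W (write) are each enough to drop files.
rem "Everyone" is the English group name; localized systems differ.
cacls "%PVT%" | findstr /i /r "Everyone:.*[FCW]$" >nul && (
    echo WARNING: %PVT% is writable by Everyone
)

echo === 2. List long and short names of the subdirectories ===
dir /x /a:d "%PVT%"

echo === 3. Delete the reserved-name directory tree ===
set "BAD=\\?\%PVT%\%BADSHORT%"
rem Try rd on the \\?\-prefixed path first. If it fails (usually access
rem denied because the tree is owned by an unknown SID), take ownership,
rem grant Administrators full control recursively, and retry. "||" is used
rem rather than ERRORLEVEL because rd does not reliably set it on failure.
rem takeown and cacls are assumed to accept the \\?\ prefix.
rd /s /q "%BAD%" 2>nul || (
    echo Access denied; taking ownership and fixing ACLs first
    takeown /f "%BAD%" /r /d y >nul
    cacls "%BAD%" /t /e /g Administrators:F >nul
    rd /s /q "%BAD%"
)

echo === 4. Close the hole: revoke Everyone's write access on _vti_pvt ===
rem Assumes FrontPage authors get their rights explicitly, not via Everyone.
cacls "%PVT%" /t /e /r Everyone >nul
cacls "%PVT%" /t /e /g Everyone:R >nul
endlocal
```

Run it once per reserved-name directory found by dir /x (set BADSHORT accordingly); because the whole subtree is removed with rd /s through the prefixed path, the rename-then-take-ownership loop at each level of the hierarchy is not needed.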
Current thread:
- Reserved named COM1 used as filename - IIS W2K Geo You (Feb 02)
- IIS Sniffing for newb Edmund Mitchell (Feb 02)
- SV: IIS Sniffing for newb Kim Guldberg (Feb 02)
- Re: IIS Sniffing for newb John LeMay (Feb 02)
- MBSA 1.2 Nagy Gergely (Feb 03)
- Re: MBSA 1.2 Rohan Amin (Feb 06)
- RE: MBSA 1.2 Nagy Gergely (Feb 10)
- RE: MBSA 1.2 Deniz CEVIK (Feb 11)
- Re: MBSA 1.2 Rohan Amin (Feb 11)
- RE: MBSA 1.2 Aditya, ALD [Aditya Lalit Deshmukh] (Feb 12)
- RE: MBSA 1.2 Deniz CEVIK (Feb 12)