RE: pubdestroyer2001.exe via anonymous FTP?

[Chip McClure <vhm3 () hades dnsalias net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Under NTFS, there's no way that I know of to get rid of a directory, or
filename, that contains any reserved filename. In the old days, with FAT,
FAT32, or whatever else, I had the same problem - went in with a hex
editor in the FAT tables and renamed it. If there are any tools like that
for NT/2K, that would be the only solution I could think of.

Creating the file, is a different story. The OS will let you create any
file, with any name. Even with security proccesses in place on NT, you
might be able to thwart it on normal users, but since IIS runs as a system
privledged account - there's no way around that.

- -----
Chip McClure
Sr Unix Administrator
GigGuardian, Inc.

http://www.gigguardian.com
- -----

On Thu, 27 Sep 2001, Slivkoff, Michael M wrote:

> I had a problem like this.  I had an upload directory on anonymous ftp that
> was set write only.  Some wonderful person tagged it with a directory called
> com1.  Couldn't get rid of it for the life of me (win2k system).  I still
> have a write only anonymous upload directory, but I disabled directory
> create.  Anyone know how to get rid of a directory named with a
> system-reserved name? Other than deleting the drive.  And how would you
> create it in the first place?
>
> -----Original Message-----
> From: Patrick Andry [mailto:pandry () wolverinefreight ca]
> Sent: Thursday, September 27, 2001 12:47 PM
> To: Mike Shaw
> Cc: incidents () securityfocus com
> Subject: Re: pubdestroyer2001.exe via anonymous FTP?
>
>
> Mike Shaw wrote:
>
> > I'm working with someone who had unwittingly left an anonymous ftp
> > server available to the 'net with write access.
> >
> > The good news: nice mp3 and Divx collection.
> > The bad news: In the root there was a file named pubdestroyer2001.exe
> > that we had some trouble deleting.  There were many spaces at
> > the end of the file name.  We were able to nix it by deleting the 8.3
> > file name.
> >
> > Has anyone seen this before?  Anyone interested in a copy of the file?
> >
> > Thanks
> > -Mike
> ----------------------------------------------------------------------------
>
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management and
> > tracking system please see: http://aris.securityfocus.com
>
> Undeletable files are a norm among warez sites.  Also hidden and/or
> undeletable directories are also a trademark.  There was a discussion
> here about it a few months back.  Essentially, it's a last ditch effort
> to prevent the sysadmin from cutting off the warez ftp.  Usually keeps
> the site going for a few minutes extra :)
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBO7OJqIxq/3tb9j7EEQJA5wCdEsbzQBE2yMb5bT7xQ9Xhy4D8x+kAnAmr
4A7SJWOxVODvEumILxKEN/tu
=3cOp
-----END PGP SIGNATURE-----



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com