Security Incidents mailing list archives

RE: pubdestroyer2001.exe via anonymous FTP?

From: "Benninghoff, John" <JABenninghoff () DainRauscher com>
Date: Thu, 27 Sep 2001 15:38:34 -0500

You can remove files like this using the POSIX subsystem.

http://support.microsoft.com/support/kb/articles/Q120/7/16.asp

-----Original Message-----
From: Slivkoff, Michael M [mailto:michael.slivkoff () eds com]
Sent: Thursday, September 27, 2001 1:49 PM
To: 'incidents () securityfocus com'
Subject: RE: pubdestroyer2001.exe via anonymous FTP?

I had a problem like this.  I had an upload directory on anonymous ftp
that
was set write only.  Some wonderful person tagged it with a directory
called
com1.  Couldn't get rid of it for the life of me (win2k system).  I
still
have a write only anonymous upload directory, but I disabled directory
create.  Anyone know how to get rid of a directory named with a
system-reserved name? Other than deleting the drive.  And how would you
create it in the first place?

-----Original Message-----
From: Patrick Andry [mailto:pandry () wolverinefreight ca]
Sent: Thursday, September 27, 2001 12:47 PM
To: Mike Shaw
Cc: incidents () securityfocus com
Subject: Re: pubdestroyer2001.exe via anonymous FTP?

Mike Shaw wrote:

I'm working with someone who had unwittingly left an anonymous ftp 
server available to the 'net with write access.

The good news: nice mp3 and Divx collection.
The bad news: In the root there was a file named pubdestroyer2001.exe 
that we had some trouble deleting.  There were many spaces at
the end of the file name.  We were able to nix it by deleting the 8.3 
file name.

Has anyone seen this before?  Anyone interested in a copy of the file?

Thanks
-Mike

------------------------------------------------------------------------
----


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and 
tracking system please see: http://aris.securityfocus.com


Undeletable files are a norm among warez sites.  Also hidden and/or 
undeletable directories are also a trademark.  There was a discussion 
here about it a few months back.  Essentially, it's a last ditch effort 
to prevent the sysadmin from cutting off the warez ftp.  Usually keeps 
the site going for a few minutes extra :)



------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Current thread:

pubdestroyer2001.exe via anonymous FTP? Mike Shaw (Sep 27)
- Re: pubdestroyer2001.exe via anonymous FTP? Patrick Andry (Sep 27)
- <Possible follow-ups>
- RE: pubdestroyer2001.exe via anonymous FTP? Slivkoff, Michael M (Sep 27)
  - RE: pubdestroyer2001.exe via anonymous FTP? Chip McClure (Sep 27)
- RE: pubdestroyer2001.exe via anonymous FTP? Benninghoff, John (Sep 27)
  - Re: pubdestroyer2001.exe via anonymous FTP? Kevin Reardon (Sep 27)