
iis ftp : directories that cannot delete



frank
10/22/2004 4:45:51 PM
Hi,

A hacker got onto my FTP server and created weird directories. The
directory names have words such as com1, lpt and so on, and I am unable to
delete them. What should I do? Thanks.

Frank

Alun Jones [MSFT]
10/23/2004 4:39:45 PM
While that is really good advice for someone who's been the victim of a
general hacking attack, where it is likely that the attacker has managed to
get their executable code running on the attacked system, this sounds more
like it's a case of FTP "tagging". What happens is that a malfeasant will
scan random addresses on the Internet for FTP servers. When they find one,
they log on as "anonymous" and try to upload a file. When they succeed,
they start uploading any number of files that they want to share with others
around the world, and then they publish your FTP site's location among their
acquaintances. As you can imagine, since this is a mostly effective attempt
to hide their own involvement in publishing these files, most of what is put
onto such an FTP site is illegal in some of the worst ways. Pirated movies
and software are just the start of it - I'm sure you don't need me to go
into great detail as to the sort of stuff that you (and your users) may find
on your servers as a result of this.

You can follow the instructions at http://support.microsoft.com/?id=811176
to delete these directories and files, or, since the files were created
through FTP, they can be just as easily deleted through FTP - use a
graphical FTP client, log on to the server, select the files and/or
directories, and delete them.

This is a natural consequence of having an FTP server (even a private one)
where anonymous access is enabled and "Write" access has been granted to the
anonymous user. Use NTFS permissions to prevent anonymous users from
writing to your system.

In most cases of hacking, the "FFR" - FDISK, Format, Reinstall - approach is
a good one. In this case, however, it does not appear that your system was
hacked - it appears that the unwanted files were uploaded by someone who was
using a regular protocol to do exactly what the protocol - and the
administrator's configuration of that protocol - allowed them to do.
Removing the files and tightening the protection should be sufficient, so
long as you see no other signs of intrusion. I would advise checking the
system to ensure that there are no other signs of intrusion.

Alun.
~~~~
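As an added example (not code from this thread or from Microsoft), the script below scans an FTP root for the entries tagging leaves behind that Explorer and the normal command-line tools refuse to address: names built from Win32 reserved device names (com1, lpt1, nul and friends, with or without an extension) and names ending in a space or dot. On Windows it removes them through the `\\?\` extended-length path form, which makes the Win32 layer pass the name through without device-name parsing; the function names and the sample directory tree in `demo_scan` are constructed for this example.

```python
import os
import shutil
import tempfile

# Win32 reserved device names. A name whose part before the first dot matches
# one of these (case-insensitive) is treated as a device by the Win32 path
# parser, so "rd"/"del" and Explorer cannot reach it once it exists on disk.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_name(name: str) -> bool:
    """True if `name` (with or without an extension) is a reserved device name."""
    return name.split(".", 1)[0].rstrip(" ").upper() in RESERVED


def extended_path(path: str) -> str:
    r"""Return the \\?\ form of an absolute Windows path; the Win32 layer then
    hands the name to the file system without reserved-name or trailing-dot
    processing, which is what lets such entries be opened and deleted."""
    return path if path.startswith("\\\\?\\") else "\\\\?\\" + path


def _raw(path: str) -> str:
    """Use the extended-length form only where it exists (Windows)."""
    return extended_path(os.path.abspath(path)) if os.name == "nt" else path


def find_tagged_entries(root: str) -> list:
    """Walk `root` and list (path, reason) for entries normal tools cannot delete."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):   # errors while descending are ignored
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if is_reserved_name(name):
                hits.append((full, "reserved device name"))
            elif name != name.rstrip(" ."):
                hits.append((full, "trailing space or dot"))
    return hits


def remove_entry(path: str) -> None:
    """Delete one flagged file or directory tree via the extended-length path."""
    target = _raw(path)
    shutil.rmtree(target) if os.path.isdir(target) else os.remove(target)


def demo_scan() -> list:
    """Build a constructed FTP root in a temp dir and return (basename, reason) hits."""
    root = tempfile.mkdtemp()
    try:
        for d in ("pub", "com1", "lpt1", "tagged."):      # constructed sample names
            os.mkdir(_raw(os.path.join(root, d)))
        open(_raw(os.path.join(root, "pub", "nul.txt")), "w").close()
        return sorted((os.path.basename(p), why) for p, why in find_tagged_entries(root))
    finally:
        shutil.rmtree(_raw(root))
```

Run `find_tagged_entries` against the real FTP root first and review the list before handing each entry to `remove_entry`; the scan is read-only.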


Dave
10/23/2004 8:14:17 PM
Unplug from the world.
Preferably flatten the server and reinstall from scratch, since you have no
way to know what else they may have done at this point... but if you must
keep it running:
Go search the knowledge base for how to delete directories with reserved
names.
Scan with every virus and malware scanner you can download.
Disable anonymous FTP access, change account passwords to real strong
passwords, make sure all your patches are up to date, read a few dozen web
pages about securing IIS and FTP servers, install a firewall, then maybe
plug back in and watch things carefully in the future.
