Posts Tagged ‘Security’

How to: Install APF (advanced policy firewall) for Linux

Wednesday, March 9th, 2011


This article explains how to quickly install and configure APF (Advanced Policy Firewall) for Linux.


How do I delete directories hackers create on my system?

Tuesday, February 14th, 2006

Occasionally we all make mistakes: you leave anonymous FTP enabled with write access, and some 12-year-old kid uploads his Britney Spears MP3 collection to your web server. Or you find yourself with a 200GB hard drive of which you have used only 30GB, yet Windows reports only 20GB free, and you discover that your RECYCLER folder has been playing generous host to a pile of German pornography for who knows how many months.

Many times simply finding these files is a daunting task in itself; we have written a separate in-depth article that exposes the common methods your average 13-year-old N-SYNC fan uses to park his Madonna MP3 collection on your corporate file server. Once you have found the files and then cannot delete them, you have hit one of the most frustrating moments a system administrator gets to experience.

To do this, we fall back on a relic from the DOS era (thanks Microsoft): unless 8.3 short-name generation has been disabled on the volume, every folder whose name is not already a valid 8.3 name also carries an auto-generated 8.3 alias, and cmd.exe accepts that alias anywhere the real name cannot be typed.

If you do not already know how to do this, open a command prompt:

Click Start, choose Run, type cmd.exe and press Enter.

Navigate to the parent folder of the questionable content, e.g. the folder named " . . . . I Jh0000n yoUhz!". Use the /d switch so that cd changes the current drive as well as the directory:

cd /d e:\inetpub\wwwroot\site

First we take a quick look at the directory to see what we see:

E:\inetpub\wwwroot\site>dir
 Volume in drive E is IIS
 Volume Serial Number is 1034-05BD

 Directory of E:\inetpub\wwwroot\site

03/02/2006  03:26 PM    <DIR>          .
03/02/2006  03:26 PM    <DIR>          ..
12/30/2003  11:22 AM    <DIR>
12/20/2003  11:11 AM    <DIR>          Admin

Do you notice that there is a directory with no label? Its real name is made of characters the console does not display (spaces and dots, control characters, or non-printable Unicode), so it shows up as a blank entry that you cannot type at the prompt. FTP hijackers and other script kiddies often use this technique to mask their activity, throw off system administrators and make their "distro sites" harder to delete. It is in fact very simple to delete them. The /x switch makes dir print the 8.3 short name next to each entry:

E:\inetpub\wwwroot\site>dir /x
 Volume in drive E is IIS
 Volume Serial Number is 1034-05BD

 Directory of E:\inetpub\wwwroot\site

03/02/2006  03:26 PM    <DIR>                       .
03/02/2006  03:26 PM    <DIR>                       ..
12/30/2003  11:22 AM    <DIR>          0200~1
12/20/2003  11:11 AM    <DIR>                       Admin

Notice how the directory with no label is actually called 0200~1? That is the 8.3 alias Windows generated for it, and cmd.exe will accept it in place of the undisplayable real name. First we empty the directory. Given a directory name, del asks "Are you sure (Y/N)?" and then deletes every file directly inside it (it does not touch subdirectories):

del 0200~1

Now we remove the directory itself:

rmdir 0200~1

If rmdir complains that the directory is not empty, the intruder nested further folders inside it; rmdir /s /q 0200~1 removes the whole tree in one step. If dir /x shows no short name at all, 8.3 name generation has been disabled on that volume (the NtfsDisable8dot3NameCreation registry value), and you will have to address the folder by its real name instead, for example by quoting it with the \\?\ path prefix, which makes Windows hand the name to the file system without trimming trailing spaces and dots.

The massive store of Justin Timberlake MP3s is now gone, and young Timmy from Brazil has to fire up Bearshare and start all over again. (Boo, Hoo, Hoo.) The real question is: Do you know how those files got there? If you cannot honestly answer this question, you should read our article “Where’d my Disk Space Go?”
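As an added example (this is not code from the post, and not something the 2006-era IIS box above would have run), the script below automates the comparison you just did by eye between dir and dir /x: it walks a web root, flags directory names that would print as blank or misleading in a console listing, shows each one as repr() text and as the UTF-16LE bytes NTFS actually stores, asks Windows for the 8.3 alias via GetShortPathNameW, and can delete the hits through a \\?\ path so trailing spaces and dots survive Win32 path normalisation. The short-name lookup and the \\?\ prefix are Windows-specific; the detection logic is portable. The sample tree that demo_sample_run() builds (Admin, css, and a folder named with two zero-width spaces) is constructed here purely for illustration.

```python
"""Find directories whose names are built to vanish from a console listing
(all spaces and dots, control characters, zero-width or other invisible
Unicode), show them in a readable form together with the 8.3 alias that
`dir /x` prints, and optionally delete them.

Added example for the post above; it is not the author's code. The 8.3 lookup
and the \\?\ removal path are Windows-specific, the rest is portable. The
sample tree built by demo_sample_run() is constructed purely for illustration.
"""
import ctypes
import os
import shutil
import sys
import tempfile
import unicodedata

# Unicode general categories that print as nothing or as blank space in a
# console: control, format (zero-width chars) and the separator classes.
INVISIBLE_CATEGORIES = {"Cc", "Cf", "Zs", "Zl", "Zp"}


def is_disguised_name(name: str) -> bool:
    """True if a name would print as blank or misleadingly in `dir` output.

    Flags empty names, names made only of spaces and dots, names with leading
    or trailing spaces/dots (Explorer refuses to create these, FTP does not),
    and any invisible character other than an ordinary interior space.
    """
    if not name or name.strip(" .") != name:
        return True
    return any(unicodedata.category(c) in INVISIBLE_CATEGORIES and c != " "
               for c in name)


def hexdump_name(name: str) -> str:
    """The name as UTF-16LE bytes, which is how NTFS stores it on disk."""
    return name.encode("utf-16-le").hex(" ")


def short_path(path: str) -> str:
    """Windows only: the 8.3 alias `dir /x` shows, via GetShortPathNameW.

    Returns "" off Windows, and also when the volume has 8.3 generation turned
    off (NtfsDisable8dot3NameCreation); then the alias trick from the post
    fails and the \\?\ path used by remove_dir_tree() is the fallback.
    """
    if sys.platform != "win32":
        return ""
    fn = ctypes.windll.kernel32.GetShortPathNameW
    fn.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint]
    fn.restype = ctypes.c_uint
    buf = ctypes.create_unicode_buffer(32768)
    if not fn("\\\\?\\" + path, buf, len(buf)):
        return ""
    return buf.value.replace("\\\\?\\", "", 1)


def find_disguised_dirs(root: str) -> list:
    """Walk root; return (full_path, repr(name), utf16_hex, short_alias) hits."""
    root = os.path.abspath(root)  # normalise only the root, never the odd names
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            if is_disguised_name(d):
                full = os.path.join(dirpath, d)
                hits.append((full, repr(d), hexdump_name(d), short_path(full)))
    return hits


def remove_dir_tree(path: str) -> None:
    """Equivalent of rmdir /s /q. On Windows the \\?\ prefix bypasses Win32
    path normalisation so trailing dots and spaces reach NTFS untouched."""
    if sys.platform == "win32" and not path.startswith("\\\\?\\"):
        path = "\\\\?\\" + path
    shutil.rmtree(path)


def demo_sample_run() -> dict:
    """Constructed sample: Admin, css and a directory named with two zero-width
    spaces holding a stray file. Scan, delete the hit, rescan, report."""
    root = tempfile.mkdtemp(prefix="site_")
    for legit in ("Admin", "css"):
        os.mkdir(os.path.join(root, legit))
    hidden = os.path.join(root, "\u200b\u200b")
    os.mkdir(hidden)
    with open(os.path.join(hidden, "track01.mp3"), "wb") as f:
        f.write(b"ID3" + b"\x00" * 13)  # constructed placeholder, not a real MP3
    before = find_disguised_dirs(root)
    for full, *_rest in before:
        remove_dir_tree(full)
    result = {"found": [h[1] for h in before],
              "remaining": len(find_disguised_dirs(root)),
              "survivors": sorted(os.listdir(root))}
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no web root given: run on the constructed sample
        print(demo_sample_run())
        sys.exit(0)
    for full, shown, hexed, alias in find_disguised_dirs(sys.argv[1]):
        print(f"{shown:<32} utf16={hexed}  short={alias or '-'}")
        if "--delete" in sys.argv[2:]:
            remove_dir_tree(full)
```

Run it as `python findhidden.py E:\inetpub\wwwroot` to list suspects first, and add `--delete` only once you have looked at the repr() and hex columns; a legitimate folder with a non-breaking space in its name will be flagged too, which is exactly the kind of thing you want a human to judge before anything is removed.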

-Drew