Unicoded Directory Structure

  • Merciless_Mike
    Member
    • Mar 2003
    • 90

    #1

    Unicoded Directory Structure

    On my hosting server (up to date Win2K IIS 5.0) running Cold Fusion. This site required Front Page extensions so they are installed. Under the _vti_pvt folder I found a few "extra folders" that contained, several folders down the chain, several gigs of warez. They just appeared overnight. I went in to delete them and am not able to... "Cannot read source file or disk" error. The only way to traverse these directories is to "explore"; direct access returns the same error. One of the directory names is "con666 ;;; . " and is followed by others with like names.

    2 questions:
    1 What is the exploit that allows this?
    2 How to delete these?
    Poll (8 votes):
    • You stumped me: 12.50% (1)
    • Advanced user would know: 0% (0)
    • Made me think: 25.00% (2)
    • Find a new job: 62.50% (5)
    _____________________
    rootin shootin & tootin
  • astcell
    Human Rights Issuer
    • Oct 2001
    • 7512

    #2
    I have had similar issues, without going into detail.

    First, do you access Kazaa, Napster, or any other trading site with this machine or another machine on the same network? If so, I'd bet that your problem came from there. Once you connect to another's machine via file swapping you'd be amazed at the control you give folks.

    Second, I bet you cannot rename the files either. I bet you tried logging on locally with no results, right? There may be a file in there over 256 characters long, that really hoses the system.

    Best thing to do to get back to normal is to boot into Windows 98 and delete the file from there. Maybe burn it to a CD to examine it closer if you so desire. After you delete the folder, reboot into your old OS. It'll be gone. And stay away from Kazaa with that box! :>


    • blackwave
      Member
      • Jun 2002
      • 4270

      #3
      Re: Unicoded Directory Structure

      Originally posted by Merciless_Mike
      2 questions:
      1 What is the exploit that allows this?
      2 How to delete these?
      d00d.. look what you are running... not knowing what you have and have not patched, there could be millions of exploits out there... on any IIS box I have, I make sure the first thing I do is modify my ISAPI filter to not give away what I am running in the first place by scripts alone... regardless, your system being vulnerable and then getting hit was bound to occur. tip: Check your logs to see if any commands were ever issued to create all these via http...

      A simple way to remove the files is to go into command line (CMD.EXE) and snip it... Windows has a problem with extended ASCII characters such as ALT+255 .. it is very possible that the string "con666 ;;; . " is really con666(ALT+255);;;(ALT+255).(ALT+255), which Windows would not be able to deal with correctly or as expected... You get the same errors when trying to remove them. The latest patched XP handles this a little bit differently than the previous win32 systems... but it still fucks it up for the users...


      • Merciless_Mike
        Member
        • Mar 2003
        • 90

        #4
        snip... don't know that command... I'll look it up though... would a mapped drive from XP to the 2K box work???

        The server is for hosting.... The ISP I work for insists that we use IIS (little does the owner know). Not only that... the owner is insistent on creating these "sites" with no regard to security.... leaves it to me to clean up the mess... I went so far as to lock him out... that lasted about 1 day. I restricted his access and rights... again... lasted about a day. I have repeatedly warned him of the dangers of "Full Control" for ftp users...

        Went through the logs and no commands via HTTP... but I did find that it came through FTP... found the mkdir's... with the alt+255... there had to be a bot or script doing these creations, 5 requests from the same IP within 1 second... Maybe knowing the exact characters used might enable me to delete... I will test and post results...

        IIS = "Free 2 Own", though the lockdown tool helps quite a bit...
        _____________________
        rootin shootin & tootin

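The two defensive checks these posts describe (names built from reserved device names and ALT+255, and a scripted burst of FTP mkdir's from one IP inside a second) can be put into a small script. The example below is added here and is not code from any poster or from IIS; the log line layout it parses is a constructed simplification (date, time, client IP, user, command, argument, reply code), not the real IIS W3C format, and the sample lines are made up. The `\\?\` prefix it emits is the Win32 extended-length path syntax, which makes `rd /s /q` address a directory without the name normalisation that breaks Explorer on such names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Win32 reserved device names: a component whose base name (before the first
# dot, ignoring surrounding whitespace) matches one of these is not an ordinary file.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
# ALT+255 on a CP437 console produces byte 0xFF, which is U+00A0 (no-break space).
ALT_255 = "\u00a0"


def name_problems(name: str) -> List[str]:
    """Reasons a single path component is likely to confuse Explorer/cmd.exe."""
    problems = []
    base = name.split(".", 1)[0].strip().upper()
    if base in RESERVED_DEVICE_NAMES:
        problems.append("reserved device name")
    if name != name.rstrip(" ."):
        problems.append("trailing space or dot (stripped by Win32 path normalisation)")
    if ALT_255 in name:
        problems.append("contains no-break space (ALT+255)")
    if any((ord(c) < 32 or ord(c) > 126) and c != ALT_255 for c in name):
        problems.append("non-printable or non-ASCII character")
    if len(name) > 255:
        problems.append("component longer than 255 characters")
    return problems


def extended_length_path(path: str) -> str:
    r"""Prefix an absolute Win32 path with \\?\ so the API skips name normalisation
    (e.g. rd /s /q "\\?\D:\web\_vti_pvt\con666" removes what Explorer cannot)."""
    return path if path.startswith("\\\\?\\") else "\\\\?\\" + path


# Constructed, simplified log layout (not the real IIS W3C layout):
# date time client-ip user command argument reply-code
LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<user>\S+) "
    r"(?P<cmd>\S+) (?P<arg>.*?) (?P<status>\d{3})$"
)


def parse_log(lines: List[str]) -> List[Tuple[datetime, str, str, str]]:
    """Return (timestamp, ip, command, argument) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["ip"], m["cmd"].upper(), m["arg"]))
    return events


def suspicious_mkdirs(events) -> List[Tuple[str, str, List[str]]]:
    """MKD commands whose final path component has a name_problems() finding."""
    hits = []
    for _, ip, cmd, arg in events:
        if cmd == "MKD":
            problems = name_problems(arg.rstrip("/").rsplit("/", 1)[-1])
            if problems:
                hits.append((ip, arg, problems))
    return hits


def mkdir_bursts(events, threshold: int = 5,
                 window: timedelta = timedelta(seconds=1)) -> Dict[str, int]:
    """Clients issuing >= threshold MKD commands inside one sliding time window."""
    times_by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ts, ip, cmd, _ in events:
        if cmd == "MKD":
            times_by_ip[ip].append(ts)
    bursts = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), end - start + 1)
    return bursts


# Constructed sample: one scripted burst creating nested "undeletable" names, one normal session.
WAREZ_DIR = "con666" + ALT_255 + ";;;" + ALT_255 + "." + ALT_255
SAMPLE_LOG = [
    "#Constructed sample, not a real server log",
    f"2003-04-01 03:12:07 203.0.113.9 anonymous MKD /_vti_pvt/{WAREZ_DIR} 257",
    f"2003-04-01 03:12:07 203.0.113.9 anonymous MKD /_vti_pvt/{WAREZ_DIR}/aux{ALT_255} 257",
    f"2003-04-01 03:12:07 203.0.113.9 anonymous MKD /_vti_pvt/{WAREZ_DIR}/aux{ALT_255}/nul{ALT_255} 257",
    f"2003-04-01 03:12:08 203.0.113.9 anonymous MKD /_vti_pvt/{WAREZ_DIR}/aux{ALT_255}/lpt1{ALT_255} 257",
    f"2003-04-01 03:12:08 203.0.113.9 anonymous MKD /_vti_pvt/{WAREZ_DIR}/aux{ALT_255}/prn. 257",
    "2003-04-01 03:15:40 198.51.100.4 webmaster MKD /images 257",
    "2003-04-01 03:15:41 198.51.100.4 webmaster STOR /images/logo.gif 226",
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip, arg, problems in suspicious_mkdirs(events):
        print(f"{ip} MKD {arg!r}: {', '.join(problems)}")
    print("burst clients:", mkdir_bursts(events))
    print(extended_length_path("D:\\web\\_vti_pvt\\" + WAREZ_DIR))
```

Running it prints the five attacker mkdir's with their findings, reports 203.0.113.9 as the only client with a 5-in-1-second burst, and shows the `\\?\` form of the first offending directory. Adapting it to a real IIS log means replacing `LOG_LINE` with a pattern for the fields the server actually writes; the name checks and the burst logic stay the same.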

        • blackwave
          Member
          • Jun 2002
          • 4270

          #5
          Originally posted by Merciless_Mike
          insists that we use IIS (little does the owner know). Not only that... the owner is insistent on creating these "sites" with no regard to security....
          Sorry to hear you work for fucktards, I worked on one project that sucked the same kind of ass, it was based on 90% microsoft software, but was in specific an infosec system (notice the immediate conflict?)... after around 3 months of review I had to explain that this study was over, we were done... this shit wasn't going to work... of course the letter I had sent put a rope around my own neck... but in the end the project was dropped and all went a lot better than expected... now and then i hear rumors of that project reviving.. but they of course are just rumors... <hopefully> ... the moral of the story is sometimes you just have to get psycho and tell them to fuck off... :)


          • Merciless_Mike
            Member
            • Mar 2003
            • 90

            #6
            I have said exactly that to the owner on a couple of occasions. He then sees the errors in his ways, stays away from the network, but within a month, he's right back at it. Trust me, first job offer/find, I am out of this hell hole. Pay vs. hours.. sucks, I am the admin, which I have done for quite a few years now, and I have finally been hacked.... it was only a matter of time I know...

            BTW... I found how the Asians (IPs based out of Asia) got in... Owner, who set up this domain site, decided to allow anonymous write access, security... what security??? That is now fixed... as with 3 other domains...

            Been a long day...

            Thanks BW for the insight on special characters...

            EDIT-- I even voted for me to get a new job.... Thanks guys :)
            _____________________
            rootin shootin & tootin


            • blackwave
              Member
              • Jun 2002
              • 4270

              #7
              Originally posted by Merciless_Mike
              Thanks BW for the insight on special characters...
              You're welcome, glad to see you got it resolved... I used to love to fuck around and put these long ass folders that some of the techs couldn't for the life of them figure out how to remove them... that and the print+screened desktop replacement was the type of humor that existed back in the day in such a dry environment...


              • Merciless_Mike
                Member
                • Mar 2003
                • 90

                #8
                Originally posted by blackwave
                that and the print+screened desktop replacement was the type of humor that existed back in the day in such a dry environment...
                I still do that. I also love the net send messages to my techs with "Your Computer is infected with the 0sh1t.ws32 Worm"
                _____________________
                rootin shootin & tootin


                • Merciless_Mike
                  Member
                  • Mar 2003
                  • 90

                  #9
                  Final Note: When I started with this company, my friend's 3 year old could own any computer in the network... at least now after working here for a year, with few exceptions, you have to at least try a little before you can :)

                  My Motto: Those that can, do... Those that can't, teach... Those that can't teach, purchase.
                  _____________________
                  rootin shootin & tootin


                  • blackwave
                    Member
                    • Jun 2002
                    • 4270

                    #10
                    Originally posted by Merciless_Mike
                    I still do that. I also love the net send messages to my techs with "Your Computer is infected with the 0sh1t.ws32 Worm"
                    haha yes.. don't forget the scotch tape on the mouse... I have seen a support manager with a wall full of creds (crud)... drop to his knees after 2 hours of going into safe mode and removing his serial devices because his mouse was working fine before he turned around to refill his coffee cup on his personal coffee brewer... surely between the two of us we can write a few books on "how to annoy people at the office in 3 EZ steps". Ahhh.. the things we do to amuse ourselves... :)

                    Originally posted by Merciless_Mike
                    My Motto: Those that can, do... Those that can't, teach... Those that can't teach, purchase.
                    haha very sweet motto extension indeed!


                    • encrypt31945
                      Banned
                      • Apr 2003
                      • 266

                      #11
                      Originally posted by blackwave
                      haha yes.. don't forget the scotch tape on the mouse...
                      Scotch tape on the mouse?? Never heard of it, what do you do? This is probably something everyone knows about except me. :p Or I am just way too tired right now to think straight.


                      • Merciless_Mike
                        Member
                        • Mar 2003
                        • 90

                        #12
                        tape the ball... won't move... appears to be a dead mouse... better to tape the rollers inside, depends on time allowed with the mouse...

                        Also, with the newer optical mice: scotch tape with a small piece of paper to cover the sensor.... dead mouse....

                        There might be better ways, but this is what I do...uhhh I mean that is what I hear people do....
                        _____________________
                        rootin shootin & tootin


                        • astcell
                          Human Rights Issuer
                          • Oct 2001
                          • 7512

                          #13
                          I used to tape phone receivers, staplers, heck even tape the tape dispenser. You brought back memories for me so I taped down a buddy's mouse today, since he always messes with the knobs on my Aeron chair!


                          • encrypt31945
                            Banned
                            • Apr 2003
                            • 266

                            #14
                            Ohhh. I was really confused because I have an optical mouse and I was wondering how tape could affect it. I haven't seen a mouse with a ball in about a year. Everything where I live is always new.
