Member Avatar for EscCon

I was recently asked to help out with a local server.. when I got here, I found w2k service pack 4, norton anti-virus up to date, but that was pretty much it.. after running the typical gambit of tools, hijackthis, rootkitdefender, ewido, pest patrol, etc, I found a variety of baddies... backdoor.servU-based, heuristic.win32.morphine-crypted, etc.

now I've killed what I think are the bulk of the baddies, moved this box behind a firewall (and I dont' see any more broadcasts) but I want to track down some of the info on how and/or what this creative little (*#&#$&$#) person had done... in addition to serving as a movie/music server.

when I read the report from rootkitdef I see that there are folders under the winnt\system32\inetsrv folder \mandrake\site etc etc

now I can't see any of these files from explorer or IS I can open a dos prompt and get to them or at least some of them.. there are some that even from dos I get a reply "can't access this directory" not a message saying you miss typed it.. or it doesn't exist... but that even as local admin I apparently don't have authority to it..

I do have all the common settings set for show hidden files.. etc...

any suggestions would be very appreciated...

thanks

Dave

  • 2 Contributors
  • 2 Replies
  • 92 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by EscCon

Recommended Answers

All 2 Replies

Member Avatar for BinaryMayhem

eh? you can't see these folders from explorer?
did you check your settings? tools > folder options > view.
make sure you have show hidden files and folders selected AND
have uncheck "hide protected operating system files". that should let you see it in explorer. now right click the file and click the security tab. and make sure you group or admin account has premission to read / write / list / execute stuff on that directory. if not. you need to find an account that does.

remmber... you can't deleted a file that is locked open by an active process. that process must be killed and first.

what error do you get exactly? "access denied!"?

Member Avatar for EscCon

eh? you can't see these folders from explorer?
did you check your settings? tools > folder options > view.
make sure you have show hidden files and folders selected AND
have uncheck "hide protected operating system files". that should let you see it in explorer.

I agree it should let me see them... and yes I have done these steps. They act like a pst or internet cache files.. hidded from sight but if you know they exist.. you can find them.

now right click the file and click the security tab. and make sure you group or admin account has premission to read / write / list / execute stuff on that directory. if not. you need to find an account that does.

I can't get to them via windows, so I can't change the permissions thus my problem.

remmber... you can't deleted a file that is locked open by an active process. that process must be killed and first.

what error do you get exactly? "access denied!"?

and yes the error reads.. access denied... I think somehow someone loaded a linux kernal under a shell.. and that's why I can't get to the stuff....

still open to suggestions..


Dave

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.