
Can't delete mysterious folders from the Web server

I have a problem with the Web server, which I believe was caused by our external contractor who opened a port through the firewall to be used for FTP.

Since he opened this port, we are experiencing problems with the e-mail server. Also, I tried to upload a file, but I got an error message saying "the disk is full." At first I didn't believe this was possible, so I went to the server. But, lo and behold, the server was full. I checked the hard drive and found a bunch of folders that are occupying a lot of space. I tried to delete them, but got an error message that says "Cannot Delete File: Cannot read from the source file or disk."

What can I do? How can I eliminate those ghost folders?

Here is what has probably happened to you:

When that contractor opened up an FTP directory, someone else found your FTP server and started using it for what "they" wanted, which is almost certainly porn, stolen software or both. Here's what you need to do to fix it:

  • Get a command line window open on that box.
  • CD over to where all the trash is.
  • Use the command "DIR /X /A" to find the files. This will show you the short names of the files there. That's what you're going to have to use.
  • You can delete any directories with the RMDIR command, which you can abbreviate to RD. If you use the /S switch, it will delete all the files in the directory (which you probably want to do). If you use the /Q switch, it won't bore you with any warning messages.
  • You can delete any files with the DEL command, using the short file name again.
  • If you have any problems with this, use "CHKDSK /R" to check the disk to see if there are errors on it, and try again.

Should you still have problems, for example because they've put in files with names like COM1 (which Windows won't let you delete), try using the RM.EXE program from the Windows Resource Kit. It is a POSIX-style file deleter (just like the 'rm' command in Unix). You can delete files with it using: rm -d // driveletter / path using forward slashes / filename

For example: rm -d "//C/Program Files/x/y/COM1"

You can delete a whole directory like this: rm -r "//C/Program Files/FolderOfJunk"

Don't forget to close the hole in your firewall. You might also want to shut down the FTP server, seeing as how it was wide open.

You might also want to separate your functions across different machines. What I mean by that is to have a separate computer that is your mail server from one that is an FTP/HTTP server. You've seen why lots of people think that's a good idea.
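
The check below is an added example, not part of the original answer: it flags names in a directory listing that explain the "Cannot Delete File" error, covering the COM1 case mentioned above and, going beyond it, names that end in a space or dot, and it converts each hit to the // driveletter / path form used with rm. The sample paths and function names are constructed for illustration.

```python
import re

# Names the Win32 layer maps to devices instead of files (the COM1 case above).
RESERVED = {"CON", "PRN", "AUX", "NUL"} \
    | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}

def classify(name):
    """Return the reasons a single file or folder name resists DEL/RD/Explorer."""
    reasons = []
    # An extension does not help: "com1.txt" is still treated as the COM1 device.
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    if stem in RESERVED:
        reasons.append("reserved-device-name")
    # Win32 strips trailing spaces and dots, so the name it looks up never matches.
    if name not in (".", "..") and name != name.rstrip(" ."):
        reasons.append("trailing-space-or-dot")
    return reasons

def audit(paths):
    """Map each suspicious path to the sorted reasons found in its components."""
    findings = {}
    for path in paths:
        parts = [p for p in re.split(r"[\\/]", path) if p]
        hits = sorted({r for part in parts for r in classify(part)})
        if hits:
            findings[path] = hits
    return findings

def rm_path(win_path):
    """Convert C:\\dir\\file to the //C/dir/file form used with rm above."""
    drive, rest = win_path[0], win_path[2:]
    return "//" + drive + rest.replace("\\", "/")

# Constructed sample listing, not taken from a real server.
SAMPLE = [
    r"C:\Inetpub\ftproot\incoming\readme.txt",
    r"C:\Inetpub\ftproot\incoming\ tagged \COM1\x",
    r"C:\Inetpub\ftproot\incoming\lpt3.dat",
    r"C:\Inetpub\ftproot\incoming\backup.",
]

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE).items():
        print(", ".join(reasons), "->", rm_path(path))
```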

This was last published in January 2004