You cannot remove suspicious folders from the FTP file structure (811176)


The information in this article applies to:

  • Microsoft Windows 2000 Server

SYMPTOMS

You may experience the following symptoms on your Microsoft Windows 2000-based File Transfer Protocol (FTP) server:
  • New folders appear that do not belong in your FTP file structure.
  • When you try to use Windows Explorer to remove the folders from an FTP site, you may receive one of the following error messages:
    Access is denied
    Cannot delete File_name : Cannot read from the source file or disk
  • When you try to use the RD command to remove the folders from an FTP site, you may receive the following error message:
    The system cannot find the file specified
  • When you view the Properties dialog box for the folder, the Security tab is missing.
  • The new folders may have names such as Com1, Lpt1, CON, and PRN. Typically, these names are reserved for exclusive use by the operating system.

CAUSE

This problem may occur if a malicious attacker has damaged or altered the FTP site.

RESOLUTION

To remove these folders, use one of the following methods:

  • Method 1

    Use the RD "folder_name /" command to remove the folders. For example, at a command prompt, type RD "folder_name /", and then press ENTER.

    Note You cannot use this method to remove a folder unless the folder is empty. Therefore, you must remove the folders, in order, starting from the folder at the end of the folder hierarchy.

  • Method 2

    Use the folder short names to remove the folders. To determine the short names for the folders, type dir /x at the command prompt.

    Note This method applies even though the folders apparently do not use long file names.

    For example, if you have a folder that you cannot remove that is named "Test", follow these steps to remove the folder:
    1. At the command prompt, type dir /x. Information that is similar to the following appears: 
       
 Directory of C:\Inetpub\ftproot\foldername

02/26/2004  05:10p      <DIR>                          .
02/26/2004  05:10p      <DIR>                          ..
02/26/2004  05:10p      <DIR>TEST~1          test
      In this example, the short name for the "Test" folder appears as "TEST~1".
    2. Type RD test~1, and then press ENTER to remove the folder.
    Note You cannot use this method to remove a folder unless the folder is empty. Therefore, you must remove the folders, in order, starting from the folder at the end of the folder hierarchy.

  • Method 3

    You may not be able to use the methods that are provided earlier in this article to remove the folders, if the folders are using names that are reserved by the system. In this case, or if you want to perform a bulk operation and remove many folders with one command, you must back up the FTP structure, and then type RmDir \\.\ path\ftproot\folder_name /s to remove the FTP file structure. To do this, follow these steps:
    1. Use Microsoft Windows Backup or your preferred backup program to back up your FTP folders.
    2. Close Windows Explorer or any command prompt windows that may access the FTP folder structure.
    3. Remove the FTP component of Internet Information Services (IIS). To do this, follow these steps:
      1. In Control Panel, click Add/Remove Programs.
      2. Click Add/Remove Windows Components.
      3. Click Internet Information Services, and then click Details.
      4. Click to clear the File Transfer Protocol (FTP) Server check box, and then click OK.
      5. Click Next, and then click Finish.
    4. Type RmDir \\.\ path\ftproot\folder_name /s at the command prompt, and then press ENTER.

      For example, if your FTP root folder is in the default location in the C:\Inetpub folder, and the damaged FTP file structure is in a folder named "Test", type the following command, and then press ENTER:

      RmDir \\.\C:\Inetpub\ftproot\Test /s

      Warning This command will permanently delete the FTP file structure and all files that the structure contains. Verify that you have a working backup before you perform this step.
    5. Type Y to verify.
    6. Reinstall the FTP component of IIS. To do this, follow these steps:
      1. In Control Panel, click Add/Remove Programs.
      2. Click Add/Remove Windows Components.
      3. Click Internet Information Services, and then click Details.
      4. Click to select the File Transfer Protocol (FTP) Server check box, and then click OK.
      5. Click Next, and then click Finish.
    7. Use your backup program to restore the FTP structure that you want. For example, configure the restore process so that the problematic folders are not restored.

  • Method 4

    To use the WebDav tool to remove folders with reserved names, follow these steps:
    1. On a Windows 2000-based computer, install the Front Page Server extensions if these extensions are not already installed.
    2. Click Start, point to Programs, point to Administrative Tools, and then click IIS Manager. Expand the server object, right-click the default Web site, point to New, and then click Virtual Directory. The Virtual Directory Wizard appears.
    3. On the first page of the Virtual Directory Wizard, click Next. On the Virtual Directory Alias page, type an alias for the new virtual directory, and then click Next.
    4. On the Web Site Content Directory page, locate the path of the folder that contains the files that you want to delete in the Entire Path to the Directory That Contains the Content box. Typically, this location is %winroot%\inetpub\ftproot.
    5. On the Access Permissions page, click to select the READ, WRITE, and BROWSE check boxes. Click Next, and then click Finish.
    6. Start Internet Explorer. On the File menu, click Open, and then click to select the Open as Web Folder check box.
    7. In the Open box, type the Web address for the Virtual Directory site that you just created and that contains the files that you want to delete. For example, type http://IP_address_of_the_Web server/Virtual_Directory_alias_from_step_3, and then click OK. Do not go to the ftproot or another folder where the reserved name may have been placed. The folder will appear in the browser window.
    8. Delete any suspicious files or folders. To delete a file or folder, right-click the file or folder, and then click Delete. If your ftp server requires authentication to access the server, an authentication dialog box appears. You must have administrative credentials to delete folders or files.
Modification Type:MinorLast Reviewed:10/12/2004
Keywords:kbprb KB811176 kbAudEndUser kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.