CHeeKY Just Arrived
Joined: 13 Feb 2003 Posts: 3
|
Posted: Sat Sep 20, 2003 6:11 pm Post subject: Hiding folder in windows |
|
|
Well, basically what we're doing here is creating a folder which will
seem like a system folder (i.e. Control Panel/Recycle Bin, etc.).
What's gonna happen is that when the system admin tries to access this
folder he'll be redirected to its source, which means:
You make a fake folder that'll look like the Control Panel,
admin sees that and tries to get in, now instead of getting to the real
folder where your pub is he'll get into his Windows Control Panel.
But when you log in via your FTP client (like FlashFXP for example) you'll see your FTP content.
---how it's done---
You just make a new folder named like in the list below
and ta-da!
Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}
Internet Explorer.{FBF23B42-E3F0-101B-8488-00AA003E56F8}
Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}
My Computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
My Documents.{ECF03A32-103D-11d2-854D-006008059367}
Fonts.{BD84B380-8CA2-1069-AB1D-08000948F534}
Oh, and you can play with the names but the extension must stay the same, for example:
Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}
You can also call it BIGDIRECTORY.{21EC2020-3AEA-1069-A2DD-08002B30309D}
as long as you've got the {21EC2020-3AEA-1069-A2DD-08002B30309D} after the "."
|
Tom Bair SF Boss
Joined: 10 Aug 2002 Posts: 16776955 Location: Portland, Oregon USA
|
Posted: Sat Sep 20, 2003 6:28 pm Post subject: |
|
|
Now that you've shown us the exploit, are you able to show us a solution to the exploit short of formatting the affected hard drive?
I've seen where one or two of our members have been hit with this exploit and I can only recall the solution as being to format the drive.
|
whatwares Just Arrived
Joined: 07 Jul 2003 Posts: 1 Location: Netherlands
|
Posted: Sat Sep 20, 2003 7:08 pm Post subject: |
|
|
I've just discovered that when I made the folder control panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}, I couldn't view it in Windows Explorer, because I was indeed redirected to the Control Panel from Windows itself. However, when I tried to access the folder with Total Commander, I had no problems viewing or changing the contents of that folder in any way.
In other words: try a file manager from another manufacturer to work on those folders. Explorer has its own way of showing the folders, with a different starting point (the desktop instead of C:\).
|
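A detection sketch built on the observation above that tools other than Explorer list these folders normally (an added example, not part of any forum post): it walks a tree with plain filesystem calls and flags every directory whose name ends in `.{CLSID}`, reporting how many files really sit inside. The function name and report fields are assumptions; the CLSID table is the list from the first post.

```python
import os
import re

# CLSID suffixes listed in the thread, mapped to what Explorer opens instead.
KNOWN_CLSIDS = {
    "21EC2020-3AEA-1069-A2DD-08002B30309D": "Control Panel",
    "FBF23B42-E3F0-101B-8488-00AA003E56F8": "Internet Explorer",
    "645FF040-5081-101B-9F08-00AA002F954E": "Recycle Bin",
    "20D04FE0-3AEA-1069-A2D8-08002B30309D": "My Computer",
    "ECF03A32-103D-11D2-854D-006008059367": "My Documents",
    "BD84B380-8CA2-1069-AB1D-08000948F534": "Fonts",
}

# Any name ending in ".{GUID}" is flagged, not only the six above.
CLSID_SUFFIX = re.compile(
    r"\.\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$"
)


def find_clsid_folders(root):
    """Walk root with plain filesystem calls; report CLSID-suffixed directories."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            match = CLSID_SUFFIX.search(name)
            if not match:
                continue
            full = os.path.join(dirpath, name)
            # Count what is really stored inside, which Explorer would not show.
            files = sum(len(f) for _, _, f in os.walk(full))
            clsid = match.group(1).upper()
            findings.append({
                "path": full,
                "clsid": clsid,
                "shown_as": KNOWN_CLSIDS.get(clsid, "unknown shell object"),
                "files_inside": files,
            })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys
    for hit in find_clsid_folders(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("{path}  ->  {shown_as}  ({files_inside} files)".format(**hit))
```

Run it against the FTP root or a whole drive; a folder that Explorer presents as a system object but that holds files is the case the thread describes.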
CHeeKY Just Arrived
Joined: 13 Feb 2003 Posts: 3
|
Posted: Sat Sep 20, 2003 7:08 pm Post subject: |
|
|
Like in all things in life, there is more than one way to view information on what is upon your drive. Firstly, make sure your PC make isn't hackable.
Explore and use tools such as treeview to find hidden files.
You can log in via the FTP client as stated and delete files after your analysis has found the location; viewing .ini files of the infected machine etc. will gather these results. From there you can delete the files.
To remove any system files requires regedit and CLSID keys. Always back up, and depending on your level of expertise and file system, Internet Explorer and Network Neighbourhood are different, but for most: regedit...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace
There should be a set of keys under NameSpace, which you identify by the CLSID; remove from NameSpace and it won't trouble you no more.
Please back up the registry and, if you can, back up the drive so no mistakes can be made.
|
Mongrel SF Mod
Joined: 30 May 2002 Posts: 8
|
Posted: Sat Sep 20, 2003 10:50 pm Post subject: |
|
|
Get deltree.exe, put it into your system32 folder, shut down the FTP service,
go to a command prompt in the container folder of your FTP 'pub' and
deltree it.
I just tried it and it works like a champ.
|
Tom Bair SF Boss
Joined: 10 Aug 2002 Posts: 16776955 Location: Portland, Oregon USA
|
Posted: Sun Sep 21, 2003 11:25 pm Post subject: |
|
|
I've just made this topic a sticky one so it will stay at the top of the listing. It should prove excellent resource material for those who have this particular problem and are researching/searching for a cure to it.
Job well done, dudes!
|
Kasket Just Arrived
Joined: 09 Feb 2004 Posts: 0
|
Posted: Mon Feb 09, 2004 3:34 pm Post subject: |
|
|
Very nice information.
|
Darksat Just Arrived
Joined: 09 Sep 2004 Posts: 0 Location: Banned
|
Posted: Thu Sep 09, 2004 4:22 pm Post subject: |
|
|
If you're looking to hide files, why not just use encrypted magic folders?
|
Arkantos Just Arrived
Joined: 01 Nov 2004 Posts: 0 Location: Kolkata, India
|
Posted: Mon Nov 01, 2004 11:55 pm Post subject: |
|
|
Hi, I am new to this place.
Is going into the file system by way of DOS, deleting the dir, a viable solution??
There are plenty of for opening up NTFS/HPFS partitions from DOS6.22
|
ryansutton Trusted SF Member
Joined: 25 Aug 2004 Posts: 67 Location: San Francisco, California
|
Posted: Tue Nov 02, 2004 12:19 am Post subject: |
|
|
Sure if you like typing. Personally I prefer the DOS shell over explorer. Of course the same can be done from the Windows Explorer.
|
E-Mind Just Arrived
Joined: 25 May 2005 Posts: 0 Location: Palo Alto, CA
|
Posted: Wed Jun 15, 2005 7:33 pm Post subject: |
|
|
In the folder tree view just press F2 when you are on the folder and rename it - you would be able to access it again and delete it.
|
isohseis Just Arrived
Joined: 25 Nov 2005 Posts: 0
|
Posted: Fri Nov 25, 2005 7:41 am Post subject: |
|
|
I am a newbie, and I created those folders properly, it worked as you said it would, but I do not know how to access the REAL information inside the folder. Can someone help me?
|
AdamV SF Mod
Joined: 06 Oct 2004 Posts: 24 Location: Leeds, UK
|
Posted: Fri Nov 25, 2005 11:18 am Post subject: |
|
|
Like the article said, using another mechanism such as FTP.
|