
Back in the good old days of the early(er) internet, back when you could do a port search on 21 to find random machines with anonymous FTP access, a lot of the machines you'd find were inevitably Windows machines.

A 'trick' used by the file-sharing community in order to hide their files on these anonymous FTP servers was to create some nested directories with these kinds of keywords. The FTP server allowed you to create the directories as well as access them (if you knew the full path) but on Windows they would just cause errors or crashes if someone tried to access them. Combine that with the ability of creating directories with just spaces as names and you could hide quite a bit of stuff from the unsuspecting FTP server administrator.




In my high school’s Windows For Workgroups 3.11 lab, we used to hide local installs of Doom, Descent, and other DOS games under a folder named the character Alt+255 (which looks like a space in DOS and was invisible to Windows Explorer).

The lab admin had disabled Ctrl+C and Ctrl+Break to keep folks from breaking out of the DOS-based login prompt to a C:\ prompt, but I somehow figured out that Alt+3 passed an equivalent character and had the same effect.

I once got yelled at for being “in the lab too much” by one of the teachers, but I never got in any trouble. I suspect the lab admin (a kind older programming and math teacher) knew what we were up to.


In the early 90s in middle school (6-8th grade) we had access to a Macintosh lab - the original Macs - and they were all networked and relatively locked down. What they didn't do however, was lock down access to shared network drives. In the lab we had a limited number of games on 3.5" floppy disks and if you didn't get there early enough, no games for you. In one of the classes held in the lab we were instructed as to how to save our work to the network instead of a floppy. This was in the heyday of HyperCard and so that's what was usually stored by students on network drives. When my father showed me how to copy data from a disk to a drive at home, I connected the dots. I went into the lab after school one day and copied all of the games I liked playing, somewhere in the neighborhood of 50, from disk to the network. At 13 years old, I thought I was slick. No more waiting for games. I enjoyed this advantage for about a week, until I was called into the Principal's office and had a talking to by the network admin and the lab teacher. I had absolutely no concept of storage size, and at ~60 MB I had taken up a considerable amount of storage on the network at the time.


Did something similar in the late 90’s / early aughts.

Figured out the default password scheme for teachers.

Found several teacher accounts that didn’t change their default password.

Teacher accounts could write to network drives when students couldn’t.

Put games like it, quake 2 and c&c ra2 on the network.

Lasted about six months.

A student I had confided in ratted me out.

I was no longer permitted to touch another school computer.

I failed every class that required me to use a school computer.

Despite the fact I brought my own laptop to school, they wouldn’t let me use it.

Formal education and I never got along after that.


That's ridiculous, maybe I'm over-involved with my kids but I'd think your parents would go to bat for you in that one. The school making you fail other classes over that is unacceptable.


There's a reason why "The Mentor"'s Hacker Manifesto has disdain for schools. I've had similar things happen at high school. Still, anecdote.

Unless your parents can and will sue, the public schools (SPIT) will do as they choose.


They tried. I wasn't exactly a stellar student anyway. We switched me to another school district to finish out high school.

I'm convinced that I would have had a more useful education if I had dropped out, moved to Silicon Valley, and lived out of a van working for minimum wage at a startup than if I had finished high school.


I had a similar ban from using my high school's computing equipment for an even tamer reason - sending messages to my friend in the same classroom using "net_send", which the school claimed DDOS'd their network and blew it out of proportion like I was some hardcore out of control hacker.


I was given 20 hours of "community service" (school punishment, total joke) in middle school after discovering the messaging feature in Novell (the admin didn't disable it).

For a couple weeks the school was absolutely convinced my friend and I were responsible for taking a few computer labs in the district offline and claimed we created a virus.


I suspect we both had the same frustrating conversation with our head teacher :-)


I was suspended for three days in a separate incident at another school system I started going to the following year for using Winpopup to send messages.


We had a mac lab in late 90s/early 2000s and they didn't lock down shared network drives either. A friend and I discovered this one day and we were looking around on the network and found that we could access teacher's gradebooks lol. We also weren't allowed to install games, but found a way around that by scheduling a task to run the installer a minute in the future.


I had a similar experience but amongst other things I got everyone's passwords and figured out how to bypass / control this weird bookshelf launcher whose name escapes me now. The head computer teacher found out but didn't make a big deal about it. Instead, me and a friend ended up getting hired by the school for our last year and got an office with a coffee machine since we were easier to deal with than the school board's IT.


I wonder if you're talking about the launcher for managed classic Mac workgroups, At Ease. I have an almost identical experience to you, including the coffee machine (though more of a closet than an office).


All it took to get around At Ease was to hit the interrupt or programmers key (which on newer Macs was cmd + the power button on the keyboard). That brought up the micro debugger, and you just had to type "G FINDER" and it'd dump you right out to the Finder.

Eventually our folks replaced At Ease with some other app, (Cyber something, control something? no idea) but they set up a hotkey to disable it which was nothing less than shift + K. That didn't last long at all, with Karla, Kyle, Keith, and Katie getting incredibly frustrated just trying to type their name.


I remember on Deep Freeze for Windows, I was able to find the password in plaintext by searching win386.swp for the deepfreeze copyright string.


I had that as well. It was some IBM product... We figured out that open file dialogs on, well, everything still let you start Windows Explorer. From there you could get a DOS prompt and do stuff.

It was used for broodwar mostly, this was around 1998


Yup it was IBM something and the same era.


Was this IBM School Vista by any chance? The login screen was a school entrance with yellow buses, the main screen was a student desk in a classroom, and the application launcher was a bookshelf in the classroom. One of my friends and I also had a fun time finding ways to break out of the locked-down shell into Windows Explorer -- as well as making interactive parodies of the classroom UI using PowerPoint and HyperStudio.


My friends & I used to play Netrek in the Mac lab, which was against the rules. When the lab assistant would walk into the lab, we'd all hit the reboot button. Hearing ~10 simultaneous ding noises was pretty hilarious. He knew what we were doing, but never caught us in the act, and I suspect he found it more amusing than not.


Around my branch of the University of California it was Marathon. When the lab got Power Mac 7100s, it was full at all hours with people playing, which made it impossible to get any actual coursework done.


He knew what you were doing, he was just letting you have some fun. If you work in IT now, he probably helped push you in the right direction.


You could also put ANSI codes in filenames, to set black text on black background for fun.


Back around the turn of the millennium, this was a great way of getting the latest releases of all sorts of warez groups. Put a machine on a public network somewhere, install ftp server, 'forget' to disable anon access to /pub, watch crappy cams of the matrix in your dorm room before anyone else. And if anyone came knocking about the bandwidth use - duh silly me, those hackers had me fooled again...

The only thing was that you had to access your own machines with an ftp client because of path tricks like this. (Or get a Linux box, and cross your fingers nobody would find yet another wuftpd buffer overflow)


> cross your fingers nobody would find yet another wuftpd buffer overflow

wuftp was responsible for the popularization of format-string attacks, which were magical at the time.

We all knew about buffer-overflows, and when it was explained format-string attacks were obvious, but it was the first time I'd seen a genuinely new class of software attacks.

Happy memories!


Currently, there are ~700,000 FTP servers that allow anonymous access and around 12% of them are running Microsoft FTP:

https://www.shodan.io/report/oZpN8rpp


And the rest are Linux boxes.


Do they allow write access, though?


I also remember people hacking IIS, SQL Server, WebDAV or exploiting one of the hundreds of RPC/DCOM/LSASS vulnerabilities in Windows, the servers were then used to start private FTP servers used to share warez. At least that was something the FXP community did, the FTP servers were then filled very quickly from other FTP servers (hence the name FXP, File eXchange Protocol). Thinking back to it, it was quite astonishing how horrific Windows security was, to think that people (to this day even) are seriously considering Windows a viable server operating system still makes me laugh.


Windows security has improved a lot in the last ten years.


> exploiting one of the hundreds of RPC/DCOM/LSASS vulnerabilities in Windows

And then Microsoft got tired of it, and (IIRC starting with Windows XP SP2) locked it down. Now if you have a legitimate need to use DCOM (for instance, OPC-DA), you have to jump through a series of hoops.


OPC-DA is the worst. Fortunately at least a few vendors are pushing OPC-UA (no DCOM!), but the whole industry moves like molasses.


I recently discovered the wild world of OPC and its variants and the huge community of paid middleware around it. Sure goes deep. Wrote something to pull OPC stuff into InfluxDB and then moved on with my life not having to worry about... or remember how DCOM works again. Hopefully...!


I'd forgotten all about interop with DCOM until just now! Several years ago (when I last had to do it) I recall having to horribly mess with services on my local machine just to get anything to appear to work...let alone actually knowing if it did what I wanted (consistently) and then how to get that to work at a customer site (we were told to document it and throw it over the wall to support...)


See chapter 4 of this PDF for an idea of the amount of settings you need to change to make it work: https://www.kepware.com/getattachment/04042e47-c690-467c-a93...


It all seems like a fuzzy memory now. My exposure to warez started with BBS then migrated to IRC/FTP. As a teenager during this time I remember how many enterprise networks were easily compromised. Seeing this from the outside, I just figured that security wasn’t important to them — or they didn’t know how to manage their security.

I wonder if that was really the case in the early internet at an enterprise level. Did security take a backseat to functionality?


From first hand experience, it still does.


How did the Windows ftp create the files with protected names?

Shouldn't it have crashed, like the blue screen-causing <img src="C:/con/con">


As far as I know you can bypass that with a \\?\ prefix in the path. This tells the API that your path is a full NT file path, similarly the devices are mapped into \\.\ . Of course many tools on windows were not aware of that, so anyone trying to delete "C:/con/con" would run into the issue that they needed a tool which would delete "\\?\C:\con\con" instead.


To be honest, I don't know. This is nearly 20 years ago now.

I assume the FTP server created the directories using a different file-system API call than Windows Explorer.

Here's a post by someone who found one of these directory structures on his FTP server back in 2003: http://www.informit.com/articles/article.aspx?p=31278


My guess is that there's 2 APIs to access files, a user mode API and a kernel mode API, and this special casing is only available in the user mode one. If the FTP server uses the kernel API it bypasses the special case file handling.


The guy forgot to try to log into the ftp server itself to delete the files. After all, if the ftpd program used the correct APIs to create the directories and files, it would probably also use the right ones to delete them.


Judging by how the article was written, that probably wouldn't have helped him. You couldn't delete these directories directly, but rather had to delete the nested "unnamed" directory: "/path/to/COM1/ /", which is also how you would create the directories in the first place. Usually, the tag-directory would also go along with a list of directories explaining that you should not create "undeletable" directories on NT-based servers, as that would annoy the admin and might cause them to remove anonymous access. You were only supposed to create large mazes of directories to prevent other random anonymous users from finding and deleting your files.
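An added example (not part of the thread or any poster's code): a Python audit an FTP server administrator could run over a directory listing to flag the path components discussed above, namely reserved device names such as COM1, names made only of spaces or the Alt+255 character (U+00A0), and trailing dots or spaces, together with the `\\?\`-prefixed form a cleanup tool would need. The sample listing and all function names are constructed for illustration.

```python
import re

# Win32 reserved DOS device names; matched case-insensitively, with or without an extension.
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.IGNORECASE)
# Characters that render as blank: space, tab, and U+00A0 (what Alt+255 yields in code page 437).
BLANK = " \t\u00a0"


def component_issues(name):
    """Return the reasons one path component is awkward for ordinary Win32 tools."""
    issues = []
    if name and not name.strip(BLANK):
        issues.append("blank-name")
    elif name.endswith((" ", ".")):
        issues.append("trailing-space-or-dot")
    # Win32 path normalization drops trailing dots/spaces before the device-name check.
    if RESERVED.match(name.rstrip(" .")):
        issues.append("reserved-device-name")
    return issues


def audit(paths):
    """Map each flagged absolute path to (issues, extended-length path for cleanup)."""
    report = {}
    for raw in paths:
        _drive, *components = raw.split("\\")
        found = sorted({issue for c in components for issue in component_issues(c)})
        if found:
            # The \\?\ prefix tells the API to skip Win32 normalization of the path.
            report[raw] = (found, "\\\\?\\" + raw)
    return report


# Constructed sample listing (hypothetical FTP root C:\ftp\pub).
SAMPLE = [
    r"C:\ftp\pub\readme.txt",
    r"C:\ftp\pub\COM1\ \tagged",
    "C:\\ftp\\pub\\\u00a0\\doom",
    r"C:\ftp\pub\console\notes.",
]

if __name__ == "__main__":
    for path, (issues, extended) in audit(SAMPLE).items():
        print(f"{path!r}: {', '.join(issues)} -> {extended!r}")
```

On a Windows host the input list can be gathered with `os.walk` over a root that is itself written with the `\\?\` prefix, so the names reach the script without normalization.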


There has always been a discrepancy in capability between win32 file-related APIs and GUI tools. Even in Windows 10, it is possible to use the APIs (as simply as through, say, git bash) to create files and directories inaccessible (even for deletion) to Explorer.


Since the special filenames were handled at the OS level, any crash would have required the OS to mount the FTP directories. I don't think Windows' FTP program ever mounted anything, meaning the directories were handled by the program and not by the OS. When you copied anything to your local Windows machine, the file would automatically be copied to a directory with a safe name rather than mimicking the directory hierarchy from the remote server.


>>Back in the good old days of the early(er) internet, back when you could do a port search on 21 to find random machines with anonymous FTP access

Man, I remember doing this to find video game executables. Good times.


Memories of fxp


Ironically, I downloaded my first copy of Windows 95 from one of these FTP sites.


This was a common exploit during the heyday of the FXP scene.


Nowadays you can do the same with random S3 buckets of various companies (:



