Fixing a T@gged Server

James R. Twine discovered the problem in the most unpleasant way, but the discovery led to a solution, which is now available as shareware or enterprise software.

by Alex Goldman
ISP-Planet Associate Editor
[November 13, 2003]

Sometimes the toys you tinker with as a kid turn out to be the keys to lucrative employment. That's certainly the case for James R. Twine, who remembers writing "real programs" at 10 years of age (after a period of self-teaching that began at age 8). He wrote in BASIC on a Radio Shack TRS-80 computer, which at the time was state of the art, with several kilobytes of RAM and a chip that ran at a few MHz.

Twine, now 30, has a website and a small software business. He's been a consultant, but recently accepted a desk job at a corporation. No more trips to Taiwan for Twine. With the economy turning up, you'd think this would not be the time to go from consultant to employee—but Twine is looking forward to the change.

Twine contacted us in reference to a Best of the ISP-Lists story, I've Been Tagged. The story describes a method for taking over a piece of a Windows server that is open to the Internet. Hackers create a directory on the drive whose name has characters that confuse the Windows operating system.

If you try to delete the directory or files in the normal manner, the OS will tell you you're trying to delete a file that cannot exist because its file name is illegal. You have to work against the OS to delete the hackers' files.

There are many of these files on the Internet. To get a glimpse of the size of the problem, just do a search for the word "t@gged" with a popular file name (such as "matrix") and you'll find many of them, each one holding movies, video games, and music videos.

The point to remember here is that this illegal traffic can gobble up a lot of bandwidth. If a hacker put these files on your server, you want to get rid of them. Twine has produced a piece of software to make deleting them easier.

He says he became interested in the problem by accident. He was testing an unrelated piece of software on a friend's server. He had the friend open FTP access, and it was tagged in less than a week.

Deleting the files is time-consuming and frustrating. Sometimes, after working against the OS to delete the files, you have to reboot it frequently. In any case, Twine says that the process requires using several different methods.

To avoid this time-consuming process, he wrote software that goes directly into the OS. He calls it Delete FXP Files because the people who tag servers call themselves FXP groups.

A post to an Internet discussion board explains:

fxp = File eXchange Protocol it's sending files from one ftp to the other, because usually it's a lot faster than upping it manual, with your own connection. It can be used also to make a server send files to another server (hint hint).

Twine makes a Shareware version of the software that allows users to delete individual files. But most users who get tagged will want to do more.

Premium features
The premium recursive delete feature allows users to delete entire directories or file trees without having to delete each file individually. If you have to save tagged servers often, you will want this feature because it will save you a great deal of time. On the other hand, if this is your first experience with the problem, it's nice to know you can download a free program to solve the problem.

A feature called "Shell Extension" allows Windows users to right-click on a bad file to delete it. Users of WinZip or of any of several popular anti-virus products will be familiar with this feature.

The enterprise edition features a whitelist and blacklist. Twine says, "if someone keeps adding a directory with the name 'johnbaptist' you can blacklist it, telling the software to show that directory automatically as suspect. On the other hand, if you have a legitimate directory with a name that keeps showing up as suspect, you can whitelist it so that directory stops appearing in searches for tagged files."

The software ships with a blacklist of known taggers, and Twine is also building a list of frequently used file names in tagged directories. For example, Serv-U is the name of a popular file server often used by the FXP crowd, and the software will flag any directory or file with that name.
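
A name screen of the kind described above, as an added example (not code from Delete FXP Files): it flags path components that break the documented Win32 naming rules and applies a blacklist and whitelist. The article does not say which characters taggers use, so the rule set, the substring matching and the sample listing are assumptions of this sketch.

```python
import re

# Documented Win32 naming restrictions (reserved device names, forbidden chars).
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)),
            *(f"LPT{i}" for i in range(1, 10))}
ILLEGAL_CHARS = re.compile(r'[<>:"|?*\x00-\x1f]')

# Blacklist names come from the article; the whitelist entry is constructed.
BLACKLIST = {"johnbaptist", "serv-u"}
WHITELIST = {"serv-u-docs"}


def component_findings(name):
    """Return the reasons a single path component looks suspect."""
    if name.lower() in WHITELIST:
        return []                      # operator has vouched for this name
    reasons = []
    if name != name.rstrip(" ."):
        reasons.append("trailing space or dot")
    # "NUL.txt" is as reserved as "NUL": compare the part before the first dot.
    if name.split(".", 1)[0].rstrip(" ").upper() in RESERVED:
        reasons.append("reserved device name")
    if ILLEGAL_CHARS.search(name):
        reasons.append("illegal character")
    # Substring match is an assumption; it is why the whitelist is needed.
    if any(term in name.lower() for term in BLACKLIST):
        reasons.append("blacklisted name")
    return reasons


def scan(paths):
    """Map each suspect path to {component: reasons}; clean paths are omitted."""
    report = {}
    for path in paths:
        parts = [p for p in re.split(r"[\\/]", path) if p]
        hits = {p: r for p in parts
                if not re.fullmatch(r"[A-Za-z]:", p)   # skip the drive letter
                and (r := component_findings(p))}
        if hits:
            report[path] = hits
    return report


# Constructed listing of an FTP root, for illustration only.
SAMPLE = [
    r"D:\ftproot\pub\incoming\readme.txt",
    r"D:\ftproot\pub\lpt1\johnbaptist\file.bin",
    r"D:\ftproot\pub\temp. \x.dat",
    r"D:\ftproot\docs\serv-u-docs\manual.pdf",
    r"D:\ftproot\tools\Serv-U\setup.exe",
]
```

Run `scan()` over a listing captured from the raw file system (for example an NTFS enumeration exported to text), since ordinary Win32 tools may refuse to open or display the names it is looking for.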

Pricing and availability
The Enterprise Edition, for an unlimited number of copies on a single physical site (i.e., your data center, but not the home and business computers of all of your customers) costs $2,500. It includes all of the features mentioned in this article. The Shareware Edition is free, the Personal Edition costs $35, the Professional Edition costs $200, and the Server Edition costs $300. They have some but not all of the features of the Enterprise Edition. For details, see the website.

The product is available now and can be downloaded immediately or purchased on a CD which is mailed to you.

—End

Related articles:
  [Sept. 25, 2001] Physical Security Augments Logical Security
  [July 20, 2001] Sniffing Out Packet Sniffers
  [April 6, 2000] To Catch a Hacker

 

 
