That would be why I told him to look for the ROOT.EXE file. If he has it, he's infected. If not, he isn't.

Add up the number of security bulletins for IIS under Windows for any period of a month or more, and compare that to the number of bulletins in the same period for Apache under OpenBSD. To their credit, MS has actually decided to respond to security bulletins lately. Too bad they didn't start doing that years ago.

Didn't we cover the infected vs not infected issue yesterday?

Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]

> -----Original Message-----
> From: Chris Green [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 18, 2002 8:33 AM
> To: Mike Burden; [EMAIL PROTECTED]
> Subject: RE: [gb-users] Not Gnatbox but security related
>
> Just because those are in the log does not mean it is
> infected. And I would never tell a customer to switch to
> another product for the reasons you have stated. EVERY
> platform has MAJOR security flaws. No server that I have
> ever managed has been infected by any of these worms or exploits.
>
> Chris Green
>
> -----Original Message-----
> From: Mike Burden [mailto:[EMAIL PROTECTED]]
> Sent: Thu 1/17/2002 10:17 AM
> To: [EMAIL PROTECTED]
> Cc:
> Subject: RE: [gb-users] Not Gnatbox but security related
>
> Looks like either a hack attempt or one of the
> "worms" that propagate through IIS vulnerabilities.
>
> Use "Find Files" to look for "root.exe" on your
> server. If you find it, you've been hacked or
> infected.
>
> Best option:
> Move to a webserver that doesn't have quite so
> many security flaws
>
> If you HAVE to stick with IIS:
> - Reformat the machine, reload the OS
> - Upgrade IIS to version 5 or later
> - Apply the latest cumulative patch and any
>   patches after it from:
>   http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp?productid=17&servicepackid=0&submit1=go
> - Follow Microsoft's checklist for IIS 5:
>   http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/iis/tips/iis5chk.asp
>   (click on "IIS 5 Security Considerations" at the top
>   of the right side pane)
>
> Mike Burden
> Lynk Systems
> http://www.lynk.com
> (616)532-4985
> [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 17, 2002 11:09 AM
> > To: [EMAIL PROTECTED]
> > Subject: [gb-users] Not Gnatbox but security related
> >
> > Hi everyone
> >
> > I have to administer our small company network in my spare time which
> > hopefully explains my little security knowledge...
> > I have just come across a scary entry in our Windows 2000 Server Internet
> > Information Services 5.0 log:
> >
> > 2002-01-17 10:52:31 62.161.107.167 - 10.10.1.1 80 GET /scripts/root.exe /c+dir 403 www -
> > 2002-01-17 10:52:46 62.161.107.167 - 10.10.1.1 80 GET /MSADC/root.exe /c+dir 403 www -
> > 2002-01-17 10:52:54 62.161.107.167 - 10.10.1.1 80 GET /c/winnt/system32/cmd.exe /c+dir 403 www -
> > 2002-01-17 10:53:03 62.161.107.167 - 10.10.1.1 80 GET /d/winnt/system32/cmd.exe /c+dir 403 www -
> > 2002-01-17 10:53:18 62.161.107.167 - 10.10.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 403 www -
> >
> > Is someone currently executing terrible things on our server?
> >
> > I would be very grateful for any quick help and/or explanation!
> >
> > Thanks a lot and best wishes to everyone
> >
> > Marc
> >
> > Suxdorf Studios für Design
> > Milchstrasse 6b
> > D-20148 Hamburg
> > Tel +49 (40) 41345-100
> > Fax +49 (40) 41345-101
> > Email [EMAIL PROTECTED]
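
Added example, not part of the original thread: a small triage script that separates refused probes for root.exe/cmd.exe (the 403 lines quoted above) from requests the server actually served, which are the ones that warrant the root.exe file search. The field positions are assumed from the log lines quoted in the thread; the sample lines and the function names `classify` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines, in the field order of the log quoted in the thread
# (assumed: client IP at index 2, URI stem at index 7, HTTP status at index 9).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
2002-01-17 10:52:31 192.0.2.10 - 10.10.1.1 80 GET /scripts/root.exe /c+dir 403 www -
2002-01-17 10:53:18 192.0.2.10 - 10.10.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 403 www -
2002-01-17 10:54:02 192.0.2.10 - 10.10.1.1 80 GET /index.htm - 200 www -
2002-01-17 10:55:40 192.0.2.77 - 10.10.1.1 80 GET /scripts/root.exe /c+dir 200 www -
"""

# Request path ends in root.exe or cmd.exe, after either kind of slash.
PROBE = re.compile(r"(?:^|[\\/])(?:root|cmd)\.exe$", re.IGNORECASE)

# First digit of the status code decides the verdict.
VERDICTS = {"2": "served", "4": "refused", "5": "refused"}


def classify(line):
    """Return (client_ip, decoded_stem, verdict) for a probe line, else None."""
    if line.startswith("#"):          # W3C header/directive lines
        return None
    fields = line.split()
    if len(fields) < 10 or not fields[9].isdigit():
        return None
    client, status = fields[2], fields[9]
    stem = unquote(fields[7])         # %5c -> backslash, so encoded paths match
    if not PROBE.search(stem):
        return None
    return client, stem, VERDICTS.get(status[0], "other")


def scan(text):
    """Classify every line of a log and keep only the probe hits."""
    return [hit for hit in map(classify, text.splitlines()) if hit]


if __name__ == "__main__":
    for client, stem, verdict in scan(SAMPLE_LOG):
        note = "check the host for root.exe" if verdict == "served" else "probe only"
        print(f"{client:15} {verdict:8} {stem}  ({note})")
```

A "refused" verdict only says this request was rejected; it does not show the host is clean, so the file search suggested in the thread still applies.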
