If you didn't find ROOT.EXE on your system, then it's likely that the logfile activity you saw is from an unsuccessful hack/infection attempt.
If you've got a Linux system on your network, you might want to download and install SARA from www-arc.com (Note that there is a "-" between the "www" and "arc", not a "."!) You can use this program to scan your webserver to make sure that most of the well known problems are patched. It's not 100%, but it's a lot better than nothing! There are also similar programs available that run on other Operating Systems, but I have less experience with them.

Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]

> -----Original Message-----
> From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 17, 2002 11:41 AM
> To: Mike Burden; [EMAIL PROTECTED]
> Subject: AW: [gb-users] Not Gnatbox but security related
>
> Mike and everyone else: Thanks a lot for the quick replies!
>
> This is really worrying!
> I couldn't find root.exe on any of our machines, but what about the attempts
> to run cmd.exe on our server?
>
> We have IIS 5 with the latest patches.
>
> Thanks for any comforting....
>
> Marc
>
> Suxdorf Studios für Design
> Milchstrasse 6b
> D-20148 Hamburg
> Tel +49 (40) 41345-100
> Fax +49 (40) 41345-101
> Email [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Mike Burden [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 17 January 2002 17:18
> To: [EMAIL PROTECTED]
> Subject: RE: [gb-users] Not Gnatbox but security related
>
> Looks like either a hack attempt or one of the "worms" that propagate
> through IIS vulnerabilities.
>
> Use "Find Files" to look for "root.exe" on your server. If you find it,
> you've been hacked or infected.
>
> Best option:
> Move to a webserver that doesn't have quite so many security flaws
>
> If you HAVE to stick with IIS:
> - Reformat the machine, reload the OS
> - Upgrade IIS to version 5 or later
> - Apply the latest cumulative patch and any patches after it from:
>   http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp?productid=17&servicepackid=0&submit1=go
> - Follow Microsoft's checklist for IIS 5:
>   http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/iis/tips/iis5chk.asp
>   (click on "IIS 5 Security Considerations" at the top of the right side pane)
>
> Mike Burden
> Lynk Systems
> http://www.lynk.com
> (616)532-4985
> [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 17, 2002 11:09 AM
> > To: [EMAIL PROTECTED]
> > Subject: [gb-users] Not Gnatbox but security related
> >
> > Hi everyone
> >
> > I have to administer our small company network in my spare time which
> > hopefully explains my little security knowledge...
> > I have just come across a scary entry in our Windows 2000 Server Internet
> > Information Services 5.0 log:
> >
> > 2002-01-17 10:52:31 62.161.107.167 - 10.10.1.1 80 GET /scripts/root.exe /c+dir 403 www -
> > 2002-01-17 10:52:46 62.161.107.167 - 10.10.1.1 80 GET /MSADC/root.exe /c+dir 403 www -
> > 2002-01-17 10:52:54 62.161.107.167 - 10.10.1.1 80 GET /c/winnt/system32/cmd.exe /c+dir 403 www -
> > 2002-01-17 10:53:03 62.161.107.167 - 10.10.1.1 80 GET /d/winnt/system32/cmd.exe /c+dir 403 www -
> > 2002-01-17 10:53:18 62.161.107.167 - 10.10.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 403 www -
> >
> > Is someone currently executing terrible things on our server?
> >
> > I would be very grateful for any quick help and/or explanation!
> >
> > Thanks a lot and best wishes to everyone
> >
> > Marc
> >
> > Suxdorf Studios für Design
> > Milchstrasse 6b
> > D-20148 Hamburg
> > Tel +49 (40) 41345-100
> > Fax +49 (40) 41345-101
> > Email [EMAIL PROTECTED]
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > To subscribe to the digest version first unsubscribe, then
> > e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
