Hi all,
check your IIS-logfiles, if the requests didn`t got a response --> http-404, you don`t
have to worry.
best practice --> http://www.analog.cx/
-----Ursprüngliche Nachricht-----
Von: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
Gesendet: Do 17.01.2002 17:40
An: 'Mike Burden'; [EMAIL PROTECTED]
Cc:
Betreff: AW: [gb-users] Not Gnatbox but security related
Mike and everyone else: Thanks a lot for the quick replies!
This is really worrying!
I couldn't find root.exe on any of our machines, but what about the attempts
to run cmd.exe on our server?
We have IIS 5 with the latest patches.
Thanks for any comforting....
Marc
Suxdorf Studios für Design
Milchstrasse 6b
D-20148 Hamburg
Tel +49 (40) 41345-100
Fax +49 (40) 41345-101
Email [EMAIL PROTECTED]
-----Ursprüngliche Nachricht-----
Von: Mike Burden [mailto:[EMAIL PROTECTED]]
Gesendet: Donnerstag, 17. Januar 2002 17:18
An: [EMAIL PROTECTED]
Betreff: RE: [gb-users] Not Gnatbox but security related
Looks like either a hack attempt or one of the
"worms" that propogate through IIS vulnerabilities.
Use "Find Files" to look for "root.exe" on your
server. If you find it, you've been hacked or
infected.
Best option:
Move to a webserver that doesn't have quite so
many security flaws
If you HAVE to stick with IIS:
- Reformat the machine, reload the OS
- Upgrade IIS to version 5 or later
- Apply the latest cumulative patch and any
patches after it from:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
ity/current.asp?productid=17&servicepackid=0&submit1=go
- Follow Microsoft's checklist for IIS 5:
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodt
echnol/iis/tips/iis5chk.asp
(click on "IIS 5 Security Considerations" at the top
of the right side pane)
Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]
> -----Original Message-----
> From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 17, 2002 11:09 AM
> To: [EMAIL PROTECTED]
> Subject: [gb-users] Not Gnatbox but security related
>
>
> Hi everyone
>
> I have to administer our small company network in my spare time which
> hopefully explains my little security knowledge...
> I have just come across a scary entry in our Windows 2000
> Server Internet
> Information Services 5.0 log:
>
> 2002-01-17 10:52:31 62.161.107.167 - 10.10.1.1 80 GET
> /scripts/root.exe
> /c+dir 403 www -
> 2002-01-17 10:52:46 62.161.107.167 - 10.10.1.1 80 GET
> /MSADC/root.exe /c+dir
> 403 www -
> 2002-01-17 10:52:54 62.161.107.167 - 10.10.1.1 80 GET
> /c/winnt/system32/cmd.exe /c+dir 403 www -
> 2002-01-17 10:53:03 62.161.107.167 - 10.10.1.1 80 GET
> /d/winnt/system32/cmd.exe /c+dir 403 www -
> 2002-01-17 10:53:18 62.161.107.167 - 10.10.1.1 80 GET
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 403 www -
>
> Is someone currently executing terrible things on our server?
>
> I would be very greatfull for any quick help and/or explanation!
>
> Thanks a lot and best wishes to everyone
>
> Marc
>
> Suxdorf Studios für Design
> Milchstrasse 6b
> D-20148 Hamburg
> Tel +49 (40) 41345-100
> Fax +49 (40) 41345-101
> Email [EMAIL PROTECTED]
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> To subscribe to the digest version first unsubscribe, then
> e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
To subscribe to the digest version first unsubscribe, then
e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
To subscribe to the digest version first unsubscribe, then
e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
