Jeff,

> how did the cmd file get there in the first place, and
> how was it executed?

Did you happen to check your IIS logs? I've looked again, and there isn't anyplace in your post where you mention doing this? It's kind of late now, but if I were you, I would have preserved the MAC times on the CMD file, and then compared that to the IIS logs of about the same date.

> b) i think that the iis priv escalation vuln is what
> allows the iiscrack.dll/httpodbc.dll backdoor to do
> its stuff (control the pc) but is that vuln also the
> hole that allowed the hacker to get that cmd file on
> there, which in turn started the ftp session? I am
> definitely missing something here!

Maybe just your IIS logs.

Regarding your anti-virus question...who knows? You really haven't provided complete information in your post, and any answers you receive will most likely be speculation.

I'd suggest to you that some training might be appropriate:
http://www.megamind.org/TRAIN/forwin2000.html

If the dates and locations of the listed training aren't convenient, let me know.

HTH
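The comparison suggested in the message above (a file's MAC times against IIS log entries from about the same time), as an added example that is not part of the original post. It assumes the log is in W3C Extended format with UTC timestamps; the log lines, file times, addresses, paths and function names are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in W3C Extended format (IIS writes these times in UTC).
SAMPLE_LOG = """\
#Version: 1.0
#Date: 2002-01-15 00:00:07
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-01-15 09:12:03 192.0.2.10 GET /default.htm 200
2002-01-15 14:31:55 198.51.100.7 GET /scripts/example.dll 200
2002-01-15 14:32:10 198.51.100.7 GET /scripts/example.dll 200
2002-01-15 14:40:02 192.0.2.44 GET /images/logo.gif 304
2002-01-15 18:05:47 192.0.2.10 GET /default.htm 200
"""

# Constructed MAC times for the suspect file, recorded in local time (UTC-5 here).
LOCAL = timezone(timedelta(hours=-5))
FILE_TIMES = {
    "modified": datetime(2002, 1, 15, 9, 32, 4, tzinfo=LOCAL),
    "accessed": datetime(2002, 1, 15, 9, 32, 30, tzinfo=LOCAL),
    "created": datetime(2002, 1, 15, 9, 32, 4, tzinfo=LOCAL),
}

def parse_w3c(text):
    """Return log records as dicts, using the #Fields directive for column names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the directive may reappear mid-file
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["when"] = datetime.strptime(
                rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"
            ).replace(tzinfo=timezone.utc)
            records.append(rec)
    return records

def hits_near(records, file_times, window=timedelta(minutes=5)):
    """Pair each log record with the file timestamps it falls within `window` of."""
    out = []
    for rec in records:
        near = sorted(k for k, t in file_times.items() if abs(rec["when"] - t) <= window)
        if near:
            out.append((rec, near))
    return out

if __name__ == "__main__":
    for rec, near in hits_near(parse_w3c(SAMPLE_LOG), FILE_TIMES):
        print(rec["when"].isoformat(), rec["c-ip"], rec["cs-uri-stem"], near)
```

Both sides are normalised to UTC before comparing; matching the 09:32 local file times against the log without that conversion would line them up with the wrong requests.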
