Jeepaholic
Average Member
USA
697 Posts
Posted - 19 July 2001 : 20:00:51
Two things to look for:
* Search the CONTENT of your web roots for "www.worm.com" or some other content that's shown in the link above.
* Search your hard drives for a file called "root.exe" (will probably show up in your InetPub directory)
If you have either of them, you've got it. Our team is working on a procedure to remove it. I'll keep y'all posted as to what they come up with.
Al Bsharah Jeepaholics Anonymous
Edited by - Jeepaholic on 19 July 2001 20:03:28
@tomic
Senior Member
USA
1790 Posts
Posted - 19 July 2001 : 20:31:53
This explains why all those ida requests were coming in on my server since yesterday. At the time I checked it out and was greatly relieved to see that it had been taken care of.
However, my site and the site of my webhost have been unreachable all day.
@tomic
Edited by - @tomic on 19 July 2001 20:40:05
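Jeepaholic's two checks (the "www.worm.com" text in web content and a stray root.exe) and @tomic's note about the flood of .ida requests, as an added example that is not code from any poster in this thread: a Python script that walks a web root for both indicators and flags .ida/.idq requests in IIS W3C log lines. The sample files and log lines in demo() are constructed for the demonstration.

```python
"""Check an IIS web root and its W3C logs for the indicators named in this thread."""
import tempfile
from pathlib import Path

CONTENT_MARKER = b"www.worm.com"   # defacement text to look for in page content
DROPPED_FILE = "root.exe"          # file the posters found under InetPub\scripts
TEXT_SUFFIXES = {".htm", ".html", ".asp", ".txt"}

def scan_web_root(root):
    """Walk a web root; return (pages containing the marker, copies of root.exe)."""
    marker_hits, dropped = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() == DROPPED_FILE:
            dropped.append(str(path))
        elif path.suffix.lower() in TEXT_SUFFIXES:
            if CONTENT_MARKER in path.read_bytes().lower():
                marker_hits.append(str(path))
    return sorted(marker_hits), sorted(dropped)

def find_ida_requests(log_lines):
    """Return (client ip, uri-stem) for requests that hit the .ida/.idq mappings.

    Assumes the W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    """
    hits = []
    for line in log_lines:
        if line.startswith("#"):      # W3C header lines (#Software, #Fields, ...)
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        client_ip, stem = fields[2], fields[4]
        if stem.lower().endswith((".ida", ".idq")):
            hits.append((client_ip, stem))
    return hits

def demo():
    """Constructed web root and log lines (not data from the thread)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "scripts").mkdir()
    (tmp / "scripts" / "root.exe").write_bytes(b"MZ")   # constructed stand-in
    (tmp / "wwwroot").mkdir()
    (tmp / "wwwroot" / "default.htm").write_text("Welcome to www.worm.com !")
    (tmp / "wwwroot" / "about.htm").write_text("Nothing to see here")
    logs = [
        "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
        "2001-07-19 20:00:51 203.0.113.7 GET /default.ida NNNNNNNNNNNNNNNN%u9090 200",
        "2001-07-19 20:00:52 198.51.100.4 GET /index.htm - 200",
    ]
    return scan_web_root(tmp), find_ida_requests(logs)
```

Point scan_web_root at each IIS root (and, as Id notes later in the thread, at the drive roots too) and feed find_ida_requests the lines of the W3C log files; any hit means the box needs the patch and cleanup discussed below.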
MikeBernardo
Starting Member
Canada
33 Posts
Posted - 19 July 2001 : 22:46:30
I found "root.exe" in my C:\InetPub\scripts folder. WHAT DO I DO? Does this explain why inetinfo.exe mysteriously dies? I started noticing this today.
quote:
Two things to look for:
* Search the CONTENT of your web roots for "www.worm.com" or some other content that's shown in the link above.
* Search your hard drives for a file called "root.exe" (will probably show up in your InetPub directory)
If you have either of them, you've got it. Our team is working on a procedure to remove it. I'll keep y'all posted as to what they come up with.
Al Bsharah Jeepaholics Anonymous
Edited by - Jeepaholic on 19 July 2001 20:03:28
sr_erick
Senior Member
USA
1318 Posts
Posted - 20 July 2001 : 01:24:56
That sounds like the same guys that hacked MSN!
__________________________________
Snowmobile Fanatics
KXS
New Member
Canada
66 Posts
Posted - 20 July 2001 : 03:08:13
Same here, I just found the root.exe in inetpub\scripts. I also noticed that my sites would all of a sudden die for no particular reason....
Has anyone seen the index files being changed to: "**** usa government, **** PoizenBOX"? This dude has hacked my site many times, mind you I didn't have my firewall up when he did get in...
I will check this place and the web for more info, please keep me posted...
------------------ "keeping it real"
Edited by - KXS on 20 July 2001 03:40:34
KXS
New Member
Canada
66 Posts
Posted - 20 July 2001 : 03:34:36
Here is one solution I found searching google:
http://groups.google.com/groups?=.worm.com root.exe fix&hl=en&safe=off&rnum=1&selm=tlel26joibrme0%40corp.supernews.com
Edited by - KXS on 20 July 2001 03:40:00
Bookie
Average Member
USA
856 Posts
Posted - 20 July 2001 : 09:18:41
Would this explain why IIS keeps stopping? I guess I'll have to go into work today. I was supposed to be home for a vacation day today. I guess my 3 year old son will be introduced to our server room!
Bookie
"May the forces of evil become confused on the way to your home." - George Carlin
MikeBernardo
Starting Member
Canada
33 Posts
Posted - 20 July 2001 : 09:40:32
I went to this URL http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp and installed the patch. But it did not delete root.exe and the other files in the /scripts folder (shell.exe, index.asp, default.asp, Upload.asp, etc.). I disabled my Index Server (I don't use it anyway), and plan on removing idq and ida extensions mapping. It looks like my site is still okay. I removed everything from the /scripts folder, and also moved the /scripts folder location, leaving the old one with no virtual path.
Regards, Michael Bernardo http://www.filipino.ca
Doug G
Support Moderator
USA
6493 Posts
Posted - 20 July 2001 : 10:16:47
quote: Has anyone seen the index files being changed to: "**** usa government, **** PoizenBOX"? This dude has hacked my site many times, mind you I didn't have my firewall up when he did get in...
I think this is the "sadmind" attack.
For myself, I use windows update to get patches. On NT and 2K Pro, the critical updates from windows update installed MS-033 for me and another W2K post SP2 hotfix yesterday.
====== Doug G ======
Id
Junior Member
USA
129 Posts
Posted - 20 July 2001 : 12:12:39
I got hit with this about 2 months ago. I deleted all traces of the file, and haven't seen it pop up again. It popped up in all the roots of my system, including my root C drive, my IIS roots, and my winnt/system root, so these files show up everywhere.
Jeepaholic
Average Member
USA
697 Posts
Posted - 20 July 2001 : 12:13:27
Download Service Pack 2.
Download all the hotfixes (post SP2).
Unplug your server from the network.
Delete the file.
Remove it from your Recycle Bin.
Apply Service Pack 2.
Apply all hotfixes (will probably have to reboot after each).
That should do it...I will have more information later, but that's all I know right now.
Al Bsharah Jeepaholics Anonymous