Suspicious files

By Kevin at Alexander Group ·
On a routine check of a client's Win2K Server, I found the following files in the root of C:.
superrofl.exe, info.exe, root.exe, shell.exe, and ftp.txt. The txt file contained the following text:
open ur momma
bye
get CDIR.txt c:\CDIR.txt

I have removed the files from the system (but kept copies). I have found no information on any attack or exploit along these lines. I was interested if anyone had information or suggestions for any other checks I should do.


Suspicious files

by BlackDiamond In reply to Suspicious files

Hey,

Root.exe can be related to the Code Red virus. I would make sure that you do a Virus scan with an AV program that is running the latest scan definitions.

If you are running 2000 with IIS installed make sure that it is updated with the latest Microsoft patches.
http://tinyurl.com/7p51

Thanx

Suspicious files

by RiverFreight In reply to Suspicious files

Go to Discussions and read 'Data transfer & Access'.

With that, this: it has been found that a lot of components are used in the supposedly new box; and is it possible that there is an after hours user or someone who lost it in a transfer and it found a home here?

RIVER FREIGHT

Suspicious files

by Curacao_Dejavu In reply to Suspicious files

Here's the link to the various security tools for MS products.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp

Leopold

by Joseph Moore In reply to Suspicious files

This server has been compromised, from what I have read. I think it is a "rootkit" which is never good.
The server probably needs to be patched now. I bet it is not on SP3, is it? If not, then it is vulnerable to the IIS Unicode Directory Traversal Exploit that did make CodeRed and Nimda so popular.
Lock this machine down now! Run anti-virus software on it to detect trojan files. Check out the firewall settings on whatever firewall protects it (if it IS protected by a firewall).
I think that "superrofl.exe" is a command prompt that allows the directory traversal to happen.

Sorry for the bad news.
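The IIS Unicode directory traversal that Joseph Moore refers to, and the root.exe backdoor BlackDiamond associates with Code Red, leave traces in the IIS W3C extended logs. As an added example (not code from this thread), the Python checker below double-decodes each requested path, flags overlong UTF-8 separators and ".." that appear after decoding, and flags requests for cmd.exe, root.exe or shell.exe; the log lines and the assumed field order (date time c-ip method uri-stem uri-query status) are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C extended log lines for this example; not from the server in the post.
# Field order assumed: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2003-01-14 02:11:07 198.51.100.7 GET /default.htm - 200
2003-01-14 02:11:09 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2003-01-14 02:11:10 198.51.100.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2003-01-14 02:11:12 198.51.100.7 GET /scripts/root.exe /c+dir 200
2003-01-14 02:12:40 203.0.113.9 GET /images/logo.gif - 200
"""

# Binaries named in the thread that should never be requested through the web server.
SUSPECT_TARGETS = ("cmd.exe", "root.exe", "shell.exe")

# A lead byte of 0xC0/0xC1 followed by a continuation byte is always an overlong
# UTF-8 encoding of an ASCII character (e.g. "/" or "\"), which is how the
# Unicode traversal slipped past the path check in unpatched IIS.
OVERLONG_UTF8 = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def decode_uri(uri_stem: str) -> bytes:
    """Percent-decode twice so double-encoded paths (%255c -> %5c -> \\) are exposed."""
    return unquote_to_bytes(unquote_to_bytes(uri_stem))


def classify(uri_stem: str) -> list:
    """Return the reasons a request path looks malicious; an empty list means benign."""
    decoded = decode_uri(uri_stem)
    reasons = []
    if OVERLONG_UTF8.search(decoded):
        reasons.append("overlong UTF-8 path separator")
    if b".." in decoded:
        reasons.append("dot-dot traversal after decoding")
    for target in SUSPECT_TARGETS:
        if target.encode() in decoded.lower():
            reasons.append("requests " + target)
    return reasons


def scan_log(text: str) -> list:
    """Return (client_ip, uri_stem, reasons) for each suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        fields = line.split(" ")
        if not line or line.startswith("#") or len(fields) < 7:
            continue  # skip blank lines, W3C directives and malformed rows
        reasons = classify(fields[4])
        if reasons:
            hits.append((fields[2], fields[4], reasons))
    return hits


if __name__ == "__main__":
    for ip, stem, why in scan_log(SAMPLE_LOG):
        print(ip, stem, "; ".join(why))
```

A real review would run this over the full log set for the period before the files appeared, since the timestamps and client addresses of the first cmd.exe or root.exe hits date the compromise.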
