General discussion


Suspicious files

By Kevin at Alexander Group
On a routine check of a client's Win2K Server, I found the following files in the root of C:.
superrofl.exe, info.exe, root.exe, shell.exe, and ftp.txt. The txt file contained the following text:

open ur momma
get CDIR.txt c:\CDIR.txt

I have removed the files from the system (but kept copies). I have found no information on any attack or exploit along these lines. I was interested if anyone had information or suggestions for any other checks I should do.


Suspicious files

by BlackDiamond In reply to Suspicious files


Root.exe can be related to the Code Red virus. I would make sure that you do a Virus scan with an AV program that is running the latest scan definitions.

If you are running 2000 with IIS installed make sure that it is updated with the latest Microsoft patches.



Suspicious files

by RiverFreight In reply to Suspicious files

Go to Discussions and read 'Data transfer & Access'.

With that, this: it has been found that a lot of components are used in the supposedly new box; and is it possible that there is an after hours user or someone who lost it in a transfer and it found a home here?



Suspicious files

by Curacao_Dejavu In reply to Suspicious files

by Joseph Moore In reply to Suspicious files

This server has been compromised, from what I have read. I think it is a "rootkit" which is never good.
The server probably needs to be patched now. I bet it is not on SP3, is it? If not, then it is vulnerable to the IIS Unicode Directory Traversal Exploit that made CodeRed and Nimda so popular.
Lock this machine down now! Run anti-virus software on it to detect trojan files. Check out the firewall settings on whatever firewall protects it (if it IS protected by a firewall).
I think that "superrofl.exe" is a command prompt that allows the directory traversal to happen.

Sorry for the bad news.
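One concrete follow-up check for the original question, prompted by the reply above: the IIS Unicode directory traversal that Joseph Moore names and the root.exe file that BlackDiamond ties to Code Red both leave traces in the web server's W3C extended log, so the log can be searched for requests whose path only reveals a `../` after the encoding tricks are undone, and for direct requests to cmd.exe or root.exe. The script below is an added example written for this thread, not code posted by any participant; the log lines it scans are constructed samples in the IIS 5.0 W3C format (date, time, client IP, method, URI stem, URI query, status), and the field layout, the set of overlong UTF-8 sequences it collapses, and the two-round decoding are assumptions about how a permissive server of that era decoded paths.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample IIS W3C extended log lines (not taken from the poster's server).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-11 08:15:02 10.0.0.5 GET /default.htm - 200
2002-03-11 08:15:09 10.0.0.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2002-03-11 08:16:41 10.0.0.77 GET /scripts/root.exe /c+dir+c:\\ 200
2002-03-11 08:17:03 10.0.0.5 GET /images/logo.gif - 304
2002-03-11 08:18:27 10.0.0.90 GET /msadc/..%255c..%255c..%255cwinnt/system32/cmd.exe /c+copy+c:\\winnt\\system32\\cmd.exe+root.exe 502
"""

# Overlong UTF-8 encodings of '/' and '\' that a lenient decoder accepts as path separators
# (assumed set; extend it if your server's logs show other variants).
OVERLONG = {
    b"\xc0\xaf": b"/",
    b"\xc0\x2f": b"/",
    b"\xc1\x9c": b"\\",
    b"\xc1\x1c": b"\\",
}

# Binaries that should never be requested through the web server's script directories.
SUSPECT_BINARIES = {"cmd.exe", "root.exe"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def normalize_path(raw: str, rounds: int = 2) -> str:
    """Decode a request path the way a permissive server would: percent-decode up to
    `rounds` times (catches %255c -> %5c -> '\\') and collapse overlong separators,
    then unify '\\' to '/' so every traversal form becomes a literal '../'."""
    data = raw.encode("latin-1", errors="replace")
    for _ in range(rounds):
        data = unquote_to_bytes(data)
        for bad, good in OVERLONG.items():
            data = data.replace(bad, good)
    return data.decode("latin-1").replace("\\", "/")


def classify_request(uri_stem: str) -> list:
    """Return the reasons a request looks like traversal or a dropped-shell call (empty if clean)."""
    path = normalize_path(uri_stem)
    reasons = []
    if "../" in path:
        reasons.append("encoded directory traversal")
    basename = path.rsplit("/", 1)[-1].lower()
    if basename in SUSPECT_BINARIES:
        reasons.append(f"request for {basename}")
    return reasons


def scan_log(text: str) -> list:
    """Parse W3C extended log lines and return the suspicious requests with their reasons."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip directives and blank lines
        match = LOG_RE.match(line)
        if not match:
            continue  # unexpected layout; a real run should count these rather than drop them
        date, time, client, method, stem, query, status = match.groups()
        reasons = classify_request(stem)
        if reasons:
            hits.append({
                "time": f"{date} {time}",
                "client": client,
                "method": method,
                "uri": stem,
                "query": query,
                "status": int(status),
                "reasons": reasons,
            })
    return hits


def clients_by_hit_count(hits: list) -> dict:
    """Group flagged requests by source address so repeat offenders stand out."""
    counts = {}
    for hit in hits:
        counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['uri']} -> {', '.join(hit['reasons'])}")
    print(clients_by_hit_count(scan_log(SAMPLE_LOG)))
```

A status of 200 on a flagged line is the important signal: it means the server actually executed the traversal or the dropped binary, so the host should be treated as compromised rather than merely probed, which matches the advice in the replies to patch, scan and check the firewall. Run the same scan over every site's log directory, not just the default site, since Code Red style worms tried the /scripts and /msadc paths on whatever listened on port 80.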
