Suspicious files

Account Information

Reset password

An email has been sent to you with instructions on how to reset your password.

Back to TechRepublic

Welcome to TechRepublic!

By registering, you agree to the Terms of Use and acknowledge the data practices outlined in the Privacy Policy.

You will also receive a complimentary subscription to TechRepublic's News and Special Offers newsletter and the Top Story of the Day newsletter. You may unsubscribe from these newsletters at any time.

Username must be unique. Password must be a minimum of 6 characters and have any 3 of the 4 items: a number (0 through 9), a special character (such as !, $, #, %), an uppercase character (A through Z) or a lowercase (a through z) character (no spaces).

General discussion

Creator

Topic
August 1, 2003 at 1:45 am #2317072

Suspicious files

Locked

by kevin at alexander group · about 18 years, 10 months ago

On a routine check of a client’s Win2K Server, I found the following files in the root of C:.
superrofl.exe, info.exe, root.exe, shell.exe, and http://ftp.txt. The txt file contained the following text:
open ur momma
bye
get CDIR.txt c:\CDIR.txtI have removed the files from the system (but kept copies). I have found no information on any attack or exploit along these lines. I was interested if anyone had information or suggestions for any other checks I should do.

This conversation is currently closed to new comments.
Creator

Topic

All Comments

Author

Replies
- August 1, 2003 at 2:09 am #2740329
  
  Suspicious files
  
  by blackdiamond · about 18 years, 10 months ago
  
  In reply to Suspicious files
  
  Hey,
  
  Root.exe can be related to the Code Red virus. I would make sure that you do a Virus scan with an AV program that is running the latest scan definitions.
  
  If you are running 2000 with IIS installed make sure that it is updated with the latest Microsoft patches.
  http://tinyurl.com/7p51
  
  Thanx
- August 1, 2003 at 4:18 am #2740293
  
  Suspicious files
  
  by riverfreight · about 18 years, 10 months ago
  
  In reply to Suspicious files
  
  Go to Discussions and read ‘Data transfer & Access.
  
  With that, this: it has been found that a lot of components are used in the supposedly new box; and is it possible that there is an after hours user or someone who lost it in a transfer and it found a home here?
  
  RIVER FREIGHT
- August 2, 2003 at 7:26 am #2741114
  
  Suspicious files
  
  by curacao_dejavu · about 18 years, 9 months ago
  
  In reply to Suspicious files
  
  Here’s the link on how various security tools of ms products.
  
  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp
  
  Leopold
- August 4, 2003 at 6:55 pm #2740757
  
  Reply To: Suspicious files
  
  by joseph moore · about 18 years, 9 months ago
  
  In reply to Suspicious files
  
  This server has been compromised, from what I have read. I think it is a “rootkit” which is never good.
  The server probably needs to be patched now. I bet it is not on SP3, is it? If not, then it is vulnerable to the IIS Unicode Directory Traversal Exploit that did make CodeRed and Nimda so popular.
  Lock this machine down now! Run anti-virus software on it to detect trojan files. Check out the firewall settings on whatever firewall protects it (if it IS protected by a firewall).
  I think that “superrofl.exe” is a command prompt that allows the directory traversal to happen.
  
  Sorry for the bad news.
Author

Replies

Viewing 3 reply threads

Start or Search

Start New Discussion

Recruiting an Operations Research Analyst with the right combination of technical expertise and experience will require a comprehensive screening process. This Hiring Kit provides an adjustable framework your business can use to find, recruit and ultimately hire the right person for the job.This hiring kit from TechRepublic Premium includes a job description, sample interview questions ...

The digital transformation required by implementing the industrial Internet of Things (IIoT) is a radical change from business as usual. This quick glossary of 30 terms and concepts relating to IIoT will help you get a handle on what IIoT is and what it can do for your business.. From the glossary’s introduction: While the ...

Procuring software packages for an organization is a complicated process that involves more than just technological knowledge. There are financial and support aspects to consider, proof of concepts to evaluate and vendor negotiations to handle. Navigating through the details of an RFP alone can be challenging, so use TechRepublic Premium’s Software Procurement Policy to establish ...

Windows

General discussion