[thelist] failure notice (& CF TIP)
Daniel J. Cody
djc at starkmedia.com
Wed Sep 19 09:47:57 CDT 2001
Hey Steve -
Steve Cook wrote:
> Hi Dan!
>
> If one has that file, does it mean that the server *has* been infected by a
> worm, or is it that the file is a security loophole?
root.exe is a by-product of the code red series, so its presence
suggests that your server *was* infected at one time.
http://www.symantec.com/avcenter/venc/data/codered.v3.html 2/3 of the
way down
http://vil.mcafee.com/dispVirus.asp?virus_k=99177& half way down
> I ask because root.exe is on our Win 2000 server, but as that is sitting
> behind what I consider to be a *very* secure firewall I find it hard to
> believe that anyone has compromised our box.
even the most secure firewalls in front of web servers have to allow
port 80 through, and thats how it spreads :(
everyone can expect more and more of this if 'web services' - that all
flow over port 80, which is typcially open on the firewall - really take
off sadly.
anyways, shout if you have more questions :)
.djc.
More information about the thelist
mailing list