[thelist] failure notice (& CF TIP)

[Daniel J. Cody]

Hey Steve -

Steve Cook wrote:

> Hi Dan!
> 
> If one has that file, does it mean that the server *has* been infected by a
> worm, or is it that the file is a security loophole?


root.exe is a by-product of the code red series, so its presence 
suggests that your server *was* infected at one time.

http://www.symantec.com/avcenter/venc/data/codered.v3.html 2/3 of the 
way down

http://vil.mcafee.com/dispVirus.asp?virus_k=99177& half way down

 
> I ask because root.exe is on our Win 2000 server, but as that is sitting
> behind what I consider to be a *very* secure firewall I find it hard to
> believe that anyone has compromised our box.


even the most secure firewalls in front of web servers have to allow 
port 80 through, and thats how it spreads :(

everyone can expect more and more of this if 'web services' - that all 
flow over port 80, which is typcially open on the firewall - really take 
off sadly.

anyways, shout if you have more questions :)

.djc.