[thelist] failure notice (& CF TIP)

John Best john.best at simplytrading.com
Wed Sep 19 10:17:53 CDT 2001


As a little note: removing root.exe is possibly not sufficient.

As root.exe allows people access to your system, you will also need to
have a good poke around and ensure that nothing has been added/changed.
(In an ideal world you would rebuild from safe backups, apply patches
and then reconnect.)

Things hackers may do include:
1.) Add additional backdoors/trojans.
2.) Set registry keys to run code when the computer boots, starting a
rogue service or something.
3.) Add users / elevate users' privileges.

I have no idea how one goes around convincing yourself that it's all
safe.

Sorry to be such a damper, but a false sense of security is very
dangerous.

John Best

P.S. I read a book and it scared me.

> 
> Hi Dan!
> 
> If one has that file, does it mean that the server *has* been infected by a
> worm, or is it that the file is a security loophole?
> 
> I ask because root.exe is on our Win 2000 server, but as that is sitting
> behind what I consider to be a *very* secure firewall I find it hard to
> believe that anyone has compromised our box.
> 
> Having found the file, is there anything else in particular I should be
> looking for?
> 
> .steve
> 
> 
> ----------------------------------
>    WapWarp - http://wapwarp.com
>  Wap-Dev - http://www.wap-dev.net
>  Cookstour - http://cookstour.org
> ----------------------------------
> 
> > -----Original Message-----
> > From: Daniel J. Cody [mailto:djc at starkmedia.com]
> > Sent: den 19 september 2001 16:06
> > To: thelist at lists.evolt.org
> > Subject: Re: [thelist] failure notice (& CF TIP)
> > 
> > 
> > One more tip while people are tossing them about about virii and windows..
> > 
> > Search your IIS server for a file called root.exe and delete it - if you
> > have it you've been compromised. *NO* patches from MS delete this file.
> > 
> 
> 
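
One check that fits the question of what else to look for, as an added example that is not part of the original thread: it scans IIS W3C extended logs for requests to root.exe and separates requests the server answered with a 2xx status from those it rejected. The log lines and addresses are constructed, the function name is hypothetical, and the parser assumes the log carries its `#Fields:` header.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 22:41:07 192.0.2.10 GET /default.htm - 200
2001-09-18 22:41:09 192.0.2.77 GET /scripts/root.exe - 404
2001-09-18 23:02:13 198.51.100.5 GET /scripts/Root.exe - 200
2001-09-18 23:02:15 198.51.100.5 GET /MSADC/root.exe - 200
2001-09-19 01:15:40 203.0.113.9 GET /images/root.exe.gif - 200
"""


def find_root_exe_hits(log_text, target="root.exe"):
    """Group requests whose final path segment is `target` by client IP.

    Returns {"answered": {ip: [...]}, "rejected": {ip: [...]}} where
    "answered" means the server replied with a 2xx status.
    """
    fields = []
    hits = {"answered": defaultdict(list), "rejected": defaultdict(list)}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, parts))
        stem = row.get("cs-uri-stem", "")
        # Compare only the last path segment, case-insensitively, so that
        # /images/root.exe.gif is not counted as a hit.
        if stem.replace("\\", "/").rsplit("/", 1)[-1].lower() != target:
            continue
        status = row.get("sc-status", "")
        bucket = "answered" if status.startswith("2") else "rejected"
        hits[bucket][row.get("c-ip", "?")].append(
            (row.get("date"), row.get("time"), stem, status))
    return {name: dict(by_ip) for name, by_ip in hits.items()}


if __name__ == "__main__":
    for bucket, by_ip in find_root_exe_hits(SAMPLE_LOG).items():
        for ip, entries in by_ip.items():
            print(bucket, ip, len(entries), "request(s), first at", entries[0][:2])
```

Answered requests give the client addresses and timestamps that bound the window to investigate. An empty result proves nothing if logging was disabled or the logs themselves could have been altered.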




