[thelist] failure notice (& CF TIP)

Daniel J. Cody djc at starkmedia.com
Wed Sep 19 09:20:36 CDT 2001

One more tip while people are tossing them about virii and Windows..

Search your IIS server for a file called root.exe and delete it - if you 
have it you've been compromised. *NO* patches from MS delete this file.

Ironically, I blogged this last week:
root.exe allows anyone on the internet to have commands on the machine 
executed with web server privileges, and can typically be used to set up 
logging of credit card information and other sensitive data on SSL 
servers. This has created a new class of ecommerce site which has been 
correctly patched for known server vulnerabilities, but has a live 
backdoor facility enabling attackers to continue to remain in control of 
the machine.

Typically you'll find the file in the inetpub/scripts directory. I had 
four clients yesterday who had their machines 100% patched, but were 
still being controlled through the root.exe file. What's more scary is 
13% of *SSL* IIS websites on the internet have the root.exe exploit 
installed on them according to Netcraft..


Richard H. Morris wrote:

> John Handelaar [genghis at members.evolt.org] wrote:
>>-----Original Message-----
>>Utterly unhelpful.  Way to go, Richard.
>>The answer:
>>1	Look for all instances of README.EXE on your local
>>	disks and delete them
>>2	Search the registry for 'macrosoft' and remove the
>>	keys
>>3	Uninstall IIS and Windows Scripting Server on your
>>	desktop machine
>>4	Disable 'active scripting' in IE at all 4 security
>>	settings.  Better still, get Mozilla 0.9.4 instead
>>	'cos it's (believe it or not) more robust and doesn't
>>	suffer from the security bug which enables one
>>	of this worm's 6 or 7 methods of propagation.
> Re: 4, just get a Mac and don't worry about Wintel executables? Just as
> helpful advice...
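The two checks the post describes (hunt the web root for root.exe and friends, and see who has been calling it) as one added example. This is not code from the post or from evolt; the IIS W3C log lines are constructed for the demo, the directory tree is built in a temp dir, and the "/msadc" path and the cmd.exe match are assumptions about where the backdoor copy tends to live, not something the post states.

```python
"""Check an IIS host for the root.exe backdoor the post describes.

Two independent checks:
  1. walk the web root for files named root.exe / README.EXE
  2. parse IIS W3C extended logs and report requests that hit
     root.exe (or cmd.exe) under /scripts or /msadc
"""
import os
import re
import tempfile

# File names the post tells you to hunt for.  NTFS is case-insensitive,
# so names are compared lower-cased.
BACKDOOR_NAMES = {"root.exe", "readme.exe"}

# A request that reaches the backdoor (or cmd.exe itself) via the scripts
# or msadc virtual directories.  /msadc is an assumption, not from the post.
SUSPECT_REQUEST = re.compile(r"/(?:scripts|msadc)/.*(?:root|cmd)\.exe", re.IGNORECASE)


def find_backdoor_files(web_root):
    """Return every path under web_root whose file name is on BACKDOOR_NAMES."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower() in BACKDOOR_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def parse_w3c(lines):
    """Yield one dict per record of an IIS W3C extended log.

    Field names come from the '#Fields:' directive; other '#' lines are
    comments.  Records seen before a #Fields line cannot be decoded and are
    skipped rather than guessed at.
    """
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_backdoor_requests(lines):
    """Return (client ip, uri-stem, uri-query, status) for each request whose
    URI stem points at root.exe or cmd.exe under /scripts or /msadc."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if SUSPECT_REQUEST.search(stem):
            hits.append((rec.get("c-ip"), stem, rec.get("cs-uri-query"), rec.get("sc-status")))
    return hits


# Constructed sample log: one real-looking probe of root.exe and one encoded
# traversal towards cmd.exe, mixed with ordinary traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-18 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 08:12:01 192.0.2.10 GET /default.htm - 200
2001-09-18 08:12:05 198.51.100.7 GET /scripts/root.exe /c+dir 200
2001-09-18 08:13:40 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 08:14:02 192.0.2.10 GET /images/logo.gif - 200
"""


def demo_file_scan():
    """Build a throw-away tree shaped like inetpub (constructed, not a real
    host) and return the backdoor paths found, relative to that root."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("scripts/root.exe", "wwwroot/default.htm", "wwwroot/Readme.EXE"):
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"placeholder")  # contents are irrelevant to the name check
        return [os.path.relpath(p, tmp).replace(os.sep, "/")
                for p in find_backdoor_files(tmp)]


if __name__ == "__main__":
    print("files:", demo_file_scan())
    for hit in find_backdoor_requests(SAMPLE_LOG.splitlines()):
        print("request:", hit)
```

On a real box point `find_backdoor_files` at `C:\inetpub` and feed `find_backdoor_requests` the files from the W3SVC log directory; a 200 on `/scripts/root.exe` with a `/c+...` query is someone running commands as the web server. Finding the file is evidence of compromise, not the whole infection: the log check is what tells you how long it has been in use, and deleting the file does not undo what was done with it.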
