Re: Event ID.16 - I'm I under attack?
From: mike singer (email@example.com)
From: "mike singer" <firstname.lastname@example.org> Date: Wed, 26 Mar 2003 10:50:19 -0500
You cleary have been victimized by a prior attack (one which you might be
patched against now)
The attack has clearly put a copy of cmd.exe in your home directory and
renamed it root.exe. Since the world has had pretty complete control of
your machine for some time, I would view the machine as very questionable.
ie. what would it take to completely wipe it. You can easily find the
obvious remnants of the attack, but I would be worried about less obvious
"Wizard" <wizard@NOSPAM.zykes.com> wrote in message
> I have had a coupple of strange incidences on my Win 2K server, SP3
> The web service becomes inaccessible, and the server needs a reboot
> to work again.
> I have looked through my Event Viewer and under System I find several
> simelar Errors only with different IP addresses within the same IP range:
> The script started from the URL '/scripts/root.exe' with parameters
> '/c+ping+-n+2048+-l+30000+xxx.xxx.xxx.xxx' has not responded within the
> configured timeout period. The HTTP server is terminating the script.
> For additional information specific to this message please visit the
> Online Support site located at:
> This has happend 2 times yesterday, and once today. I don't have any more
> helpful info at the moment. I have assigned a Linux box to logg activety
> part of my LAN and I will hopefully get some more information during some
> Any help will be appreciated, best for the day!