Re: Event ID.16 - I'm I under attack?

From: mike singer (nospam_zookeeper@wwwhr.com)
Date: 03/26/03


From: "mike singer" <nospam_zookeeper@wwwhr.com>
Date: Wed, 26 Mar 2003 10:50:19 -0500


You clearly have been victimized by a prior attack (one which you might be
patched against now).
The attack has clearly put a copy of cmd.exe in your home directory and
renamed it root.exe. Since the world has had pretty complete control of
your machine for some time, I would view the machine as very questionable,
i.e., what would it take to completely wipe it? You can easily find the
obvious remnants of the attack, but I would be worried about less obvious
traces.

"Wizard" <wizard@NOSPAM.zykes.com> wrote in message
news:u34tG1s8CHA.2284@TK2MSFTNGP12.phx.gbl...
> Greeting,
>
> I have had a couple of strange incidents on my Win 2K server, SP3.
> The web service becomes inaccessible, and the server needs a reboot
> to work again.
>
> I have looked through my Event Viewer and under System I find several
> similar errors, only with different IP addresses within the same IP range:
>
> The script started from the URL '/scripts/root.exe' with parameters
> '/c+ping+-n+2048+-l+30000+xxx.xxx.xxx.xxx' has not responded within the
> configured timeout period. The HTTP server is terminating the script.
> For additional information specific to this message please visit the
> Microsoft Online Support site located at:
> http://www.microsoft.com/contentredirect.asp.
>
> This has happened 2 times yesterday, and once today. I don't have any more
> helpful info at the moment. I have assigned a Linux box to log activity in
> that part of my LAN and I will hopefully get some more information during some
> hours....
>
> Any help will be appreciated, best for the day!
>
> Wizard
>
>
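
For triage of the event text quoted in this thread, the following is an added example and not part of either poster's message. It parses the timeout message, decodes the parameters, and groups the ping targets by network. The function names, the /24 grouping and the sample events (documentation addresses) are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Message layout taken from the event text quoted in the post.
EVENT_RE = re.compile(
    r"The script started from the URL\s+'([^']*)'\s+with parameters\s+"
    r"'([^']*)'\s+has not responded")
PING_RE = re.compile(r"\bping\b.*?-n\s+(\d+).*?-l\s+(\d+)\s+(\S+)", re.I)
SHELLS = {"cmd.exe", "root.exe"}  # root.exe: the renamed cmd.exe copy

def parse_event(message):
    """Return a finding for one timeout event, or None if the text differs."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    url, command = m.group(1), unquote_plus(m.group(2))  # '+' encodes a space
    exe = url.rsplit("/", 1)[-1].lower()
    reasons = []
    if url.lower().startswith("/scripts/") and exe.endswith(".exe"):
        reasons.append("executable served from /scripts/")
    if exe in SHELLS or command.lower().startswith("/c "):
        reasons.append("command interpreter driven over HTTP")
    finding = {"url": url, "command": command, "reasons": reasons, "ping": None}
    p = PING_RE.search(command)
    if p:
        finding["ping"] = {"target": p.group(3),
                           "payload_bytes": int(p.group(1)) * int(p.group(2))}
        reasons.append("outbound ping started by the web server")
    return finding

def targets_by_network(messages, prefix=24):
    """Group ping targets by network to expose a sweep across one range."""
    groups = defaultdict(list)
    for f in filter(None, map(parse_event, messages)):
        if f["ping"]:
            try:
                net = ipaddress.ip_network(f"{f['ping']['target']}/{prefix}", strict=False)
            except ValueError:
                continue  # host name or masked address such as xxx.xxx.xxx.xxx
            groups[str(net)].append(f["ping"]["target"])
    return dict(groups)

# Constructed sample events (documentation addresses, not values from the post).
SAMPLE = ["The script started from the URL '/scripts/root.exe' with parameters\n"
          "'/c+ping+-n+2048+-l+30000+192.0.2.%d' has not responded within the\n"
          "configured timeout period." % n for n in (10, 11, 57)]
SAMPLE.append("An unrelated event message.")
```

Feeding it the exported System log messages gives one finding per timeout event, so the same check can be repeated after a rebuild to confirm the events have stopped.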