Re: Event ID.16 - Am I under attack?

From: "mike singer" <>
Date: Wed, 26 Mar 2003 10:50:19 -0500

You clearly have been victimized by a prior attack (one which you might be
patched against now).
The attack has clearly put a copy of cmd.exe in your home directory and
renamed it root.exe. Since the world has had pretty complete control of
your machine for some time, I would view the machine as very questionable,
i.e. what would it take to completely wipe it. You can easily find the
obvious remnants of the attack, but I would be worried about less obvious

"Wizard" <> wrote in message
> Greeting,
> I have had a couple of strange incidences on my Win 2K server, SP3.
> The web service becomes inaccessible, and the server needs a reboot
> to work again.
> I have looked through my Event Viewer and under System I find several
> similar Errors only with different IP addresses within the same IP range:
> The script started from the URL '/scripts/root.exe' with parameters
> '/' has not responded within the
> configured timeout period. The HTTP server is terminating the script.
> For additional information specific to this message please visit the
> Microsoft Online Support site located at:
> This has happened 2 times yesterday, and once today. I don't have any more
> helpful info at the moment. I have assigned a Linux box to log activity on
> that part of my LAN and I will hopefully get some more information during some
> hours....
> Any help will be appreciated, best for the day!
> Wizard
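
Added example, not part of the original thread: one way to triage the web server's own logs for the requests described above, grouping every request for root.exe by source /24 so that "different IP addresses within the same IP range" shows up as one cluster. It assumes IIS W3C extended logging with a `#Fields:` header; the log excerpt is constructed (documentation IP ranges) and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format (documentation IPs, not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-03-25 08:14:02 192.0.2.17 GET /scripts/root.exe - 200
2003-03-25 08:14:09 192.0.2.93 GET /scripts/root.exe - 200
2003-03-25 09:01:44 198.51.100.5 GET /default.htm - 200
2003-03-26 02:30:11 192.0.2.140 GET /Scripts/ROOT%2Eexe - 200
2003-03-26 02:31:00 203.0.113.8 GET /scripts/root.exe - 404
"""

def find_backdoor_hits(log_text, name="root.exe"):
    """Return {source /24: [(date, time, ip, status), ...]} for requests to `name`."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Decode %xx escapes and ignore case so /Scripts/ROOT%2Eexe is not missed.
        stem = unquote(row.get("cs-uri-stem", "")).lower()
        if stem.rsplit("/", 1)[-1] != name:
            continue
        try:
            net = ipaddress.ip_network(row["c-ip"] + "/24", strict=False)
        except (KeyError, ValueError):
            continue                       # missing or malformed client address
        hits[str(net)].append((row.get("date"), row.get("time"),
                               row["c-ip"], row.get("sc-status")))
    return dict(hits)

def summarize(hits):
    """Per range: distinct sources, total requests, requests not answered 404."""
    return {net: {"sources": len({r[2] for r in rows}),
                  "requests": len(rows),
                  "not_404": sum(r[3] != "404" for r in rows)}
            for net, rows in hits.items()}

if __name__ == "__main__":
    for net, info in sorted(summarize(find_backdoor_hits(SAMPLE_LOG)).items()):
        print(net, info)
```

A non-zero `not_404` count means the server found something at that path, so the timestamps of those rows are the first window to pull for the wider review the reply recommends.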