From: srock (a_at_localhost)
Date: Thu, 24 Jun 2004 11:49:27 -0400

Yes - please post the contents of the files.

"dh" <email@example.com> wrote in message
> As a follow up,
> I also found the files ftpcmd.txt, agent.exe and ads.vbs. The ftpcmd
> file looks to have been used to get the agent.exe file which received
> and ran the ads.vbs file. The ads.vbs file created the iis7xx.dll
> files as well as contacting the IIS admin service to turn on the
> DocFooter and point it at one of the .dlls for each web that was on
> the machine.
> The server is behind a PIX firewall and only IIS is exposed to the
> I can post the content of the ftpcmd and ads.vbs files if that's
> I also had trouble running the task manager - not sure what changed,
> but, later on I was able to start it from the command line.
> firstname.lastname@example.org (dh) wrote in message
> > Just found the same thing on a 2000 server. Six dlls were placed in
> > C:\WINNT\SYSTEM32\inetsrv. Each web on the system had the option to
> > append a file to the end of each request turned on and pointed to one
> > of the dlls. Also, all the system logs were filled with blank
> > entries.
> > I won't repost the as it matches the code below.
> > Has anyone found anything further or have any further ideas as how the
> > machine may have been compromised?
> > (I was just brought in when the problem happened, so, I can't speak
> > much to things like updates having been or not been done.)
> > -dh
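
An added example, not part of the thread or anyone's posted code: a defender-side audit of a metabase dump for the footer setting described above. It assumes the dump is text in the style of `adsutil.vbs ENUM_ALL W3SVC` output and that the "DocFooter" option corresponds to the IIS metabase properties `EnableDocFooter` and `DefaultDocFooter`; the sample dump is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the style of `adsutil.vbs ENUM_ALL W3SVC` output
# (assumed layout: "[/path]" node headers, then "Name : (TYPE) value" lines).
SAMPLE = r'''
[/W3SVC/1/ROOT]
KeyType                         : (STRING) "IIsWebVirtualDir"
EnableDocFooter                 : (BOOLEAN) True
DefaultDocFooter                : (STRING) "FILE:C:\WINNT\SYSTEM32\inetsrv\iis7xx.dll"
[/W3SVC/2/ROOT]
KeyType                         : (STRING) "IIsWebVirtualDir"
EnableDocFooter                 : (BOOLEAN) False
[/W3SVC/3/ROOT]
EnableDocFooter                 : (BOOLEAN) True
DefaultDocFooter                : (STRING) "FILE:D:\sites\legal\footer.htm"
'''

NODE = re.compile(r'^\[(?P<path>/[^\]]+)\]\s*$')
PROP = re.compile(r'^(?P<name>\w+)\s*:\s*\((?P<type>\w+)\)\s*(?P<value>.*)$')

def parse_nodes(text):
    """Return {metabase path: {property: value}} from the dump."""
    nodes, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = NODE.match(line)
        if m:
            current = nodes.setdefault(m.group('path'), {})
            continue
        m = PROP.match(line)
        if m and current is not None:
            current[m.group('name')] = m.group('value').strip().strip('"')
    return nodes

def audit_footers(text):
    """List every node with the footer enabled. A footer is flagged unless it
    is a FILE: reference to an .htm/.html/.txt file outside system directories."""
    findings = []
    for path, props in parse_nodes(text).items():
        if props.get('EnableDocFooter', '').lower() != 'true':
            continue
        footer = props.get('DefaultDocFooter', '')
        target = footer.split(':', 1)[1] if footer.upper().startswith('FILE:') else footer
        low = target.lower()
        suspicious = ('\\inetsrv\\' in low or '\\system32\\' in low
                      or not low.endswith(('.htm', '.html', '.txt')))
        findings.append((path, target, suspicious))
    return findings

if __name__ == '__main__':
    for path, target, bad in audit_footers(SAMPLE):
        print('SUSPICIOUS' if bad else 'review    ', path, '->', target)
```

Every enabled footer is listed, not only the flagged ones, so a footer nobody on the team configured can be spotted even when it points at an ordinary-looking file.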