On the 8th of August w1rep4ir posted a script to vuln-dev that scanned for root.exe:

> I also sent this message to incidents so sorry if you get it twice like I will ;). After seeing many posts on this "root.exe" backdoor, and encountering it 3 times in the field I decided to write a script that scans from startip to endip looking for root.exe in msadc/ and scripts/. It's not blazing fast but it definitely gets the job done. Feel free to modify it as you see fit. Just email me your modifications so I can see how you improved it and keep my name on it.

This could be what you are seeing. Also the sadmin/unicode worm created the root.exe as well.

-dan

Jacek Lipkowski wrote:
> On Thu, 16 Aug 2001, David Pick wrote:
>
> > These are attempts to use the "backdoor" left behind by the third
> > main variant of the CodeRed worm. What command are they trying to
> > execute? (should be passed as parameters to the query) or are they
> > just looking to see if it's there at all?
>
> Don't assume root.exe is Code Red specific. I've seen cmd.exe copied to
> the scripts directory named root.exe in one box that was probably hacked
> using the double-unicode-decode bug (or whatever it's called). This was a
> few months ago.
>
> root.exe just seems to be a popular name...
>
> jacek
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
Daniel Harrison
Security Engineer
Loudcloud, Inc.
408.744.7809
"Past performance does not guarantee future results."
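The thread's practical question for an IIS administrator is the defender-side one: which requests in my web logs are root.exe probes, did any of them carry a command in the query string (David Pick's question), and did the server ever actually serve the file (which means the box already has the backdoor). The following is an added example written for this page, not w1rep4ir's scanner or any code from the thread. It parses a few constructed IIS W3C-style log lines (date, time, client IP, method, URI stem, URI query, status; the IP addresses and timestamps are made up) and reports per-client counts plus whether root.exe was ever served with a 200 rather than a 404:

```python
import re
from urllib.parse import unquote

# Backdoor locations named in the thread: root.exe dropped into the IIS
# scripts/ and msadc/ directories (Code Red II, or a hand-copied cmd.exe).
ROOT_EXE_PATHS = ("/scripts/root.exe", "/msadc/root.exe")

# Constructed sample log (not from the thread), W3C extended format:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-08-16 09:12:01 10.0.0.5 GET /default.htm - 200
2001-08-16 09:12:44 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-08-16 09:13:02 192.0.2.10 GET /msadc/root.exe /c+dir 404
2001-08-16 09:14:17 198.51.100.7 GET /Scripts/ROOT.EXE - 200
2001-08-16 09:15:00 10.0.0.8 GET /images/logo.gif - 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for one W3C log line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # IIS writes "-" for an empty query string.
    rec["query"] = "" if rec["query"] == "-" else rec["query"]
    return rec


def is_root_exe_request(rec):
    """True if the URI stem targets one of the known root.exe locations.

    IIS paths are case-insensitive and may arrive %-encoded, so decode and
    lower-case before comparing.
    """
    stem = unquote(rec["stem"]).lower()
    return stem in ROOT_EXE_PATHS


def classify(rec):
    """'probe' when no command was supplied, 'command' when the query string
    carries parameters for root.exe, None for unrelated requests."""
    if not is_root_exe_request(rec):
        return None
    return "probe" if rec["query"] == "" else "command"


def scan_log(text):
    """Return one hit dict per root.exe request found in the log text."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind:
            hits.append({
                "ip": rec["ip"],
                "stem": rec["stem"],
                "query": rec["query"],
                "status": rec["status"],
                "kind": kind,
            })
    return hits


def summarize(hits):
    """Per client IP: number of root.exe requests and whether any of them was
    answered with 200. A 404 means the file is absent (the host was only
    probed); a 200 means root.exe exists and the host needs incident handling."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["ip"], {"requests": 0, "served": False})
        s["requests"] += 1
        if h["status"] == 200:
            s["served"] = True
    return summary


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    for ip, s in summarize(found).items():
        print(ip, s)
```

The useful signal is the status code, not the request itself: every IIS host on the Internet saw these probes in August 2001, but only a 200 on a root.exe request tells you the backdoor is present on your own server. Point `scan_log` at a real W3C log by reading the file instead of `SAMPLE_LOG`; if your log format has extra fields, adjust `LINE_RE` to match the `#Fields:` header.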
This archive was generated by hypermail 2b30 : Thu Aug 16 2001 - 10:10:37 PDT