Security Incidents mailing list archives

Re: scans for root.exe


From: Daniel Harrison <danielh () loudcloud com>
Date: Thu, 16 Aug 2001 09:22:03 -0700

On the 8th of August w1rep4ir posted a script to vuln-dev that scanned for
root.exe.

<Quote>
I also sent this message to incidents so sorry if you get it twice like I will
;).
After seeing many posts on this "root.exe" backdoor, and encountering
it 3 times in the field I decided to write a script that scans from startip to
endip looking for root.exe in msadc/ and scripts/. It's not blazing fast but it
definitely gets the job done. Feel free to modify it as you see fit. Just email
me your modifications so I can see how you improved it and keep my name on it.
</Quote>

This could be what you are seeing. Also the sadmin/unicode worm created the
root.exe as well.

-dan


Jacek Lipkowski wrote:

On Thu, 16 Aug 2001, David Pick wrote:

These are attempts to use the "backdoor" left behind by the third
main variant of the CodeRed worm. What command are they trying to
execute? (should be passed as parameters to the query) or are they
just looking to see if it's there at all?

Don't assume root.exe is Code Red specific. I've seen cmd.exe copied to
the scripts directory named root.exe in one box that was probably hacked
using the double-unicode-decode bug (or whatever it's called). This was a
few months ago.

root.exe just seems to be a popular name...

jacek

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

--
Daniel Harrison    Security Engineer    Loudcloud, Inc.
408.744.7809
"Past performance does not guarantee future results."
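As an added defender-side example (not code from this thread or from the poster's scanner): a small Python log check that answers David Pick's question above by classifying root.exe requests in IIS W3C logs as bare existence probes or as command executions carrying a query string, and decoding that command. The log lines are constructed samples, and the field order is assumed to be the layout given in the #Fields line.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not real log data) in IIS W3C extended format;
# field order is assumed to be: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-16 09:10:01 10.0.0.5 GET /scripts/root.exe - 404
2001-08-16 09:10:02 10.0.0.5 GET /msadc/root.exe - 404
2001-08-16 09:11:45 10.0.0.9 GET /scripts/root.exe /c+dir+c:\\ 200
2001-08-16 09:12:00 10.0.0.9 GET /scripts/root.exe /c+dir+c:\\inetpub 200
2001-08-16 09:13:00 10.0.0.7 GET /index.html - 200
"""

# root.exe under either directory the posted scanner looked in
ROOT_EXE = re.compile(r"/(scripts|msadc)/root\.exe$", re.IGNORECASE)


def parse_line(line):
    """Split one W3C log line into named fields; None for blank/comment lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, client, method, stem, query, status = parts[:7]
    return {"date": date, "time": time, "client": client, "method": method,
            "stem": stem, "query": query, "status": int(status)}


def classify_root_exe(entry):
    """'probe' = request with no query (only checking the backdoor exists),
    'command' = a query string was passed as the command line, None = unrelated."""
    if entry is None or not ROOT_EXE.search(entry["stem"]):
        return None
    return "probe" if entry["query"] == "-" else "command"


def scan_log(text):
    """One record per root.exe request: who, which path, probe vs command,
    the decoded command line ('+' and %xx undone), and whether the server
    answered 200, which would mean the backdoor is actually present."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        kind = classify_root_exe(entry)
        if kind is None:
            continue
        command = unquote_plus(entry["query"]) if kind == "command" else None
        hits.append({"client": entry["client"], "path": entry["stem"], "kind": kind,
                     "command": command, "backdoor_present": entry["status"] == 200})
    return hits
```

A 200 on any of these paths is the finding worth acting on: a 404 only tells you someone is looking.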


