Security Incidents mailing list archives
Re: scans for root.exe
From: Daniel Harrison <danielh () loudcloud com>
Date: Thu, 16 Aug 2001 09:22:03 -0700
On the 8th of August w1rep4ir posted a script to vuln-dev that scanned for root.exe.

<Quote>
I also sent this message to incidents so sorry if you get it twice like I will ;). After seeing many posts on this "root.exe" backdoor, and encountering it 3 times in the field I decided to write a script that scans from startip to endip looking for root.exe in msadc/ and scripts/. It's not blazing fast but it definitely gets the job done. Feel free to modify it as you see fit. Just email me your modifications so I can see how you improved it and keep my name on it.
</Quote>

This could be what you are seeing. Also the sadmin/unicode worm created the root.exe as well.

-dan

Jacek Lipkowski wrote:
> On Thu, 16 Aug 2001, David Pick wrote:
>
> > These are attempts to use the "backdoor" left behind by the third main variant of the CodeRed worm. What command are they trying to execute? (should be passed as parameters to the query) or are they just looking to see if it's there at all?
>
> don't assume root.exe is code red specific, i've seen cmd.exe copied to the scripts directory named root.exe in one box that was probably hacked using the double-unicode-decode bug (or whatever it's called). this was a few months ago. root.exe just seems to be a popular name...
>
> jacek
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
--
Daniel Harrison
Security Engineer
Loudcloud, Inc.
408.744.7809
"Past performance does not guarantee future results."
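
Added example (not part of the thread, and not the script w1rep4ir posted): a defender-side triage of web server logs for the question raised above, namely whether requests for root.exe in scripts/ and msadc/ carry a command in the query string or only test for the file. The IIS W3C field layout, the `triage` function and the sample log lines are assumptions constructed for illustration.

```python
from urllib.parse import unquote_plus

# Paths named in the thread; compared in lower case because IIS paths are case-insensitive.
WATCHED = {"/scripts/root.exe", "/msadc/root.exe"}

# Constructed sample log (IIS W3C extended format, documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-16 09:01:12 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-08-16 09:01:13 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-08-16 09:04:40 198.51.100.7 HEAD /scripts/root.exe - 404
2001-08-16 09:07:02 198.51.100.9 GET /scripts/Root.exe /c%20dir 200
2001-08-16 09:08:30 192.0.2.33 GET /default.htm - 200
"""

def triage(log_text):
    """Return one record per request for root.exe in the watched directories."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order is declared by the log itself
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue                        # other directives, blank or malformed lines
        rec = dict(zip(fields, parts))
        if rec.get("cs-uri-stem", "").lower() not in WATCHED:
            continue
        query = rec.get("cs-uri-query", "-")
        command = None if query == "-" else unquote_plus(query)
        hits.append({
            "client": rec.get("c-ip"),
            "path": rec["cs-uri-stem"],
            # No query string: the client only checked whether the file exists.
            "kind": "probe" if command is None else "command",
            "command": command,
            # A 2xx status means the server answered for the file: this host needs response.
            "served": rec.get("sc-status", "").startswith("2"),
        })
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

A hit identifies the request, not whatever left the file behind; as noted in the thread, root.exe is not specific to Code Red.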
Current thread:
- scans for root.exe Kevin Holmquist (Aug 16)
- Re: scans for root.exe David Pick (Aug 16)
- Re: scans for root.exe Jacek Lipkowski (Aug 16)
- Re: scans for root.exe Daniel Harrison (Aug 16)
- Re: scans for root.exe Christian Kuhtz (Aug 16)
- Re: scans for root.exe Daniel Harrison (Aug 16)
- Re: scans for root.exe Jacek Lipkowski (Aug 16)
- Re: scans for root.exe David Pick (Aug 16)