Massive Hacker Strike

Important News!

If you have Windows NT/IIS WebServer check it out!
Massive Hacker strike.

This is an extremely serious vulnerability, and we strongly encourage all users to immediately apply the Microsoft patch. An attacker could use this vulnerability to gain complete control of an affected web server. Worse, the vulnerability could be exploited from the Internet in most cases.

For instance, in working with Microsoft on this issue, eEye Digital Security, the company that discovered the vulnerability, demonstrated a scenario in which it could be used to open a command prompt on an affected web server. Through such a scenario, an attacker on the Internet could execute any desired command on the server.

Symptoms:

For all those running Win2k/NT, I highly advise you go to the
inetpub\scripts directory and verify that there is no root.exe or anything
similar in that directory, there's a few more things to look at, but I will
not go in detail of what they are. Go to:

http://builder.cnet.com/webbuilding/0-7532-8-4877567-1.html?tag=st.bl.7532.e

(thanks Jose for the info!)

How to defeat:

On Windows 2000

1. Remove the files root.exe and other overwritten files (like
default.htm, index.htm, default.asp and index.asp containing the hackers
message)
2. If you don't have Service Pack 1 - definitely apply it
3. Go to Microsoft and apply all the extra security fixes.

You can find those on

http://www.microsoft.com/windows2000/downloads/critical/default.asp

(you can apply them all at once, there's no need to reboot each time - just the last time)