Massive Hacker Strike
Important News!
If you have Windows NT/IIS WebServer check it out!
This is an extremely serious vulnerability, and we strongly encourage all users to immediately apply the Microsoft patch. An attacker could use this vulnerability to gain complete control of an affected web server. Worse, the vulnerability could be exploited from the Internet in most cases.
For instance, in working with Microsoft on this issue, eEye Digital Security, the company that discovered the vulnerability, demonstrated a scenario in which it could be used to open a command prompt on an affected web server. Through such a scenario, an attacker on the Internet could execute any desired command on the server.
Symptoms:
For all those running Win2k/NT, I highly advise you to go to the inetpub\scripts directory and verify that there is no root.exe or anything similar in that directory. There are a few more things to look at, but I will not go into detail about what they are. Go to:
http://builder.cnet.com/webbuilding/0-7532-8-4877567-1.html?tag=st.bl.7532.e
(thanks Jose for the info!)
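The two checks described in this section (look for a planted root.exe in the scripts directory, and search the web logs for requests that reference it) as an added example; this is not code from the original page. It assumes IIS W3C extended log format and the default C:\Inetpub\scripts path; the log lines are constructed for the example.

```python
import os
import re

# Constructed sample IIS W3C log lines (not from the page): one ordinary
# request followed by two that invoke the planted root.exe.
SAMPLE_LOG = r"""
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-01 03:12:44 192.0.2.10 GET /default.htm - 200
2001-05-01 03:13:05 198.51.100.7 GET /scripts/root.exe /c+dir+c:\ 200
2001-05-01 03:13:20 198.51.100.7 GET /scripts/root.exe /c+type+c:\inetpub\wwwroot\default.htm 200
"""

# A request whose path or query names root.exe or cmd.exe should never
# appear on a healthy server; either one is a strong compromise marker.
SUSPICIOUS_URI = re.compile(r"(root|cmd)\.exe", re.IGNORECASE)
SUSPICIOUS_FILE = re.compile(r"^(root|cmd)\.exe$", re.IGNORECASE)


def find_suspicious_requests(log_text):
    """Return (line_no, client_ip, uri_stem, query) for each matching line."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue  # blank lines and the W3C '#Fields:' header
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed record, skip it
        c_ip, stem, query = fields[2], fields[4], fields[5]
        if SUSPICIOUS_URI.search(stem) or SUSPICIOUS_URI.search(query):
            hits.append((line_no, c_ip, stem, query))
    return hits


def suspicious_files(names):
    """Filter a directory listing down to root.exe / cmd.exe copies."""
    return sorted(n for n in names if SUSPICIOUS_FILE.match(n))


def check_scripts_dir(scripts_dir):
    """List planted executables in the IIS scripts directory (empty if clean)."""
    if not os.path.isdir(scripts_dir):
        return []
    return suspicious_files(os.listdir(scripts_dir))


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
    # Default IIS path (assumed); adjust if the site root is elsewhere.
    print("planted executables:", check_scripts_dir(r"C:\Inetpub\scripts"))
```

Run it against the real log files under the IIS LogFiles directory by passing their contents to find_suspicious_requests; a hit from an outside address is a sign the server was reached before the patch was applied.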
How to defeat:
On Windows 2000
1. Remove the file root.exe and the other overwritten files (like default.htm, index.htm, default.asp and index.asp containing the hackers' message)
2. If you don't have Service Pack 1 - definitely apply it
3. Go to Microsoft and apply all the extra security fixes. You can find those at
http://www.microsoft.com/windows2000/downloads/critical/default.asp
(you can apply them all at once; there's no need to reboot each time, just after the last one)
Comments
Yeah I got bitten by that one!
I assume it's the same hackers doing most of the sites. The anti-USA message is created as a series of default pages in your main web root and then in any subdirectory below it. I was not aware of root.exe before this hack happened. It gives the hacker a great deal of control over the machine running it. They could do a lot more damage than what they did. I immediately removed root.exe when I discovered the problem. If you are unsure if you have been hacked, open your web logs and do a search for "root.exe".
I did a traceroute on the offending IP and it traced back to a location in China. This may be a spook of some sort, it looks like someone is trying to start trouble between the two countries.
All a bit childish.
Nic