Re: IIS - inetpub\adminscripts directory has 2 htm files

  • From: "Christian Villeneuve" <Christian.Villeneuve@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 20 Sep 2001 19:04:41 -0400

Thanks for the tips.

I think I have it cleaned up now.  It seemed to be the 2nd or 3rd
generation of Code Red, but did not infect everything.

I do believe I eliminated the leftover that was on our Server.

Best regards and thanks again,




 -----Original Message-----
From:   Mark W. Carr [mailto:Mark.Carr@xxxxxxxxxxxxxxxx] 
Sent:   Thursday, September 20, 2001 4:49 PM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] Re: IIS - inetpub\adminscripts directory has 2 htm files

http://www.ISAserver.org


Check out this link for more information on Poison Box.
http://vil.mcafee.com/dispVirus.asp?virus_k=99085&; 
This more than likely happened around the time of the China VS US
hackfest in April and May.

Mark W. Carr
System Administrator
The Foreign Candy Company
(712) 439-3219
mark.carr@xxxxxxxxxxxxxxxx 


-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Thursday, September 20, 2001 12:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: IIS - inetpub\adminscripts directory has 2 htm files




It's not a virus. You've been hacked! Someone has gained access to your
system. First thing is first, unplug it from the network. Now you've got
to find out how they got in and close those doors. Make sure you have the
latest service packs and security updates.

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005


-----Original Message-----
From: Christian Villeneuve [mailto:Christian.Villeneuve@xxxxxxxx]
Sent: Thursday, September 20, 2001 12:56 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: IIS - inetpub\adminscripts directory has 2 htm files




Could you clarify what you mean by a Search and destroy?

I have scanned the entire server for viruses and I have not found any.

What other methods do you propose?

Take care,



 -----Original Message-----
From:   Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent:   Thursday, September 20, 2001 12:56 PM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] Re: IIS - inetpub\adminscripts directory has 2 htm files



You've been hacked, buddy!
It's not Nimda or Code Red, but you've been hit by someone.
Time to start a "search and destroy" mission on your web servers.

Jim Harrison
MCP(2K), A+, Network+, PCG


----- Original Message -----
From: "Christian Villeneuve" <Christian.Villeneuve@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 20, 2001 09:34
Subject: [isalist] IIS - inetpub\adminscripts directory has 2 htm files




I was wondering if someone can help on this.

I found these 2 htm files in my Inetpub\adminscripts directory that
display "F*** USA Government F*** PoisonBOx, contact:
sysadmen@xxxxxxxxxxxx".

I have scanned the directory and my entire drive for viruses but none
were found.

What should these 2 htm files display and/or can I delete them?

Best regards,


Christian Villeneuve

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


