It's not a virus. You've been hacked! Someone has gained access to your system. First thing is first, unplug it from the network. Now you've got to find out how they got in and close those doors. Make sure you have the latest service packs and security updates. Greg Foulks, MCP NewFound Technologies, Inc. http://www.nfti.com Email: greg.foulks@xxxxxxxx Voice: 614.318.5036 Fax: 614.318.5005 -----Original Message----- From: Christian Villeneuve [mailto:Christian.Villeneuve@xxxxxxxx] Sent: Thursday, September 20, 2001 12:56 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: IIS - inetpub\adminscripts directory has 2 htm files http://www.ISAserver.org Could you clarify what you mean by a Search and destroy? I have scanned the entire server for viruses and I have not found any. What other methods do you propose? Take care, -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Thursday, September 20, 2001 12:56 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: IIS - inetpub\adminscripts directory has 2 htm files http://www.ISAserver.org You've been hacked, buddy! It's not Nimda or Code Red, but you've been hit by someone. Time to start a "search and destroy" misson on your web servers. Jim Harrison MCP(2K), A+, Network+, PCG ----- Original Message ----- From: "Christian Villeneuve" <Christian.Villeneuve@xxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Thursday, September 20, 2001 09:34 Subject: [isalist] IIS - inetpub\adminscripts directory has 2 htm files http://www.ISAserver.org I was wondering if someone can help on this. I found these 2 htm files in my Inetpub\adminscripts directory that displays "F*** USA Government F*** PoisonBOx, contact: sysadmen@xxxxxxxxxxxx <mailto:sysadmen@xxxxxxxxxxxx> ". I have scanned the directory and my entire drive for viruses but none were found. What should these 2 htm files display and/or can I delete them? Best regards, Christian Villeneuve ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: Christian.Villeneuve@xxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: greg.foulks@xxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')