Here's a thing. Doing a routine check to make sure code red didn't make it past our firewall, and patches, and stuff, I found a copy of root.exe in inetpub/scripts of one of my servers. But no other signs of CR. No explorer.exe, no regsitry settings, no virtual roots, no threads, no wierd processes. Just root.exe. And according to the oldest backup we have, which is July 17th, it was there. First I saw of code red 1 was the 19th of July. Now, this box be old, and wasn't under IT control for a while. Does anybody know of any other IIS exploits that tend to drop a root.exe into inetpub/scripts? I'm pretty sure there are some.... Shayne Lebrun Senior Systems Administrator Veredex Logistics slebrun@xxxxxxxxxxx Office: (905) 282-1515 x 242 Pager: page_shayne@xxxxxxxxxxx From a Sun Microsystems bug report (#4102680): "Workaround: don't pound on the mouse like a wild monkey." Want to hold up a bank in Latin? "Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam." (I have a catapult. Give me all the money, or I will fling an enormous rock at your head.) "Lawyers are like chemical weapons. Everybody gets screwed if they're let out."