Has your machine been hit by Code Red :~/ ? If you removed it and installed the patch, you are safe from future infections. But be aware that the Code Red worm(s) leave 2 dangerous backdoors for hackers, which they can use to deface your site:
1) A copy of cmd.exe named root.exe in your inetpub\scripts directory, which hackers can use to run commands on the server as IUSR_machinename (the Internet Guest Account). This can be used to dump pages and overwrite your existing files. Delete root.exe from the scripts directory.
2) A virtual directory called 'c' in the server root which points to the c:\ drive. So even if you have deleted root.exe, someone could put it back there by using
You should delete this virtual directory in the Internet Services Manager snap-in.
I hope this helps people secure their servers ;-)

<-- "Didn't your code work? You must have made a mistake when you pasted it." - Mark Hazen -->
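As an added defender-side example (not code from the original post), the script below checks for the two leftovers the post describes: it looks for a root.exe sitting in the scripts directory, and it scans IIS W3C extended log lines for requests that only make sense if root.exe or the rogue 'c' virtual directory is in place. The log sample is constructed, and the scripts directory path is an assumption you pass in; the virtual directory itself still has to be removed in Internet Services Manager as the post says, since it lives in the IIS metabase rather than on disk.

```python
"""Checks for the Code Red leftovers described in the post: a cmd.exe copy saved
as root.exe under the scripts directory, and web requests that reach it or the
rogue 'c' virtual directory. Added example, not the poster's code."""
import os
import re
import sys

# Constructed IIS W3C extended log sample (not taken from the original post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 10:01:02 10.0.0.5 GET /default.htm - 200
2001-08-05 10:02:15 10.0.0.9 GET /scripts/root.exe /c+dir 200
2001-08-05 10:03:44 10.0.0.9 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-08-05 10:04:01 10.0.0.7 GET /images/logo.gif - 304
"""

# Request stems that point at root.exe in /scripts or at any cmd.exe reached
# through the 'c' virtual directory (case-insensitive, as IIS paths are).
SUSPECT_STEM = re.compile(r"(?i)^(/scripts/root\.exe|/c/.*cmd\.exe)$")


def parse_w3c(text):
    """Yield one dict per data line of a W3C extended log, keyed by #Fields."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        yield dict(zip(fields, raw.split()))


def find_backdoor_requests(text):
    """Return (client ip, uri stem, query) for each request hitting a backdoor path."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if SUSPECT_STEM.match(stem):
            hits.append((rec.get("c-ip", "?"), stem, rec.get("cs-uri-query", "-")))
    return hits


def find_backdoor_files(scripts_dir):
    """Return full paths of any root.exe in scripts_dir (name match is case-insensitive)."""
    found = []
    try:
        names = os.listdir(scripts_dir)
    except FileNotFoundError:
        return found  # no scripts directory at all, nothing to flag
    for name in names:
        if name.lower() == "root.exe":
            found.append(os.path.join(scripts_dir, name))
    return found


if __name__ == "__main__":
    # Usage: python check_codered.py [scripts_dir] [iis_log_file]
    scripts_dir = sys.argv[1] if len(sys.argv) > 1 else r"C:\inetpub\scripts"  # assumed default
    log_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_LOG
    for path in find_backdoor_files(scripts_dir):
        print("backdoor file present, delete it:", path)
    for ip, stem, query in find_backdoor_requests(log_text):
        print("backdoor request from %s: %s %s" % (ip, stem, query))
```

Run it against the real log directory once the file check comes back clean: a hit on the `/c/` path after root.exe is gone is exactly the case the post warns about, where the virtual directory alone is enough to let someone put the file back.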