Could this be a Win2k server with an open Terminal Service session?

You can look through the IIS logs for successful (200) hits to root or cmd.

-----Original Message-----
From: Jay Woody [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 2:40 PM
To: NT System Admin Issues
Subject: Is there any way to know for sure? More Nimda stuff.


Maybe I am being paranoid.  I have a server that the eeye scanner says is
not vulnerable, I don't see any .eml files on it and when I scan for files
changed since the 18th, there are no .exes.  However, when I look at the
task list, it shows 2 CMD.EXEs open.  I have one open but not two.  Am I
being weird here?  The second CMD.EXE unnerves me, but I can't find any
other sign of infection.  Is there any one, "sure-fire" way to KNOW that the
box has been hit?  Is there one registry entry or file or something that the
virus ALWAYS does so I can see if the box is hit?

I am thinking about re-building it, just in case, but if I can leave it up,
I would obviously prefer that.  Any ideas?

JayW


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
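
The log check suggested in the reply above, as an added example that is not part of the original thread. It assumes IIS is writing W3C extended logs with the `cs-uri-stem` and `sc-status` fields enabled, and it takes "root or cmd" to mean requests for root.exe or cmd.exe; the sample log lines are constructed.

```python
import re

# Constructed sample in IIS W3C extended format (not from the original thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 14:02:11 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:12 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:05:40 198.51.100.7 GET /default.htm - 200
2001-09-19 03:17:02 203.0.113.5 GET /MSADC/Root.exe /c+dir 200
"""

# Assumption: "root or cmd" in the reply means the files root.exe and cmd.exe.
# The name must be the last path component, after /, \ or an encoded separator.
TARGET = re.compile(r"(?:^|[/\\]|%5c|%2f)(?:root|cmd)\.exe$", re.IGNORECASE)

def successful_shell_hits(lines):
    """Return (date, time, client_ip, uri_stem) for 200 responses to root.exe/cmd.exe."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The column layout can change mid-file when logging is reconfigured.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            # Skip other directives, and data rows seen before any #Fields line.
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if row.get("sc-status") == "200" and TARGET.search(stem):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"), stem))
    return hits

if __name__ == "__main__":
    for hit in successful_shell_hits(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Pass an open log file in place of the sample lines to run it against real logs; the 404 row is skipped because only successful requests are reported.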
