
Thread: What is cmd.exe

  1. #1

    Thread Starter
    Frenzied Member
    Join Date
    Aug 2001
    Posts
    1,075

    What is cmd.exe

    I know this is non-vb related but I'm hoping an NT user can answer this for me.

    In the past two days there have been 4775 attempts to download /winnt/system32/cmd.exe and 721 attempts to download /scripts/root.exe from my web site. The IP addresses that are trying all of this are 204.142.159.200 and 64.81.54.39, respectively. I tried logging on to them with no luck.

    Any ideas why?

    Greg
    Free VB Add-In - The Reference Librarian
    Click Here for screen shot and download link.

  2. #2
    PowerPoster eiSecure's Avatar
    Join Date
    Jul 2000
    Location
    Texas
    Posts
    2,209
    cmd.exe is basically the DOS prompt.

  3. #3
    If you're running IIS (hehe ) get the latest patches from MS and update your virus definitions and scan your computer for viruses.

  4. #4
    PowerPoster eiSecure's Avatar
    Join Date
    Jul 2000
    Location
    Texas
    Posts
    2,209

    Re: What is cmd.exe

    Originally posted by gdebacker
    I know this is non-vb related but I'm hoping an NT user can answer this for me.

    In the past two days there have been 4775 attempts to download /winnt/system32/cmd.exe and 721 attempts to download /scripts/root.exe from my web site. The IP addresses that are trying all of this are 204.142.159.200 and 64.81.54.39, respectively. I tried logging on to them with no luck.

    Any ideas why?

    Greg
    ...this is part of a hack to gain Admin access to your NT system. They use root.exe to run arbitrary commands on your server, which will change/show the admin's password or create a new admin account.

    The best way to stop this would probably be a firewall and/or setting permissions to the /scripts/root.exe folder.

  5. #5
    Addicted Member
    Join Date
    Jun 2001
    Posts
    183
    They are trying to hack your web server.

    That's bad.

  6. #6
    PowerPoster eiSecure's Avatar
    Join Date
    Jul 2000
    Location
    Texas
    Posts
    2,209
    Originally posted by RyeBread
    They are trying to hack your web server.

    That's bad.
    ...lol...since when would it be good?

  7. #7
    PowerPoster eiSecure's Avatar
    Join Date
    Jul 2000
    Location
    Texas
    Posts
    2,209
    No, renaming the exe doesn't give you root access.

  8. #8
    Addicted Member
    Join Date
    Jun 2001
    Posts
    183
    Originally posted by eiSecure
    ...lol...since when would it be good?
    When it's me!

  9. #9

    Thread Starter
    Frenzied Member
    Join Date
    Aug 2001
    Posts
    1,075
    I suspected it was a potential hack. My web server is hosted by Interland. After I posted here I called their tech support hotline and was told by the recording that they are having many complaints and all operators are busy. I sat on hold for twenty minutes and gave up.

    I'll try back later and keep an eye on my web site.

    Greg
    Free VB Add-In - The Reference Librarian
    Click Here for screen shot and download link.

  10. #10
    Hyperactive Member FUBAR's Avatar
    Join Date
    Jan 2000
    Posts
    307
    yea dude update your IIS patch or they can make their own dump file, and make your server a backup server for them, or they can take any file they want of yours, the reason they are accessing your cmd.exe is because it's a backdoor from IIS which allows them to type in commands in your dos-prompt

  11. #11

    Thread Starter
    Frenzied Member
    Join Date
    Aug 2001
    Posts
    1,075
    Originally posted by FUBAR
    yea dude update your IIS patch or they can make their own dump file, and make your server a backup server for them, or they can take any file they want of yours, the reason they are accessing your cmd.exe is because it's a backdoor from IIS which allows them to type in commands in your dos-prompt
    Thanks dude, but 6 people before you answered the question for me and I answered stating that Interland hosts the web site for me and that I had contacted them.

    Greg
    Free VB Add-In - The Reference Librarian
    Click Here for screen shot and download link.

  12. #12
    Fanatic Member BrianHawley's Avatar
    Join Date
    Aug 2001
    Location
    Saudi Arabia
    Posts
    796

    Catch them!

    If you have an IP address the hacks are coming from, you can look it up at:


    http://www.samspade.org/

    Once you know who owns the IP, write to them at abuse@domainname

    Don't be too rude as it may be an ISP, a company or university who does not know about it, or it may be a hacked system being used as a staging post by another IP or hostile software on that system.

    At all events you should COMPLAIN! Most hackers get away with it because nobody bothers to tell their ISP.
    Brian
    (Fighting with the RightToLeft bugs in VS 2005)

  13. #13

    Thread Starter
    Frenzied Member
    Join Date
    Aug 2001
    Posts
    1,075

    Re: Catch them!

    Originally posted by BrianHawley
    If you have an IP address the hacks are coming from, you can look it up at:


    http://www.samspade.org/

    Once you know who owns the IP, write to them at abuse@domainname

    Don't be too rude as it may be an ISP, a company or university who does not know about it, or it may be a hacked system being used as a staging post by another IP or hostile software on that system.

    At all events you should COMPLAIN! Most hackers get away with it because nobody bothers to tell their ISP.
    Thanks for the info. I'll keep that web site handy. I finally contacted Interland and they were aware of the problem and assured me the firewalls were in place and doing their job.

    I'm glad I check my log files every week.

    Greg
    Free VB Add-In - The Reference Librarian
    Click Here for screen shot and download link.
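
The weekly log check mentioned in the thread, as an added example that is not part of any post: a Python script that tallies requests for cmd.exe and root.exe per client IP from an IIS W3C extended log and lists any probe that did not receive a 4xx status. The sample log is constructed (documentation IP ranges, not the addresses from the thread), and the field list in its #Fields line is an assumption about how logging is configured.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample in W3C extended log format; not real traffic.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 14:02:11 192.0.2.10 GET /winnt/system32/cmd.exe - 404
2001-09-18 14:02:12 192.0.2.10 GET /winnt/system32/cmd.exe - 404
2001-09-18 14:02:13 198.51.100.7 GET /scripts/root.exe - 404
2001-09-18 14:02:15 198.51.100.7 GET /Scripts/ROOT.EXE - 200
2001-09-18 14:03:00 203.0.113.5 GET /index.html - 200
"""

PROBE_NAMES = ("cmd.exe", "root.exe")  # the two file names reported in the thread


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def probe_target(uri_stem):
    """Return the probed file name if the path ends in one, else None."""
    path = unquote(uri_stem).replace("\\", "/").lower()
    name = path.rsplit("/", 1)[-1]
    return name if name in PROBE_NAMES else None


def summarize(text):
    """Count probes per (client IP, file) and collect those not answered with 4xx."""
    counts, not_rejected = Counter(), []
    for row in parse_w3c(text):  # assumes c-ip, cs-uri-stem, sc-status are logged
        target = probe_target(row["cs-uri-stem"])
        if target is None:
            continue
        counts[(row["c-ip"], target)] += 1
        if not row["sc-status"].startswith("4"):
            not_rejected.append((row["c-ip"], row["cs-uri-stem"], row["sc-status"]))
    return counts, not_rejected


if __name__ == "__main__":
    counts, not_rejected = summarize(SAMPLE_LOG)
    for (ip, target), n in counts.most_common():
        print(f"{ip:15} {target:9} {n}")
    for ip, stem, status in not_rejected:
        print(f"FOLLOW UP: {ip} got {status} for {stem}")
```

A probe that appears in the follow-up list was served rather than refused, so that host is the one to examine first.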
