If this is an IIS server and was previously infected with CodeRed, it can still be hacked into even if the patches are current. Look for root.exe in the inetpub\scripts directory.
Symantec's site has removal instructions if that's your problem.
>>> [log in to unmask] 11/01/01 03:11PM >>>
Very frustrating. bard.cal.msu.edu is my box. It was hit by Nimda in September.
It was formatted and reloaded from a Sept. 8 backup, fully patched according to
Microsoft downloads, and yet it has been exploited again. I am obviously missing
something but I don't know what. I had noticed unusual activity and had the box
off the wire before Gene's email went out. I was probed by 220.127.116.11 and
18.104.22.168 but my log shows 404s so I don't know how the heck they got in.
Any help in buttoning this up would be much appreciated.
Arts and Letters
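
An added example, not part of either message: a Python check that complements the on-disk look for root.exe by scanning an IIS W3C extended log for requests to that file and separating 404 answers from anything else. The function name, field selection and sample log lines are assumptions constructed for illustration.

```python
# Constructed sample data in W3C extended log format (not from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-11-01 14:02:11 192.0.2.10 GET /scripts/root.exe 404
2001-11-01 14:02:12 192.0.2.10 GET /default.htm 200
2001-11-01 14:05:40 198.51.100.7 GET /Scripts/Root.exe 200
2001-11-01 14:05:41 198.51.100.7 GET
""".splitlines()


def root_exe_hits(lines, target="root.exe"):
    """Return every logged request whose URI stem ends in `target`.

    Column positions are taken from the #Fields directive, so the check
    still works when the site logs a different set of fields.
    """
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for later rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                            # truncated or malformed entry
        rec = dict(zip(fields, parts))
        stem = rec.get("cs-uri-stem", "")
        # IIS paths are case-insensitive, so compare the file name lowercased.
        if stem.lower().rsplit("/", 1)[-1] != target:
            continue
        status = rec.get("sc-status", "")
        hits.append({
            "ip": rec.get("c-ip"),
            "uri": stem,
            "status": status,
            # 404 means nothing was at that URL; any other status means the
            # scripts directory on disk should be inspected for the file.
            "not_404": status != "404",
        })
    return hits


if __name__ == "__main__":
    for hit in root_exe_hits(SAMPLE_LOG):
        flag = "CHECK DISK" if hit["not_404"] else "not found"
        print(f'{hit["ip"]:15} {hit["status"]} {hit["uri"]}  [{flag}]')
```
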