Did the ISC photo gallery get hacked or just me?
Stevem
06-20-2006, 02:02 PM
I just tried to click on the photo gallery navigation button and when I did it came up with hacked by redworm! Is anyone else getting this?
philpraxis
06-20-2006, 07:01 PM
Yes! You're hallucinating! There's no black background, pix of a girl (dream of a hacker who spends most nights in front of his computer) or pro-turkish-hacker messages on this page...
ahem...
hehehe...
yes, there is!
I sent a mail to forum admin telling him, I didn't want to add this to the forum but hey... you did! ;-)
Hope this is not too bad.
Phil.
Landseer
06-20-2006, 09:31 PM
At least two variants of the Code Redworm exist: the original, which advertises its presence by defacing web sites, and a variant that does not deface web sites. Both variants follow the same pattern of rapid propagation. According to Maiffret and Permeh, a single host can infect up to a half million IIS web sites per day.
When Code Red infects a vulnerable IIS site, the worm opens up 100 threads. Ninety-nine of the threads are used for nineteen days of scanning and infecting other IIS web sites. On the twentieth day of the month, each of the 99 threads launches a denial of service (DoS) attack against a White House web server at 198.137.240.91. The 100th thread has a limited purpose. If the code page for the operating system indicates that it uses the English language, then the thread is used to deface html output from the web server for 10 hours. The original web pages are unmodified. The defacing occurs in memory. After that time period, the thread goes dormant.
The worm has a check for a file called "c:\notworm". If this file is present, then the worm does not infect the system. Maiffret and Ryan compared this behavior to the "Lysine deficiency" mentioned in Jurassic Park. In the novel by Michael Crichton, the lack of this enzyme elsewhere kept the dinosaurs from spreading off their island sanctuary.
The Code Red worm is a harbinger of more complex worms that exist entirely in memory. Their detection will have to be handled largely by intrusion detection systems and host-based defenses like personal firewalls such as SecureIIS and BlackICE Defender for servers, and through on-access anti-virus monitors.
The initial reaction by IIS administrators to the Code Red worm did worry Maifrett.
"I am not surprised that IIS administrators handled installed the patch," Maifrett said. "I was surprised though at the very large percentage that did not install the patch. I hope that CodeRed has worked as a wakeup call - however I doubt it - to let administrators know that patching systems is very important. Code Red could have been written to do much worse things, like truly bringing down large parts of the Internet."
RuBert
06-21-2006, 02:43 AM
Thanks for the info on this - I'm in Cincinnati for the conference just now and so can only do a quick fix, but I appreciate you letting me know.
I've scanned the server and not found any infected file - but obviously they found a way to change that php gallery home page without normal permissions.
Everything else seems fine with no unusual threads, so I think it was the gallery front page only at this point.
Russ
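Landseer's description above makes one point a defender should act on: Code Red defaced the HTML output in memory while the files on disk stayed unmodified, and RuBert's file scan of this server likewise found nothing even though visitors were seeing a defaced gallery page. The check that catches this has to look at what the web server actually serves, not only at the file system. The following script is an added example written for this thread, not code from the forum, the ISC site or any worm analysis; the sample HTML, the baseline digest and the list of defacement markers are all constructed for illustration.

```python
import hashlib
import re

# Constructed known-good copy of the gallery front page (stand-in for a real baseline).
BASELINE_HTML = (
    "<html><head><title>ISC Photo Gallery</title></head>"
    "<body><h1>Gallery</h1></body></html>"
)

# Constructed list of strings that often appear in defaced output; extend for real use.
DEFACEMENT_MARKERS = [r"hacked\s+by", r"owned\s+by", r"defaced\s+by"]


def sha256_hex(data: str) -> str:
    """Digest of a page body; the baseline digest would normally be stored out of band."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def find_markers(html: str) -> list:
    """Return the defacement marker patterns that match the served HTML."""
    return [m for m in DEFACEMENT_MARKERS if re.search(m, html, re.IGNORECASE)]


def classify(served_html: str, disk_html: str, baseline_digest: str) -> str:
    """Compare the served response and the on-disk file against the known-good digest.

    The interesting case is 'served differs, disk unchanged': that is exactly the
    in-memory defacement pattern described for Code Red, and it is invisible to a
    scan that only reads files.
    """
    served_ok = sha256_hex(served_html) == baseline_digest
    disk_ok = sha256_hex(disk_html) == baseline_digest
    if served_ok and disk_ok:
        return "clean"
    if not disk_ok:
        return "file modified on disk"
    return "served output differs from unchanged file: in-memory or in-path tampering"


def check_served_page(served_html: str, disk_html: str, baseline_digest: str) -> dict:
    """Combine the digest comparison with a marker scan into one alert record."""
    verdict = classify(served_html, disk_html, baseline_digest)
    markers = find_markers(served_html)
    return {
        "verdict": verdict,
        "defacement_markers": markers,
        "alert": verdict != "clean" or bool(markers),
    }


def main():
    baseline = sha256_hex(BASELINE_HTML)
    # Constructed defaced response: what a visitor would see while the file is untouched.
    defaced = "<html><body style='background:black'>Hacked by redworm!</body></html>"
    for label, served in (("clean", BASELINE_HTML), ("defaced", defaced)):
        print(label, check_served_page(served, BASELINE_HTML, baseline))


if __name__ == "__main__":
    main()
```

In practice the served copy comes from an HTTP fetch against the live site and the disk copy from the document root; scheduling this comparison from a separate host, rather than trusting a scan run on the compromised server itself, is what turns it into a usable detection.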