> Note that this *only* catches machines which have been infected with
> CodeRed2, which leaves a leftover /scripts/root.exe to play with.
> If someone wants to tell me how to do this with some of the other
> vulnerabilities that Nimda tries to use, I'd be grateful. :)
>
This is an interesting approach; I might try it as well ;-) So far I
have denied access to all .exe and .ida files on our most affected
machines; this at least reduces the impact on the file system (looking
up a non-existent file) because it gets blocked before that stage (at
least I hope so).
Nimda is looking for scripts\cmd.exe according to our logs.
Do you have some proof that your method actually works? (Tried
www.it.ca/default.ida which just gave a 404.)
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
ClubWin - Help for Windows Users: http://www.clubwin.com
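
One way to see what the probes mentioned in this thread (/scripts/root.exe, scripts\cmd.exe, .ida) look like in a server's own access log, and whether any of them were actually served. This is an added example, not part of the original messages; it assumes Common Log Format, and the sample log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')

def classify(path):
    """Return the probe label for a request path, or None if it is not one."""
    # Decode %xx and treat "\" like "/", so scripts\cmd.exe and
    # /scripts/cmd.exe compare equal; ignore the query string and case.
    p = unquote(path).replace("\\", "/").split("?", 1)[0].lower()
    if p.endswith("/root.exe"):
        return "root.exe"   # leftover described in the quoted message
    if p.endswith("/cmd.exe"):
        return "cmd.exe"    # what the reply sees Nimda asking for
    if p.endswith(".ida"):
        return ".ida"
    return None

def summarise(lines):
    """Count probes per source host and list probes answered with 2xx."""
    counts = defaultdict(lambda: defaultdict(int))
    served = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        host, path, status = m.group(1), m.group(2), int(m.group(3))
        label = classify(path)
        if label is None:
            continue
        counts[host][label] += 1
        if 200 <= status < 300:   # not blocked: the file exists here
            served.append((host, path, status))
    return {h: dict(c) for h, c in counts.items()}, served

# Constructed sample log (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Sep/2001:10:00:01 +0200] "GET /scripts/root.exe HTTP/1.0" 403 312
192.0.2.10 - - [20/Sep/2001:10:00:02 +0200] "GET /scripts\\cmd.exe HTTP/1.0" 403 312
198.51.100.7 - - [20/Sep/2001:10:01:15 +0200] "GET /default.ida HTTP/1.0" 404 290
198.51.100.7 - - [20/Sep/2001:10:01:16 +0200] "GET /scripts/root.exe HTTP/1.0" 200 1024
203.0.113.5 - - [20/Sep/2001:10:02:00 +0200] "GET /index.html HTTP/1.0" 200 5120
""".splitlines()

if __name__ == "__main__":
    per_host, served = summarise(SAMPLE_LOG)
    print(per_host)
    print("served (needs attention):", served)
```

A 403 on these paths is what the deny rule described above should produce; a 2xx means the request was not blocked and the file is present on the server.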