Since (1) Microso~1 has probably got themselves all patched up, and
(2) the folks who the CodeRed Worm is coming from obviously don't, and
(3) someone mentioned this on Advogato and I liked the idea, I changed
our 404 handler to a play on the 'Where do you want to go today'
slogan, informing the IIS administrator that they are infected (if
they check their logs)...
<?
if (eregi("default.ida", $REQUEST_URI)) {
header("Location:
http://$REMOTE_ADDR/YOU_HAVE_THE_CODE_RED_WORM___MORON____WHY_DIDNT_YOU_PATCH_YOUR_IIS_TODAY???.HTM";);
}
?>
Of course, if the URL doesn't have the string 'default.ida', you still
get the HTML simulated blue screen. :)
-Rob
