I wonder if you could write your own cmd.exe that displays a "sea" prompt or whatever and logs what they try to do.
Running as a very unprivileged user, of course.

On Thu, 31 Jan 2002, you wrote:

> At home I dealt with it like this:
>
> from /var/www
> ...
> ddrwxr-xr-x 4 root root 1024 Dec 2 12:54 IIS_Worms
> lrwxrwxrwx 1 root root 9 Dec 2 12:51 MSADC -> IIS_Worms
> lrwxrwxrwx 1 root root 9 Dec 2 12:53 _mem_bin -> IIS_Worms
> lrwxrwxrwx 1 root root 9 Dec 2 12:54 _vti_bin -> IIS_Worms
> ...
>
> caffeine:/var/www# l IIS_Worms/
> total 1
> -rw-r--r-- 1 root root 0 Dec 2 12:51 cmd.exe
> -rw-r--r-- 1 root root 0 Dec 2 12:50 root.exe
> drwxr-xr-x 2 root root 1024 Dec 2 12:52 winnt
>
> The remote machine gets a 200 rather than a 404, which gets logged as an
> access by apache, rather than an error. Kind-of moving the symptoms rather
> than dealing to the problem
>
> The main drawback is that webaliser reports the most popular files on my
> web server are root.exe and so on... ten times more popular than
> /index.html
>
> As an aside, in the days of code red 1 I had /var/www/default.ida linked to
> /dev/zero, but it generated an unbelievable amount of traffic.
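
Added example, not part of either message: a small filter that separates hits on the decoy files named in the quoted listing from real traffic, so the probes can be logged and counted per source while the remaining lines go to the statistics tool unskewed. It assumes Apache common/combined log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Decoy file names taken from the quoted message (the set name is hypothetical).
DECOY_FILES = {"cmd.exe", "root.exe", "default.ida"}

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line):
    """Return (kind, fields); kind is 'probe', 'normal' or 'unparsed'."""
    m = LOG_RE.match(line)
    if m is None:
        return "unparsed", {}
    fields = m.groupdict()
    # Split by hand instead of using a URL parser, so odd targets never raise.
    path, _, query = fields["target"].partition("?")
    fields["file"] = path.rsplit("/", 1)[-1].lower()
    fields["query"] = query
    kind = "probe" if fields["file"] in DECOY_FILES else "normal"
    return kind, fields

def split_log(lines):
    """Separate decoy hits from real traffic and count probes per source host."""
    normal, probes, per_host = [], [], Counter()
    for line in lines:
        kind, fields = classify(line)
        if kind == "probe":
            probes.append((fields["host"], fields["file"], fields["query"]))
            per_host[fields["host"]] += 1
        else:
            normal.append(line)  # unparsed lines are kept, never dropped
    return normal, probes, per_host

# Constructed sample lines using documentation address ranges, not real log data.
SAMPLE = [
    '192.0.2.10 - - [31/Jan/2002:10:00:01 +1300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 0',
    '192.0.2.10 - - [31/Jan/2002:10:00:02 +1300] "GET /_vti_bin/cmd.exe?/c+dir HTTP/1.0" 200 0',
    '198.51.100.7 - - [31/Jan/2002:10:01:00 +1300] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.5 - - [31/Jan/2002:10:02:00 +1300] "GET /default.ida?constructed HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    normal, probes, per_host = split_log(SAMPLE)
    print(len(normal), "normal lines;", dict(per_host))
```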
