You're tellin' me, I've now had word come down that we need to do a full
audit of our Apache and *nix installations to make sure that they're okay.
Never mind the fact that the only problems we have so far are people opening
up files called "readme.exe" in their e-mail.
*slapsforeheadinfrustration*

There are no stupid questions, but there are a lot of inquisitive idiots.
------------
Brian Nilsen
[EMAIL PROTECTED]

On Tue, 18 Sep 2001, Adi Fairbank wrote:

> I wish someone would just write a worm that would put these IIS machines out
> of their misery and stop causing the rest of us such a headache.
> 
> Nick Tonkin wrote:
> > 
> > Sorry for the off-topic post; there was a lot of discussion here of
> > CodeRed and Reuven's module to report attempted attacks.
> > 
> > Since this a.m. I have had hundreds of requests like:
> > 
> > /scripts/root.exe?/c+dir
> > /MSADC/root.exe?/c+dir
> > /c/winnt/system32/cmd.exe?/c+dir
> > /d/winnt/system32/cmd.exe?/c+dir
> > /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
> > /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
> > /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
> > 
> > etc.
> > 
> > They seem to come in batches of a dozen or more with slight variations in
> > the URI requested. I am thinking about adding support to CodeRed.pm (which
> > should probably be renamed if so) to report these attacks via e-mail in
> > the same way it does for CodeRed. Any interest in that? Or any info on
> > these bogus requests?
> > 
> > ~~~~~~~~~~~
> > Nick Tonkin
> 
> 

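Added example, not part of the thread and not code from CodeRed.pm: a small log scanner that flags the request pattern Nick quotes (a `cmd.exe` or `root.exe` target, optionally reached through `..%5c` traversal) and groups the hits per client to surface the batches he describes. The Apache common log format, the function names, the `min_hits` threshold and the sample lines are assumptions; handling of double-encoded `%255c` goes slightly beyond the URIs listed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines (documentation-range IPs); the probe URIs are those quoted in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:09:14:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [18/Sep/2001:09:14:01 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
192.0.2.10 - - [18/Sep/2001:09:14:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
192.0.2.10 - - [18/Sep/2001:09:14:02 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
192.0.2.10 - - [18/Sep/2001:09:14:03 -0400] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
198.51.100.7 - - [18/Sep/2001:09:15:10 -0400] "GET /docs/cmd.exe.html HTTP/1.0" 200 5120
198.51.100.7 - - [18/Sep/2001:09:15:12 -0400] "GET /index.html HTTP/1.0" 200 1043
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*"')
# Windows shell binaries requested as the final path segment.
TARGET_RE = re.compile(r'/(?:cmd|root)\.exe$', re.IGNORECASE)

def classify(uri):
    """Return 'traversal', 'shell-probe' or None for one request URI."""
    path = uri.split('?', 1)[0]
    # Decode twice so %5c and a double-encoded %255c both become a backslash,
    # then treat the backslash as a path separator, as a Windows server would.
    norm = unquote(unquote(path)).replace('\\', '/')
    if not TARGET_RE.search(norm):
        return None
    return 'traversal' if '/../' in norm else 'shell-probe'

def find_batches(log_text, min_hits=3):
    """Group matching requests by client; keep clients with >= min_hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (kind := classify(m.group(2))):
            hits[m.group(1)].append((kind, m.group(2)))
    return {ip: reqs for ip, reqs in hits.items() if len(reqs) >= min_hits}

if __name__ == "__main__":
    for ip, reqs in find_batches(SAMPLE_LOG).items():
        print(ip, len(reqs), sorted({k for k, _ in reqs}))
```

Matching on the normalized path rather than the raw string is what keeps `/docs/cmd.exe.html` out of the report while still catching the encoded-backslash variants.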