> -----Original Message-----
> From: Nick Tonkin [mailto:[EMAIL PROTECTED]]
>
> Sorry for the off-topic post; there was a lot of discussion here of
> CodeRed and Reuven's module to report attempted attacks.
>
> Since this a.m. I have had hundreds of requests like:
>
> /scripts/root.exe?/c+dir
> /MSADC/root.exe?/c+dir
> /c/winnt/system32/cmd.exe?/c+dir
> /d/winnt/system32/cmd.exe?/c+dir
> /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
> /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
> /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
>
> etc.
>
> They seem to come in batches of a dozen or more with slight variations in
> the URI requested. I am thinking about adding support to CodeRed.pm (which
> should probably be renamed if so) to report these attacks via e-mail in
> the same way it does for CodeRed. Any interest in that? Or any info on
> these bogus requests?

Lots of talk on Slashdot about this at the moment. Basically it's like Code
Red on steroids. It started spreading at about 9am GMT (we'll have a
bulletin out about it soon, keep checking http://www.messagelabs.com), and
has *already* reached critical mass. Our heuristical virus scanner stopped
spreading via email for all our customers, but we don't protect against
worms. The reason this is spreading via email too is that it modifies all
the files on your web server to add in a JavaScript popup attachment
containing "readme.eml", which Outlook dutifully opens and executes the
contents, spreading the worm even for people who don't run IIS (unless they
have our email virus protection service :-)

This one's gonna grind the net to a halt pretty quick. I hate to think what
this will mean for people running web servers at home over DSL (including me
soon).

Matt.
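
The batches described in the quoted message can be picked out of a web server access log by grouping flagged requests per client address. The following is an added example, not part of either message and not code from CodeRed.pm; the log lines, addresses, the threshold of 3 and the names `classify` and `scan` are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache common log format; addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2001:09:00:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [01/Jan/2001:09:00:01 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285
192.0.2.10 - - [01/Jan/2001:09:00:02 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
192.0.2.10 - - [01/Jan/2001:09:00:02 +0000] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316
198.51.100.7 - - [01/Jan/2001:09:00:03 +0000] "GET /index.html HTTP/1.0" 200 5120
203.0.113.5 - - [01/Jan/2001:09:00:04 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}')
PROBE_FILES = {"cmd.exe", "root.exe"}  # executables named in the requests above

def classify(uri):
    """Return why a request URI matches the probes quoted above, or None."""
    # Decode the path once and treat '\' (sent as %5c) as a path separator.
    path = unquote(uri.split("?", 1)[0]).replace("\\", "/").lower()
    segments = [s for s in path.split("/") if s]
    if ".." in segments:
        return "traversal"
    if segments and segments[-1] in PROBE_FILES:
        return "shell-probe"
    return None

def scan(log_text, threshold=3):
    """Map client address -> flagged requests, keeping clients at or above threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        client, uri = m.groups()
        reason = classify(uri)
        if reason:
            hits[client].append((reason, uri))
    return {c: h for c, h in hits.items() if len(h) >= threshold}

if __name__ == "__main__":
    for client, found in scan(SAMPLE_LOG).items():
        print(client, len(found), "flagged requests")
        for reason, uri in found:
            print("   ", reason, uri)
```
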