Matt Sergeant wrote:
> > -----Original Message-----
> > From: Nick Tonkin [mailto:[EMAIL PROTECTED]]
> >
> > Sorry for the off-topic post; there was a lot of discussion here of
> > CodeRed and Reuven's module to report attempted attacks.
> >
> > Since this a.m. I have had hundreds of requests like:
> >
> > /scripts/root.exe?/c+dir
> > /MSADC/root.exe?/c+dir
> > /c/winnt/system32/cmd.exe?/c+dir
> > /d/winnt/system32/cmd.exe?/c+dir
> > /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
> > /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
> > /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
> >
<...>
>
> This one's gonna grind the net to a halt pretty quick. I hate to think
what
> this will mean for people running web servers at home over DSL (including
me
> soon).
>
Any suggestions on how we should respond? Update Apache::CodeRed to
recognise the new signature, and send an appropriate message to postmaster
and webmaster with an updated URL to point to?
Assuming this is the right approach, is there an 'official' page about this
virus to point to in the message sent to infected hosts? And should
SecurityFocus be notified?
Reuven--are you planning on submitting an updated version to CPAN for this
worm? With the same name?
Thanks for any suggestions,
Jeremy
