[LUG] Code Red...
sanders at MontanaLinux.Org
Fri Sep 28 09:30:35 MDT 2001
I have placed sym-links to one executable trying to help this little worm find
the bait in all prospective locations. Still getting 404 results for most that
are "..%c1%1c../winnt/system32/cmd.exe?/c+dir" types.
I'm wondering if I should do something to the cgi-bin effect? Should I have
placed the executable in the cgi-bin and sym-linked to it to make it run? As it
is, if they find the files it probably just displays the unparsed code as it
does when I test it from a non-infected NT4 workstation.
On Thu, 27 Sep 2001, Warren Sanders wrote:
> Date: Thu, 27 Sep 2001 16:21:53 -0600 (MDT)
> From: Warren Sanders <sanders at montanalinux.org>
> Reply-To: lug at lug.boulder.co.us
> To: Boulder Linux User's Group <lug at lug.boulder.co.us>
> Subject: Re: [LUG] Code Red...
> I have implemented this script as an executable named default.ida in my doc
> root. Also copied it to root.exe and cmd.exe. I noticed they are looking in
> /c/winnt/system32, /_vti_bin/, /scripts/, /_mem_bin/, /msadc/ and probably
> others. Should I create these structures and put the files there as well; or
> will they find them anyway?
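
An added example, not part of the original post or of the script it mentions: a small access-log triage that separates plain probe requests from encoded ones such as `..%c1%1c..` and shows the path segments each request actually names. It assumes Common Log Format and a server that only percent-decodes the path and splits it on `/`; the log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample lines (Common Log Format, documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Sep/2001:09:01:12 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 312
192.0.2.10 - - [28/Sep/2001:09:01:13 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 312
192.0.2.10 - - [28/Sep/2001:09:01:14 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
198.51.100.7 - - [28/Sep/2001:09:02:40 -0600] "GET /default.ida?test HTTP/1.0" 200 312
198.51.100.7 - - [28/Sep/2001:09:03:02 -0600] "GET /index.html HTTP/1.0" 200 1024
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
BAIT_NAMES = (b"default.ida", b"root.exe", b"cmd.exe")  # file names from the post


def path_segments(target):
    """Percent-decode the path (not the query) and split on literal '/'."""
    raw_path = target.split("?", 1)[0]
    return [s for s in unquote_to_bytes(raw_path).split(b"/") if s]


def classify(line):
    """Return a dict for a probe aimed at one of the bait names, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    segs = path_segments(target)
    if not segs or segs[-1].lower() not in BAIT_NAMES:
        return None
    # Under the stated assumption, a segment holding bytes outside printable
    # ASCII is looked up as ONE directory name, so a symlink placed at
    # /winnt/system32/cmd.exe is never reached by that request.
    odd = [s for s in segs if any(b < 0x20 or b > 0x7E for b in s)]
    return {"client": client, "status": int(status),
            "segments": segs, "encoded": bool(odd)}


def summarize(log_text):
    """Count probes by (encoded?, HTTP status) and return the hits too."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    return Counter((h["encoded"], h["status"]) for h in hits), hits


if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_LOG)
    for h in hits:
        kind = "encoded" if h["encoded"] else "plain"
        print(h["client"], h["status"], kind, h["segments"])
    print(dict(counts))
```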