[LUG] Code Red...

Warren Sanders sanders at MontanaLinux.Org
Fri Sep 28 09:30:35 MDT 2001

I have placed sym-links to one executable trying to help this little worm find
the bait in all prospective locations.  Still getting 404 results for most that
are "..%c1%1c../winnt/system32/cmd.exe?/c+dir" types.

I'm wondering if I should do something to the cgi-bin effect?  Should I have
placed the executable in the cgi-bin and sym-linked to it to make it run.  As it
is, if they find the files it probably just displays the unparsed code as it
does when I test it from a non infected NT4 workstation.

On Thu, 27 Sep 2001, Warren Sanders wrote:

> Date: Thu, 27 Sep 2001 16:21:53 -0600 (MDT)
> From: Warren Sanders <sanders at montanalinux.org>
> Reply-To: lug at lug.boulder.co.us
> To: Boulder Linux User's Group <lug at lug.boulder.co.us>
> Subject: Re: [LUG] Code Red...
> I have implemented this script as an executable named default.ida in my doc
> root.  Also copied it to root.exe and cmd.exe.  I noticed they are looking in
> /c/winnt/system32, /_vti_bin/, /scripts/, /_mem_bin/, /msadc/ and probably
> others.  Should I create these structures and put the files there as well; or
> will they find them anyway?

Warren Sanders

More information about the LUG mailing list