> I think the patch isn't enough if you have command shells lying around
> in places where they can be reached via a URL into your document root.
Since I used IIS for local ASP testing only, I have simply de-installed it
for now.
> I'm not sure how you find them all. They won't always be called
> cmd.exe - CodeRed left something called root.exe (I think).
I checked all cmd.exes around, they are all the same. I scanned _all_ exes
trying to find any similar to cmd.exe (by matching some of its internals).
Nothing similar. All I have are original cmd.exes. No root.exes around.
If _it_ is there then where is it?
Could it be so that outside NIMDA was trying to get a bad admin.dll down to
me by somehow running my cmd.exe/tftp.exe, but never succeeded?
How did it do it?
Why did it not succeed?
What is the purpose of this request logged by my IIS?
02:25:11 203.173.177.17 GET /scripts/..%2f../Admin.dll 500
I got this entry all over my IIS log files for the last 2 weeks.
Is this to check if the infected admin.dll finally got to my PC?
Regards
Alex
---------------------------------------------------------------------------
New Zealand Delphi Users group - Offtopic List - [EMAIL PROTECTED]
Website: http://www.delphi.org.nz
Web Archive at: http://www.mail-archive.com/offtopic%40delphi.org.nz/
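One way to triage IIS log entries like the one quoted in the message, as an added example that is not part of the original post. The log layout (time, client IP, method, URI, status) is assumed from that single quoted line, every sample line after the first is constructed, and the function names and the watched-name list (taken from the file names mentioned in the thread) are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample in the layout of the quoted entry: time, client IP, method, URI, status.
# Only the first line comes from the message; the others are made up for illustration.
SAMPLE_LOG = """\
02:25:11 203.173.177.17 GET /scripts/..%2f../Admin.dll 500
02:25:14 192.0.2.10 GET /scripts/..%252f../winnt/system32/cmd.exe 404
02:26:02 192.0.2.10 GET /scripts/root.exe 200
02:27:40 198.51.100.7 GET /default.asp 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# File names mentioned in the thread as worth watching for (assumed list).
WATCHED = {"admin.dll", "cmd.exe", "root.exe"}

def fully_decode(uri, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252f) is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def triage(line):
    """Return a finding dict for a suspicious request line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when, client, _method, uri, status = m.groups()
    path = fully_decode(uri.split("?", 1)[0]).replace("\\", "/")
    segments = [s for s in path.split("/") if s]
    traversal = ".." in segments          # path tries to climb out of its directory
    target = segments[-1].lower() if segments else ""
    if not traversal and target not in WATCHED:
        return None
    # 2xx: the server answered the request and the file needs investigating;
    # any other status: the request was refused or failed.
    outcome = "served" if status.startswith("2") else "failed"
    return {"time": when, "client": client, "path": path, "traversal": traversal,
            "target": target, "status": int(status), "outcome": outcome}

def scan(text):
    """Triage every line of a log excerpt and keep only the findings."""
    return [f for f in map(triage, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Entries reported with outcome "served" are the ones to follow up on the host itself; the quoted Admin.dll entry comes out as a failed traversal attempt because of its 500 status.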