On Tue, Sep 18, 2001 at 04:07:59PM -0700, Nick Tonkin wrote:
> 
> Heh, as Nat maybe saw the worm doesn't always request ?/c+dir, so until I
> can figure out a better way to identify it we'll have to go with
> cmd.exe|root.exe

Here's a sample Nimda hit (courtesy of 'nc -l -p 80' -- try it yourself
on a net-connected machine not already running a web server and just wait
a few seconds):

GET /scripts/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


Note the "Host: www" header.
You can trap this one by setting up a virtualhost called 'www'.

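The two signals discussed in this thread, the cmd.exe|root.exe path match and the bare "Host: www" header, combined into one request classifier. This is an added example, not code from either poster; the function names and all sample requests other than the capture quoted above are constructed for illustration.

```python
import re

# Path signature from the quoted message: the worm asks for cmd.exe or root.exe.
PROBE_PATH = re.compile(r"(?:cmd|root)\.exe", re.IGNORECASE)

def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers dict)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split()
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def classify(raw):
    """Return the list of signals that matched for one request."""
    _, target, headers = parse_request(raw)
    signals = []
    if PROBE_PATH.search(target):
        signals.append("exe-path")
    # Bare, unqualified "www" host: what a virtual host named 'www' would catch.
    if headers.get("host", "").lower() == "www":
        signals.append("host-www")
    return signals

# "capture" is the request shown in the message; the rest are constructed.
SAMPLES = {
    "capture": "GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: www\r\n"
               "Connnection: close\r\n\r\n",
    "no-dir": "GET /scripts/cmd.exe HTTP/1.0\r\nHost: www\r\n\r\n",
    "host-only": "GET /some/other/path HTTP/1.0\r\nHost: www\r\n\r\n",
    "normal": "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The "host-only" case shows why the virtual host trap is useful: it still fires when the path regex does not. On a network where the short name "www" resolves for real clients, treat "host-www" alone as a weaker signal than both together.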