On Wed, 2003-11-12 at 23:35, Bryan Murdock wrote:
> I'm running apache on my linux box at home (comcast cable connection)
> and my access_log is full of lines like this:
>
> 12.231.0.23 - - [12/Nov/2003:19:40:39 -0800] "GET /MSADC/root.exe?/c+dir
> HTTP/1.0" 404 358 "-" "-"
> 12.231.0.23 - - [12/Nov/2003:19:40:54 -0800] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 372 "-"
> "-"
>
> A quick search on google tells me this is either nimda or code red
> trying to exploit IIS, and that I should notify the ISP that owns the
> address where these are coming from. Sounds like a good idea to me, but
> I'm not seeing anything on the comcast webpage (do a whois on the
> address and it's for sure a comcast one) where I can call or email this
> sort of thing in. Anybody here done that before? Is it worth the
> trouble?

A slightly longer google search will reveal how one guy wrote scripts to
call back the abuser and exploit the vulnerabilities on their machine to
shut them down and leave them a message about how to fix it all
automagically and in real-time.

____________________
BYU Unix Users Group
http://uug.byu.edu/
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
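
Added example, not part of the original thread or written by either poster: a small Python pass over an Apache access log that flags the IIS-style probes quoted above and counts them per source address, which is the evidence an ISP abuse report would cite. The function names are hypothetical, the two quoted log lines are re-joined onto single lines, and the 192.0.2.10 entry is constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: the two requests quoted in the post, re-joined onto
# single lines, plus one benign request from a made-up documentation address.
SAMPLE_LOG = r'''12.231.0.23 - - [12/Nov/2003:19:40:39 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
12.231.0.23 - - [12/Nov/2003:19:40:54 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 372 "-" "-"
192.0.2.10 - - [12/Nov/2003:19:41:02 -0800] "GET /index.html HTTP/1.0" 200 1043 "-" "-"
'''

# Client address, timestamp, method, URL and status from a common/combined log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Requests for cmd.exe or root.exe as the final path component.
PROBE_RE = re.compile(r'(?:^|[\\/])(?:cmd|root)\.exe(?:\?|$)', re.IGNORECASE)

def fully_decode(url, max_rounds=5):
    """Percent-decode repeatedly so double-encoded bytes (%%35%63 -> %5c -> \\) surface."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def find_probes(log_text):
    """Return (ip, timestamp, status, raw_url, traversal) for each IIS-style probe."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log line in the expected format
        ip, ts, _method, url, status = m.groups()
        decoded = fully_decode(url)
        if PROBE_RE.search(decoded):
            traversal = '../' in decoded or '..\\' in decoded
            hits.append((ip, ts, int(status), url, traversal))
    return hits

def summarize(hits):
    """Count probes per source address, the figure an abuse report would cite."""
    return Counter(ip for ip, *_ in hits)

if __name__ == '__main__':
    for ip, ts, status, url, traversal in find_probes(SAMPLE_LOG):
        print(f'{ip} [{ts}] {status} {url} traversal={traversal}')
    print(dict(summarize(find_probes(SAMPLE_LOG))))
```

The 404 and 400 status codes in the hits show the requests failed on this Apache server; only the source address and timestamps are useful to the ISP.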
