On Sun, 07 Oct 2001, John Trickey wrote:
Actually this is an attempt to use the backdoor which is installed by CodeRed II. It copies the cmd.exe to the scripts directory as root.exe and, if the backdoor is active, allows
snip
I think the part of deleting of such messages is missing, but no problem to insert.
I think you are missing the point here. We were discussing the first phase of the nimda worm which is to infect an unpatched IIS web server. If you want to know more read http://www.incidents.org/react/nimda.pdf but it's a bit verbose. BTW, if you do quote me, make sure it's my words you quote not someone else's as you did above. I can excuse you as it seems my stupid mailer managed to quote paragraphs instead of lines - oh free me from M$ ;-/

John