
Re: code red goes on



on Fri, Aug 03, 2001 at 02:54:01PM +0000, John Griffiths (john@capmon.com) wrote:
> if you grep your http access log for "default.ida" (good sign of a
> code red attempt on an apache box)
> 
> you'll see that code red has infected as many new machines in the last
> two days as it did on 20 July

Hmmm:

    grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}' 

...gives a hostlist.  Anyone know of a central repository who might be
collecting same and sending LARTs to the appropriate sysops?  Or is that
a complete !@#$%^&*() waste of time?  Any way to test an IP to see if
it's been compromised?

...or a good way to grab the relevant data and mail your own report?

I'm running 'host' against a bunch of IPs (I've got about 40), turning
up a bunch of '<ip> does not exist' responses.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
  What part of "Gestalt" don't you understand?          There is no K5 cabal
    http://gestalt-system.sourceforge.net/           http://www.kuro5hin.org
Free Dmitry!! Boycott Adobe!! Repeal the DMCA!!  http://www.freesklyarov.org
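
Added example, not part of the original message: a shell/awk sketch that extends the grep above into a per-host summary (hit count, first and last probe time) and a count of newly seen probing hosts per day, the figure the quoted message refers to. It assumes Apache common log format read in chronological order; the log lines and addresses in `sample_log` are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample log (documentation address ranges), Apache common log format.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [01/Aug/2001:10:02:11 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 276
192.0.2.10 - - [01/Aug/2001:10:05:42 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 276
198.51.100.7 - - [01/Aug/2001:11:15:00 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.23 - - [02/Aug/2001:03:20:09 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 276
203.0.113.5 - - [02/Aug/2001:04:44:51 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 276
192.0.2.10 - - [02/Aug/2001:09:00:00 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 276
EOF
}

# Reads an access log on stdin. Prints one line per probing client:
#   <address> <hits> <first-seen> <last-seen>
# Matching on the request path (field 7) avoids false hits from a referer
# or user-agent string that merely contains "default.ida".
codered_hosts() {
    awk '$7 ~ /^\/default\.ida/ {
        ts = substr($4, 2)                      # drop the leading "["
        if (!($1 in hits)) { first[$1] = ts; order[++n] = $1 }
        hits[$1]++
        last[$1] = ts
    }
    END {
        for (i = 1; i <= n; i++) {
            h = order[i]
            printf "%s %d %s %s\n", h, hits[h], first[h], last[h]
        }
    }'
}

# Reads an access log on stdin. Prints "<day> <count>", where count is the
# number of clients whose first probe arrived on that day.
codered_new_per_day() {
    codered_hosts | awk '{
        day = substr($3, 1, 11)                 # dd/Mon/yyyy
        if (!(day in c)) d[++n] = day
        c[day]++
    }
    END { for (i = 1; i <= n; i++) print d[i], c[d[i]] }'
}

# Stand-alone use: pass the log path as the first argument.
if [ -f "${1:-}" ]; then
    codered_hosts < "$1"
fi
```

The first-seen and last-seen timestamps are what an abuse contact needs to match a report against their own records.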
