Re: code red goes on

On Thu, Aug 02, 2001 at 10:08:56PM -0700, Karsten M. Self wrote:
> on Fri, Aug 03, 2001 at 02:54:01PM +0000, John Griffiths (john@capmon.com) wrote:
> > if you grep your http access log for "default.ida" (good sign of a
> > code red attempt on an apache box)
> > 
> > you'll see that code red has infected as many new machines in the last
> > two days as it did on 20 July
> Hmmm:
>     grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}' 
> ...gives a hostlist.  Anyone know of a central repository who might be
> collecting same and sending LARTs to the appropriate sysops?  Or is that
> a complete !@#$%^&*() waste of time?  Any way to test an IP to see if
> it's been compromised?

From what little I have read about it the site in question is defaced
if it is a page containing English.  I'm sure someone who has paid more
attention could list exactly what it does.  Out of 38 sites I checked I
only saw one that had been defaced.  Close to about half the sites I
visited were non-English sites.  I checked them with -

$ for i in $(grep default /var/log/apache/access.log | awk '{print $1}');do
> lynx $i
> sleep 5  # in order to catch the ip
> done

I don't know if that is along the lines you were thinking but...
Many of the sites were "under construction."

From seeing and seeing the seeing has become so exhausted
     First line of "The Panther" - R. M. Rilke
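The grep/awk host list and the "new machines per day" comparison in the thread, as an added example that is not code from the original mail or from anyone on the list: a Python script that parses Apache common/combined log lines, tallies default.ida probes per source address, and counts hosts seen probing for the first time on each day. The sample log lines are constructed (private and documentation addresses, payload truncated); labelling an N-run query as Code Red I and an X-run as Code Red II is the conventional reading and is an assumption here, not something the thread states.

```python
"""Pull Code Red probe sources out of an Apache access log.

Added example, not code from the original thread. Parses Apache common/
combined log lines, keeps only requests for /default.ida (the IIS .ida
ISAPI path the worm hits; Apache answers 404 but logs the attempt), and
tallies them per source address. The first character of the query string
(a run of N or X) labels the variant; treating N as Code Red I and X as
Code Red II is the conventional reading and an assumption here.
"""
import re
from collections import Counter, defaultdict

# Common Log Format prefix shared by "common" and "combined":
# host ident authuser [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# /default.ida with an optional query; capture the query's first byte.
# IIS paths are case-insensitive, so match the path that way too.
IDA_RE = re.compile(r'/default\.ida(?:\?(?P<marker>[^%&\s])?)?', re.IGNORECASE)
VARIANTS = {'N': 'CodeRed-I', 'X': 'CodeRed-II'}   # assumption, see header


def parse_line(line):
    """Return the fields of a well-formed access-log line as a dict, else None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Variant label for a default.ida probe, or None if the path is not one."""
    m = IDA_RE.search(path)
    if not m:
        return None
    marker = (m.group('marker') or '').upper()
    return VARIANTS.get(marker, 'unknown-variant')


def tally(lines):
    """{source host: Counter({variant: hits})} over all default.ida probes."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # not an access-log record; skip, don't crash
        variant = classify(rec['path'])
        if variant is not None:
            hits[rec['host']][variant] += 1
    return dict(hits)


def host_list(lines):
    """Sorted unique probing hosts: what grep default.ida | awk '{print $1}' | sort -u gives."""
    return sorted(tally(lines))


def new_hosts_per_day(lines):
    """Hosts seen probing for the first time on each day (the 'new infections
    per day' figure the thread compares). Assumes the log is in time order,
    as Apache writes it."""
    first_seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or classify(rec['path']) is None:
            continue
        # '03/Aug/2001:14:54:01 +0000' -> '03/Aug/2001'
        first_seen.setdefault(rec['host'], rec['time'].split(':', 1)[0])
    return Counter(first_seen.values())


# Constructed sample log: private / RFC 5737 addresses, the worm's query
# string shortened and its %u-encoded payload truncated to a few bytes.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Aug/2001:14:54:01 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3=a HTTP/1.0" 404 288
192.0.2.77 - - [03/Aug/2001:15:02:10 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3=a HTTP/1.0" 404 288
198.51.100.9 - - [03/Aug/2001:15:03:44 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [03/Aug/2001:16:11:20 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3=a HTTP/1.0" 404 288
198.51.100.9 - - [03/Aug/2001:16:30:00 +0000] "GET /Default.IDA?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3=a HTTP/1.0" 404 288
this line is not an access-log record
"""

if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for host, counts in sorted(tally(lines).items()):
        print(host, dict(counts))
    print('new hosts per day:', dict(new_hosts_per_day(lines)))
```

Point it at a real log with `tally(open('/var/log/apache/access.log'))`; the per-host counts are what you would attach to a complaint to the source's sysop, and `new_hosts_per_day` gives the day-by-day growth the thread is eyeballing.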

