Re: code red goes on
On Thu, Aug 02, 2001 at 10:08:56PM -0700, Karsten M. Self wrote:
> on Fri, Aug 03, 2001 at 02:54:01PM +0000, John Griffiths (john@capmon.com) wrote:
> > if you grep your http access log for "default.ida" (good sign of a
> > code red attempt on an apache box)
> >
> > you'll see that code red has infected as many new machines in the last
> > two days as it did on 20 July
>
> Hmmm:
>
> grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}'
>
> ...gives a hostlist. Anyone know of a central repository who might be
> collecting same and sending LARTs to the appropriate sysops? Or is that
> a complete !@#$%^&*() waste of time? Any way to test an IP to see if
> it's been compromised?
>
From what little I have read about it the site in question is defaced
if it is a page containing English. I'm sure someone who has paid more
attention could list exactly what it does. Out of 38 sites I checked I
only saw one that had been defaced. Close to about half the sites I
visited were non-English sites. I checked them with -
$ for i in $(grep default /var/log/apache/access.log | awk '{print $1}');do
> lynx $i
> sleep 5 # in order to catch the ip
> done
I don't know if that is along the lines you were thinking but...
Many of the sites were "under construction."
kent
--
From seeing and seeing the seeing has become so exhausted
First line of "The Panther" - R. M. Rilke
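
Added example (not part of the original messages): the grep/awk host list from the thread, extended to count hosts per day on first sighting, which is the comparison John Griffiths describes between the last two days and 20 July. It assumes Apache common log format in chronological order; the log lines are constructed with documentation-range addresses, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: per-day count of hosts first seen requesting /default.ida.
# Assumes Apache common log format:
#   host ident user [dd/Mon/yyyy:hh:mm:ss zone] "METHOD path proto" status bytes

# Constructed sample log (documentation-range addresses, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [20/Jul/2001:09:14:02 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 276
192.0.2.11 - - [20/Jul/2001:11:40:19 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 276
192.0.2.10 - - [01/Aug/2001:03:02:51 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 276
198.51.100.7 - - [01/Aug/2001:03:05:10 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 276
198.51.100.8 - - [02/Aug/2001:17:22:33 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 276
203.0.113.5 - - [02/Aug/2001:18:00:00 +0000] "GET /index.html?ref=default.ida HTTP/1.0" 200 512
198.51.100.7 - - [02/Aug/2001:19:45:12 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 276
EOF
}

# Reads an access log from the files given as arguments, or from stdin.
# Prints one line per day: "day new_hosts hits".
new_hosts_per_day() {
    awk '
        # Match the request path ($7) only, so a URL that merely mentions
        # default.ida in its query string is not counted.
        tolower($7) ~ /^\/default\.ida/ {
            day = substr($4, 2, 11)      # "[20/Jul/2001:..." -> 20/Jul/2001
            if (!(day in hits)) days[++n] = day
            hits[day]++
            # A host counts as new only on the first day it appears.
            if (!($1 in seen)) { seen[$1] = 1; fresh[day]++ }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %d %d\n", days[i], fresh[days[i]], hits[days[i]]
        }
    ' "$@"
}

sample_log | new_hosts_per_day
```

Run against a real log with `new_hosts_per_day /var/log/apache/access.log`; rotated logs need to be passed oldest first so the first-seen day is correct.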