[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: code red goes on

Karsten M. Self wrote:

> Hmmm:
>     grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}' 
> ...gives a hostlist.  Anyone know of a central repository who might be
> collecting same and sending LARTs to the appropriate sysops?  Or is that
> a complete !@#$%^&*() waste of time?  Any way to test an IP to see if
> it's been compromised?

If it's sending you HTTP GET /default.ida?NNNNNNNNNNN..., then it's
definitely compromised. Other than that, I don't think so.

> I'm running 'host' against a bunch of IPs (I've got about 40), turning
> up a bunch of '<ip> does not exist' responses.

Many of them are DHCP addresses (dialup or PPPOE), so they'll come and
go, and the machine that has the address now may not be the one that
tried to infect you an hour ago.

Last month, I checked a dozen or so machines that tried to attack me.
Some of them were actual business web sites. This time, they seem to be
almost all end-user cable/DSL/dialup systems (to judge from their domain
names), none of which seem to reply with anything useful if you send
them a "GET /". My guess is these are default Windows NT installations
where the user doesn't even know he has IIS running.


Reply to: