
Re: code red goes on



Karsten M. Self wrote:

> Hmmm:
> 
>     grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}' 
> 
> ...gives a hostlist.  Anyone know of a central repository who might be
> collecting same and sending LARTs to the appropriate sysops?  Or is that
> a complete !@#$%^&*() waste of time?  Any way to test an IP to see if
> it's been compromised?

If it's sending you HTTP GET /default.ida?NNNNNNNNNNN..., then it's
definitely compromised. Other than that, I don't think so.

> I'm running 'host' against a bunch of IPs (I've got about 40), turning
> up a bunch of '<ip> does not exist' responses.

Many of them are DHCP addresses (dialup or PPPOE), so they'll come and
go, and the machine that has the address now may not be the one that
tried to infect you an hour ago.

Last month, I checked a dozen or so machines that tried to attack me.
Some of them were actual business web sites. This time, they seem to be
almost all end-user cable/DSL/dialup systems (to judge from their domain
names), none of which seem to reply with anything useful if you send
them a "GET /". My guess is these are default Windows NT installations
where the user doesn't even know he has IIS running.

Craig
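
As an added example that is not part of the original message: the grep pipeline quoted above, extended to count probes per source and record the first and last time each address was seen, which matters because dynamic addresses change hands as described in the reply. It assumes Apache common/combined log format with entries in chronological order; the function names and the sample log lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-source summary of Code Red probes in an Apache access log.
# Assumes common/combined log format ($1 = client, $4 = "[timestamp",
# $7 = request path) and that entries are in chronological order.

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [05/Aug/2001:10:01:12 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [05/Aug/2001:10:03:40 -0700] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [05/Aug/2001:11:15:02 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
203.0.113.5 - - [05/Aug/2001:11:20:33 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [05/Aug/2001:11:21:00 -0700] "GET /docs/default.idaho.html HTTP/1.0" 200 512
EOF
}

# Print "ip hits first_seen last_seen" for each client that requested
# /default.ida. Reads the named log file(s), or stdin when none is given.
code_red_hosts() {
    awk '
        # Match on the request path only, so a line that merely contains
        # the string elsewhere (another file name, a referer) is not counted.
        $7 == "/default.ida" || index($7, "/default.ida?") == 1 {
            ts = substr($4, 2)                 # drop the leading "["
            if (!($1 in hits)) first[$1] = ts  # first probe from this address
            hits[$1]++
            last[$1] = ts                      # most recent probe so far
        }
        END { for (ip in hits) print ip, hits[ip], first[ip], last[ip] }
    ' "$@" | LC_ALL=C sort
}

sample_log | code_red_hosts
```

On a real server, pass the log path instead of the sample: `code_red_hosts /var/log/apache/access.log`.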


