
Re: code red goes on



On Thu, Aug 02, 2001 at 10:08:56PM -0700, Karsten M. Self wrote:
> on Fri, Aug 03, 2001 at 02:54:01PM +0000, John Griffiths (john@capmon.com) wrote:
> > if you grep your http access log for "default.ida" (good sign of a
> > code red attempt on an apache box)
> > 
> > you'll see that code red has infected as many new machines in the last
> > two days as it did on 20 July
> 
> Hmmm:
> 
>     grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}' 
> 
> ...gives a hostlist.  Anyone know of a central repository who might be
> collecting same and sending LARTs to the appropriate sysops?  Or is that
> a complete !@#$%^&*() waste of time?  Any way to test an IP to see if
> it's been compromised?
> 

From what little I have read about it, the site in question is defaced
if it is a page containing English.  I'm sure someone who has paid more
attention could list exactly what it does.  Out of 38 sites I checked I
only saw one that had been defaced.  Close to about half the sites I
visited were non-English sites.  I checked them with -

$ for i in $(grep default /var/log/apache/access.log | awk '{print $1}');do
> lynx $i
> sleep 5  # in order to catch the ip
> done

I don't know if that is along the lines you were thinking but...
Many of the sites were "under construction."
kent

-- 
 From seeing and seeing the seeing has become so exhausted
     First line of "The Panther" - R. M. Rilke
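
An added example, not part of the original thread: one way to check the "new machines per day" observation quoted above is to count each source host only on the day of its first default.ida request, matching on the request path field so that a Referer containing the string is not counted. The function names and the sample log lines (documentation-range addresses, placeholder query string) are constructed for illustration and assume Apache common/combined log format.

```shell
#!/bin/sh
# Count hosts whose FIRST default.ida request falls on each day.
# Reads Apache common/combined log lines from stdin or from file arguments.
new_hosts_per_day() {
    awk '
    # $7 is the request path; testing it (not the whole line) ignores
    # Referer or User-Agent fields that merely contain "default.ida".
    $7 ~ /^\/default\.ida/ {
        host = $1
        # $4 looks like "[20/Jul/2001:14:02:11"; keep dd/Mon/yyyy.
        day = substr($4, 2, 11)
        if (!(host in seen)) {
            seen[host] = day
            if (!(day in count)) order[++n] = day   # remember log order
            count[day]++
        }
    }
    END {
        for (i = 1; i <= n; i++) print order[i], count[order[i]]
    }' "$@"
}

# Constructed sample input (not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [20/Jul/2001:14:02:11 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 205
192.0.2.11 - - [20/Jul/2001:15:40:03 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 205
192.0.2.10 - - [01/Aug/2001:09:12:45 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 205
198.51.100.7 - - [01/Aug/2001:10:01:00 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 205
198.51.100.8 - - [02/Aug/2001:03:22:19 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 205
198.51.100.9 - - [02/Aug/2001:03:25:50 +0000] "GET /index.html HTTP/1.0" 200 1043 "http://example.test/default.ida" "-"
EOF
}

# Stand-alone run on the constructed sample.
sample_log | new_hosts_per_day
```

On a real server, call it as `new_hosts_per_day /var/log/apache/access.log`; hosts that probe again on later days are not recounted.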



