Re: code red goes on

To: "Karsten M. Self" <kmself@ix.netcom.com>
Cc: debian-user@lists.debian.org
Subject: Re: code red goes on
From: John Griffiths <john@capmon.com>
Date: Fri, 03 Aug 2001 15:31:41 +0000
Message-id: <[🔎] 3.0.5.32.20010803153141.03963340@mailhost.capmon.com>
In-reply-to: <[🔎] 20010802220856.E2618@navel.introspect>
References: <[🔎] 3.0.5.32.20010803145401.03969620@mailhost.capmon.com> <[🔎] 3.0.5.32.20010803145401.03969620@mailhost.capmon.com>

At 10:08 PM 8/2/01 -0700, Karsten M. Self wrote:
>on Fri, Aug 03, 2001 at 02:54:01PM +0000, John Griffiths (john@capmon.com) wrote:
>> if you grep your http access log for "default.ida" (good sign of a
>> code red attempt on an apache box)
>> 
>> you'll see that code red has infected as many new machines in the alst
>> two days as it did on 20 July
>
>Hmmm:
>
>    grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}' 
>
>...gives a hostlist.  Anyone know of a central repository who might be
>collecting same and sending LARTs to the appropriate sysops?  Or is that
>a complete !@#$%^&*() waste of time?  Any way to test an IP to see if
>it's been compromised?
>
>...or a good way to grab the relevant data and mail your own report?
>
>I'm running 'host' against a bunch of IPs (I've got about 40), turning
>up a bunch of '<ip> does not exist' responses.
>

You'll find a lot of them are folks on dial-up boxes that proabably don't even know they've got a web-server.

Reply to:

References:
- code red goes on
  - From: John Griffiths <john@capmon.com>
- Re: code red goes on
  - From: "Karsten M. Self" <kmself@ix.netcom.com>

Prev by Date: Re: code red goes on
Next by Date: Where to go from here
Previous by thread: Re: code red goes on
Next by thread: Re: code red goes on
Index(es):
- Date
- Thread