On Thu, Aug 02, 2001 at 10:08:56PM -0700, Karsten M. Self wrote:
> on Fri, Aug 03, 2001 at 02:54:01PM +0000, John Griffiths ([EMAIL PROTECTED]) wrote:
> > if you grep your http access log for "default.ida" (good sign of a
> > code red attempt on an apache box)
> >
> > you'll see that code red has infected as many new machines in the last
> > two days as it did on 20 July
>
> Hmmm:
>
>     grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}'
>
> ...gives a hostlist.  Anyone know of a central repository who might be
> collecting same and sending LARTs to the appropriate sysops?  Or is that
> a complete [EMAIL PROTECTED]&*() waste of time?  Any way to test an IP to see if
> it's been compromised?
>
From what little I have read about it the site in question is defaced if
it is a page containing English.  I'm sure someone who has paid more
attention could list exactly what it does.  Out of 38 sites I checked I
only saw one that had been defaced.  Close to about half the sites I
visited were non-English sites.  I checked them with -

    $ for i in $(grep default /var/log/apache/access.log | awk '{print $1}');do
    > lynx $i
    > sleep 5 # in order to catch the ip
    > done

I don't know if that is along the lines you were thinking but...
Many of the sites were "under construction."

kent

-- 
From seeing and seeing the seeing has become so exhausted
     First line of "The Panther" - R. M. Rilke
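
Added example, not part of the original messages: a per-day summary of default.ida probes that separates total hits from hosts seen for the first time, which is the comparison made in the thread (new machines in the last two days versus 20 July). The log lines are constructed, use documentation address ranges, and assume Apache Common Log Format; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: per-day summary of default.ida probes in an Apache access log.
# Assumes Common/Combined Log Format: client is field 1, "[dd/Mon/yyyy:..." field 4.

# Constructed sample log lines (documentation addresses, shortened query string).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [20/Jul/2001:09:14:02 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
198.51.100.7 - - [20/Jul/2001:11:40:51 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
192.0.2.10 - - [20/Jul/2001:13:02:19 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
203.0.113.5 - - [21/Jul/2001:08:00:00 -0700] "GET /index.html HTTP/1.0" 200 1042
203.0.113.5 - - [01/Aug/2001:17:25:33 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
192.0.2.10 - - [02/Aug/2001:03:11:45 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
203.0.113.99 - - [02/Aug/2001:04:50:12 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
198.51.100.23 - - [02/Aug/2001:06:07:08 -0700] "GET /docs/default.idaho.html HTTP/1.0" 200 512
EOF
}

# Reads a log on stdin; prints "date hits new_hosts" per day, in log order.
# new_hosts counts clients that had not probed on any earlier line.
ida_summary() {
  awk '
    # Field 7 is the request path; anchor the match so that unrelated
    # URLs which merely contain "default" are not counted.
    $7 ~ /^\/default\.ida(\?|$)/ {
      day = substr($4, 2, 11)              # strip "[" and keep dd/Mon/yyyy
      if (!(day in hits)) order[++n] = day # remember first appearance order
      hits[day]++
      if (!($1 in seen)) { seen[$1] = 1; fresh[day]++ }
    }
    END {
      for (i = 1; i <= n; i++)
        printf "%s %d %d\n", order[i], hits[order[i]], fresh[order[i]] + 0
    }'
}

sample_log | ida_summary
```

Against a real server the same function reads the log from the thread: `ida_summary < /var/log/apache/access.log`.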