At 10:08 PM 8/2/01 -0700, Karsten M. Self wrote:
>on Fri, Aug 03, 2001 at 02:54:01PM +0000, John Griffiths ([EMAIL PROTECTED])
>wrote:
>> if you grep your http access log for "default.ida" (good sign of a
>> code red attempt on an apache box)
>>
>> you'll see that code red has infected as many new machines in the last
>> two days as it did on 20 July
>
>Hmmm:
>
>    grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}'
>
>...gives a hostlist. Anyone know of a central repository who might be
>collecting same and sending LARTs to the appropriate sysops? Or is that
>a complete [EMAIL PROTECTED]&*() waste of time? Any way to test an IP to see if
>it's been compromised?
>
>...or a good way to grab the relevant data and mail your own report?
>
>I'm running 'host' against a bunch of IPs (I've got about 40), turning
>up a bunch of '<ip> does not exist' responses.
>
You'll find a lot of them are folks on dial-up boxes that probably don't even know they've got a web-server.
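
Added example, not part of the original messages: the grep/awk one-liner quoted above, extended to count how many source addresses appear for the first time on each day, which is the per-day comparison described in the quoted text. The function names and the sample log lines are constructed for illustration, and the awk assumes Apache common or combined log format.

```shell
#!/bin/sh
# Count source addresses seen for the first time on each day among
# requests for /default.ida (Apache common/combined log format assumed).
# Matching on the request path field ($7) instead of the whole line
# avoids counting hits where the string only appears in a referrer.
new_hosts_per_day() {
    awk '
        $7 ~ /^\/default\.ida/ {
            day = substr($4, 2, 11)      # "[20/Jul/2001:..." -> "20/Jul/2001"
            if (!(day in count)) { order[++n] = day; count[day] = 0 }
            if (!($1 in seen))   { seen[$1] = 1; count[day]++ }
        }
        END { for (i = 1; i <= n; i++) print order[i], count[order[i]] }
    ' "$1"
}

# Constructed sample log (documentation address ranges, shortened query
# string); hypothetical helper so the example runs without a real log.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [20/Jul/2001:03:12:45 -0700] "GET /default.ida?NNNN HTTP/1.0" 404 276
198.51.100.7 - - [20/Jul/2001:04:01:02 -0700] "GET /default.ida?NNNN HTTP/1.0" 404 276
192.0.2.10 - - [20/Jul/2001:09:30:00 -0700] "GET /default.ida?NNNN HTTP/1.0" 404 276
203.0.113.5 - - [01/Aug/2001:11:00:10 -0700] "GET /index.html HTTP/1.0" 200 1024
203.0.113.9 - - [01/Aug/2001:12:15:33 -0700] "GET /default.ida?NNNN HTTP/1.0" 404 276
198.51.100.7 - - [02/Aug/2001:01:05:09 -0700] "GET /default.ida?NNNN HTTP/1.0" 404 276
203.0.113.44 - - [02/Aug/2001:02:22:41 -0700] "GET /default.ida?NNNN HTTP/1.0" 404 276
EOF
}

log=$(mktemp)
write_sample_log "$log"
new_hosts_per_day "$log"    # one "day count" line per day, in log order
rm -f "$log"
```

A host that probed on an earlier day is not counted again, so repeat scanners do not inflate the later days' totals.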