Karsten M. Self wrote:
> Hmmm:
>
>     grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}'
>
> ...gives a hostlist. Anyone know of a central repository who might be
> collecting same and sending LARTs to the appropriate sysops? Or is that
> a complete [EMAIL PROTECTED]&*() waste of time? Any way to test an IP to see
> if it's been compromised?

If it's sending you HTTP GET /default.ida?NNNNNNNNNNN..., then it's
definitely compromised. Other than that, I don't think so.

> I'm running 'host' against a bunch of IPs (I've got about 40), turning
> up a bunch of '<ip> does not exist' responses.

Many of them are DHCP addresses (dialup or PPPOE), so they'll come and go,
and the machine that has the address now may not be the one that tried to
infect you an hour ago.

Last month, I checked a dozen or so machines that tried to attack me. Some
of them were actual business web sites. This time, they seem to be almost
all end-user cable/DSL/dialup systems (to judge from their domain names),
none of which seem to reply with anything useful if you send them a "GET /".
My guess is these are default Windows NT installations where the user
doesn't even know he has IIS running.

Craig
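
An added example, not part of the original thread: the grep/awk pipeline quoted above, extended to record a hit count and first/last timestamps per source address, since many sources are DHCP addresses and an IP without a time does not identify the machine. It matches on the request-path field, so a line that only mentions default.ida in its Referer is not counted; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Summarise /default.ida probes per source IP from an Apache access log.
# Output: ip<TAB>hits<TAB>first_seen<TAB>last_seen, sorted by IP.
# Usage: summarize_ida_probes /var/log/apache/access.log   (or pipe on stdin)
summarize_ida_probes() {
    awk '
        # Common/combined log format, split on whitespace:
        #   $1 = client, $4 $5 = [timestamp zone], $6 = "METHOD, $7 = path.
        # Testing $7 rather than the whole line skips requests where
        # default.ida appears only in the Referer or User-Agent.
        $7 ~ /^\/default\.ida/ {
            # Strip the leading "[" and trailing "]" from the timestamp.
            ts = substr($4, 2) " " substr($5, 1, length($5) - 1)
            if (!($1 in hits)) first[$1] = ts
            last[$1] = ts          # assumes the log is in time order
            hits[$1]++
        }
        END {
            for (ip in hits)
                printf "%s\t%d\t%s\t%s\n", ip, hits[ip], first[ip], last[ip]
        }
    ' "$@" | sort
}

# Constructed sample log (documentation address ranges, made-up timestamps).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [05/Aug/2001:10:00:01 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
198.51.100.7 - - [05/Aug/2001:10:05:12 -0700] "GET /index.html HTTP/1.0" 200 1024 "http://example.org/default.ida" "Mozilla/4.0"
203.0.113.5 - - [05/Aug/2001:10:07:30 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
192.0.2.10 - - [05/Aug/2001:11:15:42 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
EOF
}

# Demo run on the constructed sample.
sample_log | summarize_ida_probes
```

The IP plus the first/last timestamps (with time zone) is what an ISP abuse desk needs to map a dynamic address back to a subscriber.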