Different results:

bash-2.04$ grep default.ida?NNNNN /var/log/httpd/access_log* | wc -l
157
bash-2.04$ grep default.ida?NNNNN /var/log/httpd/access_log | wc -l
32

Rotated logs, if your server runs a little bit longer ;-)

Michael Jung

> -----Original Message-----
> From: Dan York [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 07, 2001 4:48 PM
> To: E-smith developers list
> Subject: [e-smith-devinfo] Differentiating between CodeRed I and II...
>
> -----------------------------------
> Before I relay this info, let me just mention again for those who
> may have just joined us... the Code Red I and II worms affect ONLY
> Microsoft IIS servers. The worm does NOT infect the Apache web server
> installed on your e-smith server and gateway. (It may, however, slow
> down your connection with all of its connection attempts... depending
> on what type of connection you have.)
> -----------------------------------
>
> FYI, the BUGTRAQ folks have an article that talks about the technical
> differences between the signatures of the original CodeRed worm and
> the new "Code Red II" variant. It is at:
>
> http://archives.neohapsis.com/archives/bugtraq/2001-08/0066.html
>
> As noted, the major difference is that Code Red II uses "X" as a filler
> character instead of the original "N" character. By just modifying
> the grep string, you can see what is attacking you. Here is my home
> (e-smith) server sitting on the end of a cable modem:
>
> bash-2.04$ grep default.ida /var/log/httpd/access_log | wc -l
> 1629
> bash-2.04$ grep default.ida?XXXXX /var/log/httpd/access_log | wc -l
> 1594
> bash-2.04$ grep default.ida?NNNNN /var/log/httpd/access_log | wc -l
> 35
>
> So I have had 1629 infection attempts, 1594 of which are Code Red II and
> 35 of which are the original Code Red. This is for a log file that
> started at 4am on August 5th, just a little over two days ago.
> Note that Code Red II is now VERY nasty:
>
> http://www.incidents.org/react/code_redII.php
>
> It installs a trojan version of Windows explorer and does other things
> to basically leave a Windows system wide open to be exploited at a later
> time. It also uses a better random number generator for IP addresses, so it
> is attacking a larger target range than the original Code Red. My
> personal thought is that this one is going to hit a whole lot of home
> users hardest of all. (Many of whom may not realize that they are running
> a web server, and therefore have not patched it.)
>
> As another note, I do not actually use my web server on my e-smith box
> for any web publishing, so *no one* should be visiting my box and the result
> is that the only thing going into my access logs is Code Red infection
> attempts! Because Code Red is the only traffic, I ran this command in a
> window to sit and watch the traffic:
>
> tail -f /var/log/httpd/access_log
>
> In the time it has taken me to write this message, I have seen 8 or 9 more
> connection attempts from various IP addresses, so it is very much out there
> attacking systems. Let us hope that more and more IIS systems will be patched
> (or people will switch to other web servers) so that this thing goes away.
>
> Regards,
> Dan
>
> --
> Dan York, Director of Training                    [EMAIL PROTECTED]
> Ph: +1-613-751-4401  Mobile: +1-613-263-4312  Fax: +1-613-564-7739
> Mitel Network Corporation              Network Server Solutions Group
> 150 Metcalfe St., Suite 1500, Ottawa, ON K2P 1P1 Canada
> http://www.e-smith.com/                      open source, open mind
>
> --
> Please report bugs to [EMAIL PROTECTED]
> Please mail [EMAIL PROTECTED] (only) to discuss security issues
> Support for registered customers and partners to [EMAIL PROTECTED]
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
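The grep counts in both messages, and Michael's point that rotated logs change the answer, reworked as an added example that is not part of either message and not e-smith's own tooling. The two log files, their contents (truncated default.ida request lines with only the filler run kept), the variable names CURRENT_LOG and ROTATED_LOG, and the three functions are all constructed here for illustration; on a real server you would point them at /var/log/httpd/access_log and its rotations instead.

```shell
#!/bin/sh
# Added example (not from the original thread): classify Code Red probes in
# Apache access logs by the filler character after "default.ida?" --
# N = original Code Red, X = Code Red II -- across current and rotated logs.
# The log lines below are constructed; a real worm request line is far
# longer and is cut off here after the filler run.

# Current log: what a plain "grep ... access_log" sees.
CURRENT_LOG="$(mktemp)"
cat > "$CURRENT_LOG" <<'EOF'
192.0.2.11 - - [07/Aug/2001:16:01:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX=a HTTP/1.0" 404 280
192.0.2.11 - - [07/Aug/2001:16:03:45 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX=a HTTP/1.0" 404 280
192.0.2.12 - - [07/Aug/2001:16:05:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX=a HTTP/1.0" 404 280
192.0.2.10 - - [07/Aug/2001:16:07:19 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN=a HTTP/1.0" 404 280
192.0.2.13 - - [07/Aug/2001:16:09:33 -0400] "GET /default.ida?ZZZZZZZZZZZZZZZZZZZZZZZZ=a HTTP/1.0" 404 280
198.51.100.5 - - [07/Aug/2001:16:10:00 -0400] "GET /index.html HTTP/1.0" 200 1024
EOF

# Rotated log: the extra history that "access_log*" picks up (plain text
# here; pipe through "gzip -dcf" first if your rotation compresses them).
ROTATED_LOG="$(mktemp)"
cat > "$ROTATED_LOG" <<'EOF'
192.0.2.10 - - [05/Aug/2001:04:02:10 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN=a HTTP/1.0" 404 280
192.0.2.20 - - [05/Aug/2001:09:41:58 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN=a HTTP/1.0" 404 280
192.0.2.11 - - [06/Aug/2001:22:15:07 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX=a HTTP/1.0" 404 280
EOF
trap 'rm -f "$CURRENT_LOG" "$ROTATED_LOG"' EXIT

# count_probes FILLER FILE...
# Same idea as the grep in the post, but -F makes "." and "?" literal,
# -h drops filename prefixes when several logs are given, and the count
# comes from wc so a zero result is still printed as a number.
count_probes() {
    filler="$1"; shift
    grep -hF "default.ida?$filler$filler$filler$filler$filler" "$@" | wc -l | tr -d ' '
}

# classify_probes FILE...
# One pass over all logs: Code Red I (N filler), Code Red II (X filler), and
# any other default.ida request, which would be a further variant or a
# hand-crafted probe and is worth a look on its own.
classify_probes() {
    awk '
        /"GET \/default\.ida[?]/ {
            if      ($0 ~ /default\.ida[?]NNNNN/) cr1++
            else if ($0 ~ /default\.ida[?]XXXXX/) cr2++
            else                                  other++
        }
        END { printf "codered1=%d codered2=%d other=%d\n", cr1 + 0, cr2 + 0, other + 0 }
    ' "$@"
}

# top_sources FILE...
# Probing hosts ranked by number of default.ida requests; the first field
# of a common/combined-format line is the client address.
top_sources() {
    grep -hF 'default.ida?' "$@" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Reproduce the two commands from the reply: current log only vs. all rotations.
echo "current  N=$(count_probes N "$CURRENT_LOG")  X=$(count_probes X "$CURRENT_LOG")"
echo "all logs N=$(count_probes N "$CURRENT_LOG" "$ROTATED_LOG")  X=$(count_probes X "$CURRENT_LOG" "$ROTATED_LOG")"
classify_probes "$CURRENT_LOG" "$ROTATED_LOG"
top_sources "$CURRENT_LOG" "$ROTATED_LOG"
```

The "other" bucket is the useful addition over the two greps: anything hitting default.ida that is neither N- nor X-filled is exactly what you would want to notice first, and the per-source ranking shows which hosts keep coming back, which is what the `tail -f` in the original message was being watched for by eye.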