Different results:

bash-2.04$ grep default.ida?NNNNN /var/log/httpd/access_log* | wc -l
    157
bash-2.04$ grep default.ida?NNNNN /var/log/httpd/access_log | wc -l
     32

Rotated logs, if your server runs a little bit longer ;-)

Michael Jung


> -----Original Message-----
> From: Dan York [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 07, 2001 4:48 PM
> To: E-smith developers list
> Subject: [e-smith-devinfo] Differentiating between CodeRed I and II...
>
>
> -----------------------------------
> Before I relay this info, let me just mention again for those who
> may have just joined us... the Code Red I and II worms affect ONLY
> Microsoft IIS servers.  The worm does NOT infect the Apache web server
> installed on your e-smith server and gateway. (It may, however, slow
> down your connection with all of its connection attempts... depending
> on what type of connection you have.)
> -----------------------------------
>
> FYI, the BUGTRAQ folks have an article that talks about the technical
> differences between the signatures of the original CodeRed worm and
> the new "Code Red II" variant.  It is at:
>
>   http://archives.neohapsis.com/archives/bugtraq/2001-08/0066.html
>
> As noted, the major difference is that Code Red II uses "X" as a filler
> character instead of the original "N" character.  By just modifying
> the grep string, you can see what is attacking you.  Here is my home
> (e-smith) server sitting on the end of a cable modem:
>
>     bash-2.04$ grep default.ida /var/log/httpd/access_log | wc -l
>        1629
>     bash-2.04$ grep default.ida?XXXXX /var/log/httpd/access_log | wc -l
>        1594
>     bash-2.04$ grep default.ida?NNNNN /var/log/httpd/access_log | wc -l
>          35
>
> So I have had 1629 infection attempts, 1594 of which are Code Red II and
> 35 of which are the original Code Red.  This is for a log file that
> started at 4am on August 5th, just a little over two days ago.  Note that
> Code Red II is now VERY nasty:
>
>   http://www.incidents.org/react/code_redII.php
>
> It installs a trojan version of Windows explorer and does other things
> to basically leave a Windows system wide open to be exploited at a later
> time. It also uses a better random number generator for IP addresses, so
> it is attacking a larger target range than the original Code Red. My
> personal thought is that this one is going to hit a whole lot of home
> users hardest of all.  (Many of whom may not realize that they are running
> a web server, and therefore have not patched it.)
>
> As another note, I do not actually use my web server on my e-smith box
> for any web publishing, so *no one* should be visiting my box and the
> result is that the only thing going into my access logs is Code Red
> infection attempts!  Because Code Red is the only traffic, I ran this
> command in a window to sit and watch the traffic:
>
>   tail -f /var/log/httpd/access_log
>
> In the time it has taken me to write this message, I have seen 8 or 9 more
> connection attempts from various IP addresses, so it is very much out there
> attacking systems. Let us hope that more and more IIS systems will be patched
> (or people will switch to other web servers) so that this thing goes away.
>
> Regards,
> Dan
>
> --
> Dan York, Director of Training        [EMAIL PROTECTED]
> Ph: +1-613-751-4401  Mobile: +1-613-263-4312 Fax: +1-613-564-7739
> Mitel Network Corporation Network Server Solutions Group
> 150 Metcalfe St., Suite 1500, Ottawa,ON K2P 1P1 Canada
> http://www.e-smith.com/            open source, open mind
>
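As an added example (not part of either message in this thread), the script below turns the two points made above into one reproducible check: it classifies `default.ida` probes by their filler character (`X` for Code Red II, `N` for the original), and it counts across rotated logs, including gzip-compressed rotations that a plain `grep access_log*` would not read. The log lines, the `10.0.0.x` addresses and the file names `access_log.1` / `access_log.2.gz` are constructed for the example; the request tail after the filler is abbreviated.

```shell
#!/bin/sh
# Added example: count Code Red I vs Code Red II probes in Apache access
# logs, including rotated and gzip-compressed copies. Not from the thread.

# Build a small constructed log set (hypothetical paths, fake addresses).
make_sample_logs() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/access_log" <<'EOF'
10.0.0.1 - - [07/Aug/2001:16:01:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 275
10.0.0.2 - - [07/Aug/2001:16:03:10 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 275
10.0.0.3 - - [07/Aug/2001:16:05:44 -0400] "GET /index.html HTTP/1.0" 200 1234
10.0.0.4 - - [07/Aug/2001:16:07:00 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 275
EOF
  # One rotated plain-text log and one gzip-compressed rotation.
  cat > "$dir/access_log.1" <<'EOF'
10.0.0.5 - - [05/Aug/2001:04:00:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 275
EOF
  printf '%s\n' \
    '10.0.0.6 - - [03/Aug/2001:12:00:00 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 275' \
    | gzip -c > "$dir/access_log.2.gz"
}

# cat_logs DIR all|current
# "current" reads only the live access_log; "all" also reads every
# rotation, decompressing .gz files instead of grepping their raw bytes.
cat_logs() {
  if [ "$2" = current ]; then
    cat "$1/access_log"
    return
  fi
  for f in "$1"/access_log*; do
    case "$f" in
      *.gz) gzip -dc "$f" ;;
      *)    cat "$f" ;;
    esac
  done
}

# count_probes DIR PATTERN [all|current] -> number of matching lines.
# -F makes the match a fixed string, so '?' in "default.ida?NNNNN" is
# taken literally rather than as a regex metacharacter.
count_probes() {
  cat_logs "$1" "${3:-all}" | grep -c -F "$2" || true
}

# report DIR: one summary line in the spirit of the three greps above.
report() {
  dir="$1"
  total=$(count_probes "$dir" 'default.ida')
  cr2=$(count_probes "$dir" 'default.ida?XXXXX')
  cr1=$(count_probes "$dir" 'default.ida?NNNNN')
  cur=$(count_probes "$dir" 'default.ida' current)
  printf 'all logs: total=%s codered2=%s codered1=%s unclassified=%s; current log only: %s\n' \
    "$total" "$cr2" "$cr1" "$((total - cr2 - cr1))" "$cur"
}

# Stand-alone demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
report "$demo_dir"
rm -rf "$demo_dir"
```

The "unclassified" column is the useful extra: any `default.ida` hit that is neither `N`- nor `X`-filled is a request the two known signatures do not explain and deserves a look rather than being silently folded into one of the counts.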


--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
