RE: code red goes on
I have noticed a new entry in the apache access logs as follows. Also the CR2 accesses have dropped off to almost zero.

210.204.88.105 - - [09/Aug/2001:14:54:44 +1000] "-" 408 -
210.72.200.39 - - [09/Aug/2001:15:04:31 +1000] "-" 408 -
210.182.140.14 - - [09/Aug/2001:15:05:15 +1000] "-" 408 -
210.108.205.221 - - [09/Aug/2001:15:05:41 +1000] "-" 408 -
211.231.18.226 - - [09/Aug/2001:15:13:52 +1000] "-" 408 -
210.206.208.230 - - [09/Aug/2001:15:19:26 +1000] "-" 408 -
210.181.87.251 - - [09/Aug/2001:15:25:02 +1000] "-" 408 -
210.188.229.52 - - [09/Aug/2001:15:39:31 +1000] "-" 408 -
210.119.76.150 - - [09/Aug/2001:15:42:55 +1000] "-" 408 -
210.107.62.166 - - [09/Aug/2001:15:48:55 +1000] "-" 408 -
210.104.77.1 - - [09/Aug/2001:15:51:52 +1000] "-" 408 -

Anyone else have this?

Ian
Re: code red goes on
On Mon, Aug 06, 2001 at 09:32:33AM +, John Griffiths wrote:
> Code Reds Mark II and III have already been identified,

Where can I find information on CR3?

--
With the arrest of Dimitry Sklyarov it has become apparent that it is not safe for non US software engineers to visit the United States. - Alan Cox
"To prevent unauthorized reading..." - Adobe eBook reader license
Re: code red goes on
On Mon, Aug 06, 2001 at 12:43:57PM -0600, John Galt wrote:
> CR2 is actually seeming to have a twist in its IP picker that weights it
> to the subnets where cable/dsl users are the rule.

According to incidents.org, the weighting is actually set up to favor the local subnets. It only pounds cable/dsl when that's what's already infected. Full details at:

http://www.incidents.org/react/code_redII.php

--
With the arrest of Dimitry Sklyarov it has become apparent that it is not safe for non US software engineers to visit the United States. - Alan Cox
"To prevent unauthorized reading..." - Adobe eBook reader license
RE: code red goes on
I just had a look at another site I look after. It appears from the apache logs that Code Red has not hit there since 5th August, yet web requests are getting through. It is being filtered at the ISP level.

Ian
Re: code red goes on
On Mon, 6 Aug 2001, Chris Niekel wrote:

>On Sun, Aug 05, 2001 at 07:02:35PM -0600, John Galt wrote:
>> [...]
>> CodeRed2. Nastier: it also copies cmd.exe to root.exe, and installs a
>> pseudo-r00tkit. If the IIS admins didn't learn the first time, they got
>> screwed hardcore the second. Not even a reacharound this time.
>
>I get hit every 2 minutes. And apparently lots of computers are now
>advertising that they can be remotely controlled. Wouldn't it be nice if
>there were some 'hack' to send to such a server so that it gets fixed.
>I've got a list of hundreds of ip's of IIS-servers almost begging for an
>antidote!

Telnet to port 80 of the affected server. You'll get a rootshell, add the file C:\noworm. This will (hopefully, I'm using CR's fix on CR2's rootshell) prevent it from broadcasting all the junk.

>My stats for today (20 hours): 601 CodeRed2's, 8 CodeRed1's. With my
>cablemodem it looks like my whole country is infected. Although it's
>only 268 unique ip's. CodeRed2 attempts to spread a lot more than 1.

CR2 is actually seeming to have a twist in its IP picker that weights it to the subnets where cable/dsl users are the rule.

>Well, better start ignoring the output.
>
>Greetings,
>Chris Niekel
>

--
Sacred cows make the best burgers

Who is John Galt? [EMAIL PROTECTED], that's who!!!
Re: code red goes on
On Sun, Aug 05, 2001 at 07:02:35PM -0600, John Galt wrote:
> [...]
> CodeRed2. Nastier: it also copies cmd.exe to root.exe, and installs a
> pseudo-r00tkit. If the IIS admins didn't learn the first time, they got
> screwed hardcore the second. Not even a reacharound this time.

I get hit every 2 minutes. And apparently lots of computers are now advertising that they can be remotely controlled. Wouldn't it be nice if there were some 'hack' to send to such a server so that it gets fixed. I've got a list of hundreds of ip's of IIS-servers almost begging for an antidote!

My stats for today (20 hours): 601 CodeRed2's, 8 CodeRed1's. With my cablemodem it looks like my whole country is infected. Although it's only 268 unique ip's. CodeRed2 attempts to spread a lot more than 1.

Well, better start ignoring the output.

Greetings,
Chris Niekel

--
Geek code version 3.1:
GCS d- s++: a- C++$ ULSI++ P+(---) L+++> E--- W++ N++ o K? w--- O M- V?>-- PS+ PE-() Y PGP+ t+>+++ 5? X- !R tv+ b DI++ D+ G>++ e+++ h--- r+++ y
RE: code red goes on
>There has definitely been a change in the original form of the attacks from
># GET /default.ida?N -snip- NN%u9090% -snip- 0%u00=a HTTP/1.0
>to
># GET /default.ida?X -snip- XX%u9090% -snip- 0%u00=a HTTP/1.0
>The second packet is also much shorter (with fewer X's), although the tail is
>the same.
>
>The increase in traffic over the last few days has been marked.
>
>Sept  -   0 hits
>1 Aug -   3 hits   0.1 per hr
>2 Aug -  22 hits   0.9/hr
>3 Aug -  33 hits   1.4/hr
>4 Aug -  41 hits   1.7/hr
>5 Aug - 167 hits   6.9/hr
>6 Aug -  79 hits  10.0/hr (only 8 hrs of data)
>
>I can see this is going to be a real problem in the upcoming weeks.
>
>I have noticed on the end of each access in the log, Apache gives "404 205".
>404 I guess means page not found, but on two occasions it looks like
>it gave a "200 - ". Strange. I thought a valid access was 200.
>
>Ian

Code Reds Mark II and III have already been identified, doing much more malicious things and spreading with better randomisation.

Hopefully a "cheese worm" equivalent will be released to stomp on this before we get to 20 Jul and the biggest DDoS in history kicks off.
Re: code red goes on
after reading that "apparently" the latest code red attacks are coming from unsuspecting users of that ultimate computer virus, i decided to scan the access log file and send messages to the "best guess" person at the owner of the ip address (usually a dial-up provider). i modified the script by "Karsten M. Self" and then input the output to a perl script to send to the appropriate person.

first, the modified command from karsten:

#!/bin/sh
# code.red.sh - one line per attacking IP: SOA contact, IP, timestamp, request
# usage: ./code.red.sh access_log
for i in $(grep 'default\.ida' "$1" | awk '{print $1}' | sort -u)
do
    # first hit from this IP, with the long ?NNN.../?XXX... payload cut off
    a=`grep "^$i .*default\.ida" "$1" | sed -e 's/\(.*\)?[NX].*/\1/' | awk '{print $1, $4, $5, $6, $7}' | head -1`
    # asking for a record type that does not exist under the reverse name makes
    # the authority section carry the zone's SOA; its 6th field is the contact
    b=`dig -x "$i" a | grep 'IN SOA' | awk '{print $6}'`
    echo "$b $a"
done

this created a line like

dns.deltacom.net. 209.192.99.162 [02/Aug/2001:18:23:22 -0700] "GET /default.ida

given that the dns records aren't consistent from site to site, the contact name may require more search with "dig -x ip a", "dig -x ip soa", "dig -x ip", and whois. (out of the 79 code red hits i have gotten this month, 10 had no soa records of any kind, which strikes me as odd!).

after manually checking the records (whilst changing the leading period to a '@' and removing the trailing period in the contact name (i.e., dns.deltacom.net. -> [EMAIL PROTECTED]) i then ran the following program which uses the above information:

#!/usr/bin/perl
# codred.pl - mail one abuse report per line of virushosts.sorted
use strict ;
use warnings ;
use File::Temp qw( tempfile ) ;   # POSIX::tmpnam() is gone from modern Perl

my $targetFile = "virushosts.sorted" ;
open( INPUT , "<", $targetFile ) or die "Unable to open $targetFile for reading: $! \n" ;

my $subject = "Code Red Virus Abuse" ;
my $text = "Subject: $subject\n\nThe following record snippet was detected in our web server logs. It would\nappear that one of your dial-up users has been infected with the code red virus\nand has not taken the appropriate actions to eliminate the problem. Please take\nthe appropriate action to alert the user to this breach of acceptable\nbehavior in the internet community.\n\n" ;
my $salutation = "\n\n--\nRegards\n" ;
my $program = "send" ;   # your mail-sending command; it is handed the temp file
my $from = "\@" ;        # your abuse contact, gets a Cc:
my $bcc = "\@" ;         # address that gets a Bcc: copy

while ( <INPUT> ) {
    chomp ;
    my @a = split ' ' ;
    next unless @a ;
    my $recipient = $a[0] ;                    # SOA contact from code.red.sh
    my $log = join( ' ', @a[ 1 .. $#a ] ) ;    # the log snippet that follows it
    my $message = "To: $recipient\nCc: $from\nBcc: $bcc\n" . $text . $log . $salutation ;

    # tempfile() creates the file exclusively, so there is no tmpnam() race
    my ( $fh , $name ) = tempfile() ;
    print $fh $message ;
    close( $fh ) ;
    print "Send to $recipient\n" ;
    system( $program , $name ) ;               # list form: no shell involved
    unlink( $name ) or warn "Unable to unlink $name: $!\n" ;
}
close( INPUT ) ;
exit ;

you will need to change the lines setting $program, $from and $bcc as appropriate. this will send out an email to the contact of the ip owner, cc'ing your abuse email contact, and bcc'ing a copy to the user in the bcc field.

NOTE: the from field will contain the email address of the user running the program, not the abuse email address (unless they happen to be the same.)

sequence of commands:

cd /usr/local/apache/logs
./code.red.sh access_log > virushosts
sort -o virushosts.sorted virushosts
vi virushosts.sorted    # making changes noted above under code.red.sh
./codered.pl

--
regards,
allen wayne best, esq
"your friendly neighborhood rambler owner"
"my rambler will go from 0 to 105"
Current date: 0:36:12::216:2001

"Is this foreplay?"
"No, this is Nuke Strike. Foreplay has lousy graphics. Beat me again."
-- Duckert, in "Bad Rubber," Albedo #0 (comics)
RE: code red goes on
> -----Original Message-----
> From: Alan Shutko [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 03, 2001 11:18 PM
> To: debian-user@lists.debian.org
> Subject: Re: code red goes on
>
>
> "Karsten M. Self" writes:
>
> > Anyone noting trends between 7/20 and 8/2? I've got 30 v. 49,
> > respectively. Looks like this is actually the bigger attack.
>
> http://www.incidents.org says that we've already gotten more infected
> machines than July 20th, although probes seem to have leveled off.
>
> I've heard that this is a slight change on the original code red which
> seeds the RNG used to pick hosts to try, and it's thus hitting lots of
> hosts which weren't in the first round.
>

There has definitely been a change in the original form of the attacks from

# GET /default.ida?N -snip- NN%u9090% -snip- 0%u00=a HTTP/1.0

to

# GET /default.ida?X -snip- XX%u9090% -snip- 0%u00=a HTTP/1.0

The second packet is also much shorter (with fewer X's), although the tail is the same.

The increase in traffic over the last few days has been marked.

Sept  -   0 hits
1 Aug -   3 hits   0.1 per hr
2 Aug -  22 hits   0.9/hr
3 Aug -  33 hits   1.4/hr
4 Aug -  41 hits   1.7/hr
5 Aug - 167 hits   6.9/hr
6 Aug -  79 hits  10.0/hr (only 8 hrs of data)

I can see this is going to be a real problem in the upcoming weeks.

I have noticed on the end of each access in the log, Apache gives "404 205". 404 I guess means page not found, but on two occasions it looks like it gave a "200 - ". Strange. I thought a valid access was 200.

Ian
Re: code red goes on
At 05:51 PM 8/5/01 -0700, Karsten M. Self wrote:
>on Mon, Aug 06, 2001 at 09:32:33AM +, John Griffiths ([EMAIL PROTECTED])
>wrote:
>
>> Code Reds Mark II and III have already been identified, doing much
>> more malicious things and spreading with better randomisation
>>
>> Hopefully a "cheese worm" equivalent will be released to stomp on this
>> before we get to 20 Jul and the biggest DDoS in history kicks off.
>
>348 days and counting ;-)
>
>(or did he really mean 20 *Aug*, 2001).
>

ho ho yes indeed, 20th day of the month for CRv1

I should have said v's 2 & 3 might do something else entirely (they seem to plant more sophisticated trojans)
RE: code red goes on
On Mon, 6 Aug 2001, Ian Perry wrote:

>> -----Original Message-----
>> From: Alan Shutko [mailto:[EMAIL PROTECTED]]
>> Sent: Friday, August 03, 2001 11:18 PM
>> To: debian-user@lists.debian.org
>> Subject: Re: code red goes on
>>
>>
>> "Karsten M. Self" writes:
>>
>> > Anyone noting trends between 7/20 and 8/2? I've got 30 v. 49,
>> > respectively. Looks like this is actually the bigger attack.
>>
>> http://www.incidents.org says that we've already gotten more infected
>> machines than July 20th, although probes seem to have leveled off.
>>
>> I've heard that this is a slight change on the original code red which
>> seeds the RNG used to pick hosts to try, and it's thus hitting lots of
>> hosts which weren't in the first round.
>>
>
>There has definitely been a change in the original form of the attacks from
># GET /default.ida?N -snip- NN%u9090% -snip- 0%u00=a HTTP/1.0

normal CodeRed

>to
># GET /default.ida?X -snip- XX%u9090% -snip- 0%u00=a HTTP/1.0

CodeRed2. Nastier: it also copies cmd.exe to root.exe, and installs a pseudo-r00tkit. If the IIS admins didn't learn the first time, they got screwed hardcore the second. Not even a reacharound this time.

>The second packet is also much shorter (with fewer X's), although the tail is
>the same.
>
>The increase in traffic over the last few days has been marked.
>
>Sept  -   0 hits
>1 Aug -   3 hits   0.1 per hr
>2 Aug -  22 hits   0.9/hr
>3 Aug -  33 hits   1.4/hr
>4 Aug -  41 hits   1.7/hr
>5 Aug - 167 hits   6.9/hr
>6 Aug -  79 hits  10.0/hr (only 8 hrs of data)
>
>I can see this is going to be a real problem in the upcoming weeks.
>
>I have noticed on the end of each access in the log, Apache gives "404 205".
>404 I guess means page not found, but on two occasions it looks like
>it gave a "200 - ". Strange. I thought a valid access was 200.
>
>Ian

--
Sacred cows make the best burgers

Who is John Galt? [EMAIL PROTECTED], that's who!!!
Re: code red goes on
on Mon, Aug 06, 2001 at 09:32:33AM +, John Griffiths ([EMAIL PROTECTED]) wrote:
> Code Reds Mark II and III have already been identified, doing much
> more malicious things and spreading with better randomisation
>
> Hopefully a "cheese worm" equivalent will be released to stomp on this
> before we get to 20 Jul and the biggest DDoS in history kicks off.

348 days and counting ;-)

(or did he really mean 20 *Aug*, 2001).

--
Karsten M. Self                          http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/            http://www.kuro5hin.org
   Free Dmitry! Boycott Adobe! Repeal the DMCA!     http://www.freesklyarov.org
Geek for Hire                      http://kmself.home.netcom.com/resume.html
Re: code red goes on
On Fri, Aug 03, 2001 at 12:29:05AM -0500, ktb wrote:
> From what little I have read about it the site in question is defaced
> if it is a page containing English. I'm sure someone who has paid more
> attention could list exactly what it does.

After infecting a system with U.S. English as the default language, one of the code red threads will go dormant for 2 hours, insert a handler which causes any requested URI to return the 'hacked by Chinese' page, wait 10 hours, and remove the handler. Thus, you will only see defacement on machines that have been infected for more than 2 and less than 12 hours.

--
With the arrest of Dimitry Sklyarov it has become apparent that it is not safe for non US software engineers to visit the United States. - Alan Cox
"To prevent unauthorized reading..." - Adobe eBook reader license
Re: code red goes on
On Fri, Aug 03, 2001 at 05:30:12PM +, John Griffiths wrote:
> on the 20th of the month the infected machines are all going to launch a
> denial of service attack at a web-server somewhere (last time was the IP
> address of the whitehouse but that may, or may not, have changed)

I have it from a reliable source in the local LUG that one strain of code red (and, based on his observations, it's the strain which is currently most active) has been modified to DOS 255.255.255.255. Flooding the broadcast address seems like something which could easily take a network segment down...

--
With the arrest of Dimitry Sklyarov it has become apparent that it is not safe for non US software engineers to visit the United States. - Alan Cox
"To prevent unauthorized reading..." - Adobe eBook reader license
Re: code red goes on
Thanks for the responses...

Hehehe... I changed an NT 4.0 Server to a REAL server about 2 months ago... (Potato r3) ... put in apache, samba etc. I think it was using MS II...(is that what NT uses?) I'm not sure though... I know very little about NT... I guess that's why I changed it to something I'm more comfortable with.

Anyway PHEW!!

Quoting Dave Carrigan <[EMAIL PROTECTED]>:

> Mike Egglestone <[EMAIL PROTECTED]> writes:
>
> > I grepped my access logs and noticed the "default.ida? etc etc..
> >
> > What does this mean?
> > Have I been attacked? or was it an attempted attack?
>
> You were attacked. Unless you are running an unpatched MS IIS server,
> you did not succumb, so you don't need to take further action.
>
> --
> Dave Carrigan ([EMAIL PROTECTED])            | Yow! An INK-LING? Sure -- TAKE
> UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-DNS | one!! Did you BUY any COMMUNIST
> Seattle, WA, USA                            | UNIFORMS??
> http://www.rudedog.org/                     |

~~Bill, Bill who?~~
Re: code red goes on
"Karsten M. Self" writes: > Anyone noting trends between 7/20 and 8/2? I've got 30 v. 49, > respectively. Looks like this is actually the bigger attack. http://www.incidents.org says that we've already gotten more infected machines than July 20th, although probes seem to have leveled off. I've heard that this is a slight change on the original code red which seeds the RNG used to pick hosts to try, and it's thus hitting lots of hosts which weren't in the first round. -- Alan Shutko <[EMAIL PROTECTED]> - In a variety of flavors! In a bottle, the neck is always at the top.
Re: code red goes on
At 12:27 AM 8/3/01 -0700, Mike Egglestone wrote:
>Hi..
>
>I grepped my access logs and noticed the "default.ida? etc etc..
>
>What does this mean?
>Have I been attacked? or was it an attempted attack?
>
>What exactly does the virus do to the system?
>
>Thanks
>Mike
>

If you run unpatched MS webservers u've been attacked; if not, you're just watching an attack rush past on its way somewhere else.

on the 20th of the month the infected machines are all going to launch a denial of service attack at a web-server somewhere (last time was the IP address of the whitehouse but that may, or may not, have changed)

not much you can do but if u track the hits you can tell for yourself where the worm is at.

http://www.theregister.co.uk/content/56/20749.html for good coverage
Re: code red goes on
Hi..

I grepped my access logs and noticed the "default.ida? etc etc..

What does this mean?
Have I been attacked? or was it an attempted attack?

What exactly does the virus do to the system?

Thanks
Mike

Quoting Matthias Richter <[EMAIL PROTECTED]>:

> ktb wrote on Fri Aug 03, 2001 at 12:29:05AM:
> > On Thu, Aug 02, 2001 at 10:08:56PM -0700, Karsten M. Self wrote:
> > > ...gives a hostlist. Anyone know of a central repository who might be
> > > collecting same and sending LARTs to the appropriate sysops?
>
> <http://www.dshield.org/codered.html> are collecting. You only have to:
>
> grep 'default.ida?N' access_log | mail -s 'APACHE' [EMAIL PROTECTED]
>
> As someone already mentioned, many boxes seem to be dialup-boxes...
>
> Matthias
> --
> Matthias Richter --+- stud. soz. & inf. -+-- http://www.uni-leipzig.de
> -->GPG Public Key: http://www.matthias-richter.de/gpg.ascii<--
> · Projekt Deutscher Wortschatz: <http://wortschatz.uni-leipzig.de>

~~Bill, Bill who?~~
Re: code red goes on
ktb wrote on Fri Aug 03, 2001 at 12:29:05AM:
> On Thu, Aug 02, 2001 at 10:08:56PM -0700, Karsten M. Self wrote:
> > ...gives a hostlist. Anyone know of a central repository who might be
> > collecting same and sending LARTs to the appropriate sysops?

<http://www.dshield.org/codered.html> are collecting. You only have to:

grep 'default.ida?N' access_log | mail -s 'APACHE' [EMAIL PROTECTED]

As someone already mentioned, many boxes seem to be dialup-boxes...

Matthias
--
Matthias Richter --+- stud. soz. & inf. -+-- http://www.uni-leipzig.de
-->GPG Public Key: http://www.matthias-richter.de/gpg.ascii<--
· Projekt Deutscher Wortschatz: <http://wortschatz.uni-leipzig.de>
Re: code red goes on
Karsten M. Self wrote:
> Hmmm:
>
> grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}'
>
> ...gives a hostlist. Anyone know of a central repository who might be
> collecting same and sending LARTs to the appropriate sysops? Or is that
> a complete [EMAIL PROTECTED]&*() waste of time? Any way to test an IP to see if
> it's been compromised?

If it's sending you HTTP GET /default.ida?NNN..., then it's definitely compromised. Other than that, I don't think so.

> I'm running 'host' against a bunch of IPs (I've got about 40), turning
> up a bunch of ' does not exist' responses.

Many of them are DHCP addresses (dialup or PPPOE), so they'll come and go, and the machine that has the address now may not be the one that tried to infect you an hour ago.

Last month, I checked a dozen or so machines that tried to attack me. Some of them were actual business web sites. This time, they seem to be almost all end-user cable/DSL/dialup systems (to judge from their domain names), none of which seem to reply with anything useful if you send them a "GET /". My guess is these are default Windows NT installations where the user doesn't even know he has IIS running.

Craig
Re: code red goes on
>> > if you grep your http access log for "default.ida" (good sign
>> > of a code red attempt on an apache box)
>> >
>> > you'll see that code red has infected as many new machines in
>> > the last two days as it did on 20 July
>
>> I have had 47 in the last 24 hrs.
>
>Please use follow-up response.
>
>Anyone noting trends between 7/20 and 8/2? I've got 30 v. 49,
>respectively. Looks like this is actually the bigger attack.
>

actually i ran http-analyze over a file i grepped out of the log

the bug only ran for a few hours in "propagate mode" on the 20th before switching to "attack mode" and went back to propagate 2 days ago (and because propagate is less damaging everyone thought it was gone)

and yes a quick look at the graph will tell you it's building into something much bigger than before
Re: code red goes on
on Fri, Aug 03, 2001 at 03:16:00PM +1000, Ian Perry ([EMAIL PROTECTED]) wrote:
> > -----Original Message-----
> > From: John Griffiths [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, August 04, 2001 12:54 AM
> > To: debian-user@lists.debian.org
> > Subject: code red goes on
> >
> >
> > if you grep your http access log for "default.ida" (good sign
> > of a code red attempt on an apache box)
> >
> > you'll see that code red has infected as many new machines in
> > the last two days as it did on 20 July

> I have had 47 in the last 24 hrs.

Please use follow-up response.

Anyone noting trends between 7/20 and 8/2? I've got 30 v. 49, respectively. Looks like this is actually the bigger attack.

--
Karsten M. Self                          http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/            http://www.kuro5hin.org
   Free Dmitry!! Boycott Adobe!! Repeal the DMCA!!  http://www.freesklyarov.org
Re: code red goes on
At 10:08 PM 8/2/01 -0700, Karsten M. Self wrote:
>on Fri, Aug 03, 2001 at 02:54:01PM +, John Griffiths ([EMAIL PROTECTED])
>wrote:
>> if you grep your http access log for "default.ida" (good sign of a
>> code red attempt on an apache box)
>>
>> you'll see that code red has infected as many new machines in the last
>> two days as it did on 20 July
>
>Hmmm:
>
>grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}'
>
>...gives a hostlist. Anyone know of a central repository who might be
>collecting same and sending LARTs to the appropriate sysops? Or is that
>a complete [EMAIL PROTECTED]&*() waste of time? Any way to test an IP to see if
>it's been compromised?
>
>...or a good way to grab the relevant data and mail your own report?
>
>I'm running 'host' against a bunch of IPs (I've got about 40), turning
>up a bunch of ' does not exist' responses.
>

You'll find a lot of them are folks on dial-up boxes that probably don't even know they've got a web-server.
Re: code red goes on
On Thu, Aug 02, 2001 at 10:08:56PM -0700, Karsten M. Self wrote:
> on Fri, Aug 03, 2001 at 02:54:01PM +, John Griffiths ([EMAIL PROTECTED])
> wrote:
> > if you grep your http access log for "default.ida" (good sign of a
> > code red attempt on an apache box)
> >
> > you'll see that code red has infected as many new machines in the last
> > two days as it did on 20 July
>
> Hmmm:
>
> grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}'
>
> ...gives a hostlist. Anyone know of a central repository who might be
> collecting same and sending LARTs to the appropriate sysops? Or is that
> a complete [EMAIL PROTECTED]&*() waste of time? Any way to test an IP to see if
> it's been compromised?
>

From what little I have read about it the site in question is defaced if it is a page containing English. I'm sure someone who has paid more attention could list exactly what it does. Out of 38 sites I checked I only saw one that had been defaced. Close to about half the sites I visited were non-English sites. I checked them with -

$ for i in $(grep default /var/log/apache/access.log | awk '{print $1}');do
> lynx $i
> sleep 5 # in order to catch the ip
> done

I don't know if that is along the lines you were thinking but... Many of the sites were "under construction."

kent
--
From seeing and seeing the seeing has become so exhausted
First line of "The Panther" - R. M. Rilke
RE: code red goes on
I have had 47 in the last 24 hrs.

> -----Original Message-----
> From: John Griffiths [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, August 04, 2001 12:54 AM
> To: debian-user@lists.debian.org
> Subject: code red goes on
>
>
> if you grep your http access log for "default.ida" (good sign
> of a code red attempt on an apache box)
>
> you'll see that code red has infected as many new machines in
> the last two days as it did on 20 July
Re: code red goes on
on Fri, Aug 03, 2001 at 02:54:01PM +, John Griffiths ([EMAIL PROTECTED]) wrote:
> if you grep your http access log for "default.ida" (good sign of a
> code red attempt on an apache box)
>
> you'll see that code red has infected as many new machines in the last
> two days as it did on 20 July

Hmmm:

grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}'

...gives a hostlist. Anyone know of a central repository who might be collecting same and sending LARTs to the appropriate sysops? Or is that a complete [EMAIL PROTECTED]&*() waste of time? Any way to test an IP to see if it's been compromised?

...or a good way to grab the relevant data and mail your own report?

I'm running 'host' against a bunch of IPs (I've got about 40), turning up a bunch of ' does not exist' responses.

--
Karsten M. Self                          http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/            http://www.kuro5hin.org
   Free Dmitry!! Boycott Adobe!! Repeal the DMCA!!  http://www.freesklyarov.org
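The thread's log checks are all variations on grep 'default\.ida' | awk '{print $1}', plus the later observations that the original worm fills the query with N's while Code Red II uses X's, that a few hits show "200 -" instead of "404 205", and that a burst of "-" 408 lines turned up afterwards. The script below is an added example written for this page, not code from any of the posts: it parses Apache common-log-format lines, tags each probe by variant (assuming, as John Galt states above, that N means the original Code Red and X means Code Red II), keeps the 408/"-" lines as their own bucket, and produces the per-day counts and the per-host list the thread built by hand. The function names and the sample log lines are the example's own; the sample addresses are either copied from the thread or RFC 5737 test addresses, and the probe payload is a constructed stub, not the real worm body.

```python
import re
from collections import Counter
from datetime import datetime

# One Apache common/combined log line:  host ident user [date] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# The worm's request: /default.ida? followed by a long run of one filler letter.
# Assumption (from the thread): N = original Code Red, X = Code Red II.
IDA_RE = re.compile(r'^GET /default\.ida\?([NX])(?:\1){3,}')


def classify(req, status):
    """Label a request string; None means 'nothing Code Red related'."""
    if req == "-" and status == 408:
        # client opened a connection but sent no request before Apache's Timeout expired
        return "408-no-request"
    m = IDA_RE.match(req)
    if m:
        return "codered-v1" if m.group(1) == "N" else "codered-II"
    if "/default.ida" in req:
        return "ida-other"          # an .ida probe with a filler we do not recognise
    return None


def parse_line(line):
    """Split one log line into fields; None if it is not in common log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["kind"] = classify(rec["req"], rec["status"])
    return rec


def summarize(lines):
    """Counts per kind and per day, plus one entry per attacking host.

    The status code is deliberately not used for classification: the "200 -"
    lines noticed in the thread are the same probe from the same worm.
    """
    by_kind, by_day, hosts = Counter(), Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["kind"] is None:
            continue
        by_kind[rec["kind"]] += 1
        if rec["kind"].startswith("codered"):
            by_day[rec["ts"].strftime("%d/%b/%Y")] += 1
            hosts.setdefault(rec["ip"], rec["kind"])
    return {"by_kind": dict(by_kind), "by_day": dict(by_day), "hosts": hosts}


def _ida(letter, n=20):
    # Constructed payload for the sample: only the leading filler run and a
    # stub of the %u... tail are reproduced, not the real worm body.
    return "GET /default.ida?" + letter * n + "%u9090%u00=a HTTP/1.0"


# Constructed sample log: two addresses copied from the thread, the rest RFC 5737 test space.
SAMPLE_LOG = [
    '209.192.99.162 - - [02/Aug/2001:18:23:22 -0700] "%s" 404 205' % _ida("N"),
    '198.51.100.3 - - [05/Aug/2001:09:10:11 +1000] "%s" 404 205' % _ida("X"),
    '198.51.100.3 - - [05/Aug/2001:09:12:11 +1000] "%s" 404 205' % _ida("X"),
    '198.51.100.9 - - [06/Aug/2001:01:00:00 +1000] "%s" 200 -' % _ida("X"),
    '210.204.88.105 - - [09/Aug/2001:14:54:44 +1000] "-" 408 -',
    '192.0.2.7 - - [06/Aug/2001:02:00:00 +1000] "GET /index.html HTTP/1.0" 200 1234',
]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.readlines()
    else:
        lines = SAMPLE_LOG
    r = summarize(lines)
    for kind, n in sorted(r["by_kind"].items()):
        print("%-16s %d" % (kind, n))
    for day, n in sorted(r["by_day"].items()):
        print("%s %d hits" % (day, n))
    for ip, kind in sorted(r["hosts"].items()):
        print(ip, kind)      # the hostlist the thread's grep|awk produced, now with variant
```

Run it with no argument to see the constructed sample, or with the path to an access_log. The host list it prints is what the code.red.sh and dshield submissions above consume, so the variant tag can be passed along; the 408 bucket is reported separately because those lines carry no request at all and therefore say nothing about which worm (if any) opened the connection.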