Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-19 Thread Rob Hillis
On Wed, 19 Sep 2001 22:22, Roger Wrethman wrote: I refined the script that was posted earlier. It now reports CODE RED, NIMDA and all the other hits on the server on the external interface. I think there's a little bug hidden in there, actually... when counting servers, you're cutting the

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-19 Thread Dan York
Roger, I refined the script that was posted earlier. It now reports CODE RED, NIMDA and all the other hits on the server on the external interface. Very nice... I put it on my home SME Server and it works well. I had to make one modification, though: script while : ; do cat

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-19 Thread Darrell May
Apache Worm Hits checker updated and available for download. This update counts totals and has links to detailed virus information (click the virus name). http://myezserver.com/downloads/mitel/apache-hits.zip -- Darrell May DMC NETSOURCED.COM http://netsourced.com http://myEZserver.com

RE: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-19 Thread Daniel C. Slagle
-I input -s $host -j DENY -l fi done -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Darrell May Sent: Wednesday, September 19, 2001 12:02 PM To: E-smith developers list Subject: Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-19 Thread Raymond den Ouden
] FYI - new worm appears to be hitting Microsoft IIS servers Dan York [EMAIL PROTECTED] said: Actually, you may have even more. Someone just pointed out to me that I should also search for 'root.exe': Arghh. Ok, updated for root.exe as well CodeRed = 0 CodeRed II = 248 cmd.exe

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-19 Thread Raymond den Ouden
PROTECTED] Sent: Tuesday, September 18, 2001 7:57 PM Subject: Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers Dan York [EMAIL PROTECTED] said: Actually, you may have even more. Someone just pointed out to me that I should also search for 'root.exe

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Darrell May
Dan York [EMAIL PROTECTED] said: FYI, this does not directly affect any of our (Apache) web servers, but it is additional traffic hitting all of us and slowing things down... Dan, I took my codered.php checker and did a quick update to look for this as well. New file is named

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Dan York
Darrell, Dan, I took my codered.php checker and did a quick update to look for this as well. New file is named apache-hits.php and may be downloaded from: Cool. Thanks for doing that. I've got 2938 total hits in my current log :( Actually, you may have even more. Someone just pointed

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Darrell May
Dan York [EMAIL PROTECTED] said: Actually, you may have even more. Someone just pointed out to me that I should also search for 'root.exe':
Arghh. Ok, updated for root.exe as well
CodeRed = 0
CodeRed II = 248
cmd.exe = 3179
root.exe = 477

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Dan York
FYI, incidents.org now has a page up about the worm: http://www.incidents.org/alert.php As Blake mentioned, there are reports of IE5 automatically executing this. (Although it still sounds like a user has to open the attachment.) Really-glad-not-to-be-using-IE, Dan -- Please report bugs to

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Dan Brown
Darrell May wrote: http://myezserver.com/downloads/mitel/apache-hits.zip Very slick--now I can put a code red free message on my home page and link it to the stats. Thanks! One question, though: why'd you put it in a .zip file? A .tgz would be much more linux-friendly, if you

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Mike Sensney
The common character string for this worm is 'c_dir'
cat /var/log/httpd/access_log |grep 'cmd.exe' | wc -l
3132
cat /var/log/httpd/access_log |grep 'root.exe' | wc -l
683
cat /var/log/httpd/access_log |grep 'c+dir' | wc -l
3815
3132 + 683 = 3815
BTW, you can produce a sorted IP

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Mike Sensney
What about IE5.5 and IE6? Does anybody know if they are vulnerable yet? My guess is probably so... (Is this a plot by Netscape to get back user share? :) At 02:22 PM 09/18/2001 -0400, Dan York wrote: FYI, incidents.org now has a page up about the worm: http://www.incidents.org/alert.php

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Philip Kay
] - - Original Message - From: Mike Sensney [EMAIL PROTECTED] To: E-smith developers list [EMAIL PROTECTED] Sent: Tuesday, September 18, 2001 9:41 PM Subject: Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers What about IE5.5 and IE6? Does

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Rob Hillis
On Wed, 19 Sep 2001 03:57, Darrell May wrote: Actually, you may have even more. Someone just pointed out to me that I should also search for 'root.exe': Arghh. Ok, updated for root.exe as well FYI Darrell, this thing now has a name... see

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Mike Sensney
21:33:12 - I've now been hit 4790 times now from 149 different servers. I'm now running this rough little script which gives the above output. It loops about every 10 minutes.
script
while : ; do
cat /var/log/httpd/access_log |grep 'c+dir' > tempfile
TIME=`date | cut -f 4 -d ' '`