We set up a crontab on our webserver machine, similar to "cat httpd.access_log | grep default.ida > ida_fools.txt"

It's up since Aug, 2 2001 and the output file's got quite some lines in it:

indigo:/usr/local/httpd/htdocs # cat ida_fools.txt | wc -l
4125
indigo:/usr/local/httpd/htdocs #

Cheers :)
Chr. Burri

    .-.
    /v\    L   I   N   U   X
   // \\  >I know Kung Fu!<
  /(   )\
   ^^-^^
Hi,

On Tuesday 07 August 2001 11:44, christian.burri@synecta.ch wrote:

We set up a crontab on our webserver machine, similar to "cat httpd.access_log | grep default.ida > ida_fools.txt" it's up since Aug, 2 2001 and the output file's got quite some lines in it: ... Cheers :) Chr. Burri

Other than merely collecting, you can do better things with these log entries, e.g.

grep 'default.ida' httpd.access_log | mail -s 'APACHE' redalert@dshield.org

(see www.dshield.org/codered.html). They collect Code Red logs and notify domain admins of infected machines.

If you don't know what to do with your firewall, portsentry or whatever log files, www.dshield.org is a good address to send them to. Don't forget to read the "How to submit reports" section, though.

Regards,
Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
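The grep used in this thread counts log lines, so a host that probes repeatedly is counted many times, and a line that only mentions default.ida in its Referer field also matches. As an added example (not code from any poster in this thread), the shell function below lists each distinct source once with its hit count and first and last timestamp; it assumes Apache common/combined log format, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Apache common/combined log format.
# sample_log and codered_hosts are hypothetical names.

# Constructed sample lines (documentation addresses, shortened query strings).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [02/Aug/2001:10:15:01 +0200] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [02/Aug/2001:10:17:44 +0200] "GET /index.html HTTP/1.0" 200 1024
192.0.2.10 - - [03/Aug/2001:08:02:13 +0200] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276
203.0.113.5 - - [05/Aug/2001:23:59:59 +0200] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [06/Aug/2001:12:00:00 +0200] "GET /news.html HTTP/1.0" 200 512 "http://example.test/default.ida" "Mozilla/4.0"
EOF
}

# Print "ip hits first_seen last_seen" once per distinct probing host.
# Reads the log files given as arguments, or stdin when none are given.
codered_hosts() {
    # Whitespace-split fields: $1 client, $4 "[timestamp", $6 "\"GET", $7 request path.
    # Matching on the request path itself ignores hits that are only in the Referer.
    awk '$6 == "\"GET" && index($7, "/default.ida") == 1 {
             ip = $1
             ts = substr($4, 2)                 # drop the leading "["
             if (!(ip in hits)) { first[ip] = ts; order[++n] = ip }
             hits[ip]++
             last[ip] = ts
         }
         END {
             for (i = 1; i <= n; i++) {
                 ip = order[i]
                 printf "%s %d %s %s\n", ip, hits[ip], first[ip], last[ip]
             }
         }' "$@"
}

# Demo on the constructed sample; on a real server: codered_hosts httpd.access_log
sample_log | codered_hosts
```

On the sample, a plain grep for default.ida matches four lines, while the function reports two distinct hosts.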
Hi,
I wonder about one thing - I tried to open a lot of infected machines on port 80 but there is no web server at all - connection was refused, why is it?
Sincerely,
Dmitriy Melihov
On Tue, 7 Aug 2001 13:47:05 +0200
Martin Leweling
Hi,
On Tuesday 07 August 2001 11:44, christian.burri@synecta.ch wrote:
We set up a crontab on our webserver machine, similar to "cat httpd.access_log | grep default.ida > ida_fools.txt" it's up since Aug, 2 2001 and the output file's got quite some lines in it: ... Cheers :) Chr. Burri
Other than merely collecting, you can do better things with these log entries, e.g. grep 'default.ida' httpd.access_log | mail -s 'APACHE' redalert@dshield.org (see www.dshield.org/codered.html).
They collect Code Red logs and notify domain admins of infected machines.
If you don't know what to do with your firewall, portsentry or whatever log files, www.dshield.org is a good address to send them to. Don't forget to read the "How to submit reports" section, though.
Regards,
Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
[Joke] Can someone please change the code-red to a useful worm? I.e. try to infect IIS systems like the original one, but install the necessary patch instead of DDoS attacks or backdoors. :-) [/Joke]
participants (4)
- christian.burri@synecta.ch
- Dmitriy Melihov
- Martin Leweling
- Michael Horst