 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
-------- Well, what I'd do is look in apache's access_log file, where for example I find a line that starts: 207.172.11.232 - - [04/Aug/2001:20:11:27 -0400] "GET /default.ida?XXXXXXXXXXXXXX... This tells me the IP address that the attack came from, and the precise time. A script could look up the address, though it need not, since you can use IP addresses in email addresses with most unix-type mailers. You'd try to send a message to postmaster at 207.172.11.232 and/or webmaster at 207.172.11.232 first. If those fail, you'd try postmaster at 207.172.11.1 and webmaster at 207.172.11.1, which is almost always a locally important machine. You'd also want to have the script leave a record of where it has sent messages, so you don't harrass them too often. Part of the job is already half done, since I have a mail delivery program in perl, which I wrote so that I could get good information about how some email was failing. I learned a few things about what passes for SMTP servers these days, of course. It already knows how to make a series of reasonable probes for alternatives if a first attempt fails, so adding a few more things like this would be pretty easy. All I really need is a wrapper around it that extracts lines from the apache log and generates a short message explaining what happened. Maybe I'll try it and see if I get any interesting replies. The biggest problem is that the culprits are mostly MS systems, and a lot of them probably lack postmaster and webmaster pseudo-users. I wonder what would be some other good guesses for names? | That's a good idea! Any thoughts on how you would do it? | | At 12:23 PM 8/4/01 +0000, you wrote: | >-------- | > | >| I'm pretty sure that the .ida files are an IIS thing. But I'm not 100% | >| sure. I try to stay away from IIS whenever possible. :-) | > | >OTOH, I'm tempted to write a default.ida script that sends a message | >to the postmaster and webmaster at the source machine, informing them | >that someone (possibly Code Red) is staging an attack from their | >machine. This might help convince some of them that they have a | >problem, and we know who they are. | | Drew Taylor | mailto:drew at drewtaylor.com | http://www.drewtaylor.com/ | - Subcription/unsubscription/info requests: send e-mail with "subscribe", "unsubscribe", or "info" on the first line of the message body to discuss-request at blu.org (Subject line is ignored).
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
