
BLU Discuss list archive



Curious HTTP GET commands ...



If you're running mod_perl on a server, someone put together an Apache 
handler to log these accesses and send email to the MX for the host. I had 
to play with the DNS lookups a little to get things to work properly, but 
it's working fine now. I modified the Code Red analysis script mentioned on 
./ to show the infected hosts attacking me.

All the above code is at http://home.drewtaylor.com/code_red/

At 01:40 AM 8/5/01 +0000, John Chambers wrote:
>--------
>
>Well, what I'd do is look in apache's access_log file, where for example
>I find a line that starts:
>
>207.172.11.232 - - [04/Aug/2001:20:11:27 -0400] "GET 
>/default.ida?XXXXXXXXXXXXXX...
>
>This tells me the IP address that the attack came from, and the
>precise time. A script could look up the address, though it need not,
>since you can use IP addresses in email addresses with most unix-type
>mailers. You'd try to send a message to postmaster at 207.172.11.232
>and/or webmaster at 207.172.11.232 first. If those fail, you'd try
>postmaster at 207.172.11.1 and webmaster at 207.172.11.1, which is almost
>always a locally important machine. You'd also want to have the
>script leave a record of where it has sent messages, so you don't
>harass them too often.
>
>Part of the job is already half done, since I have a mail delivery
>program in perl, which I wrote so that I could get good information
>about how some email was failing. I learned a few things about what
>passes for SMTP servers these days, of course. It already knows how
>to make a series of reasonable probes for alternatives if a first
>attempt fails, so adding a few more things like this would be pretty
>easy. All I really need is a wrapper around it that extracts lines
>from the apache log and generates a short message explaining what
>happened. Maybe I'll try it and see if I get any interesting replies.
>
>The biggest problem is that the culprits are mostly MS systems, and a
>lot of them probably lack postmaster and webmaster pseudo-users. I
>wonder what would be some other good guesses for names?
>
>| That's a good idea! Any thoughts on how you would do it?
>|
>| At 12:23 PM 8/4/01 +0000, you wrote:
>| >--------
>| >
>| >| I'm pretty sure that the .ida files are an IIS thing. But I'm not 100%
>| >| sure. I try to stay away from IIS whenever possible. :-)
>| >
>| >OTOH, I'm tempted to write a default.ida script that sends a message
>| >to the postmaster and webmaster at the source machine, informing them
>| >that someone (possibly Code Red) is staging an attack from their
>| >machine. This might help convince some of them that they have a
>| >problem, and we know who they are.
>|
>| Drew Taylor
>| mailto:drew at drewtaylor.com
>| http://www.drewtaylor.com/
>|

Drew Taylor
mailto:drew at drewtaylor.com
http://www.drewtaylor.com/
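The wrapper John describes, as an added example that is not code from this thread or from Drew Taylor's code_red page: it parses Apache access_log lines, picks out the `GET /default.ida?XXXX...` probes, records one notification per source IP per 24-hour window so nobody gets nagged repeatedly, and produces the candidate contact addresses (postmaster and webmaster at the source host, then at the .1 host of its /24) together with a short message body. It is written in Python rather than the Perl the post mentions, the log lines are constructed for the demo, the function names are this example's own, and it stops at planning the notifications rather than delivering mail. The `user@[1.2.3.4]` form is the standard SMTP address-literal syntax for mailing a raw IP.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access_log lines (Apache common log format). The first
# mimics the line quoted in the thread; the others are made up for the demo.
SAMPLE_LOG = """\
207.172.11.232 - - [04/Aug/2001:20:11:27 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
10.0.0.5 - - [04/Aug/2001:20:12:01 -0400] "GET /index.html HTTP/1.1" 200 1043
207.172.11.232 - - [04/Aug/2001:20:40:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
192.0.2.77 - - [05/Aug/2001:01:02:03 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return ip, time (timezone-aware), method, path, status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "raw": line.rstrip("\n"),
    }


def is_code_red_probe(entry):
    """The request the thread describes: GET /default.ida?XXXX..."""
    return entry["method"] == "GET" and entry["path"].lower().startswith("/default.ida?")


def contact_candidates(ip):
    """Addresses to try, in the order John suggests: postmaster and webmaster
    at the source host, then at .1 of its /24. Brackets make the IP an
    SMTP address literal."""
    net = ip.rsplit(".", 1)[0]
    return [f"{user}@[{host}]"
            for host in (ip, f"{net}.1")
            for user in ("postmaster", "webmaster")]


def build_report(entry):
    """Short message body explaining what happened (constructed wording)."""
    when = entry["time"].strftime("%Y-%m-%d %H:%M:%S %z")
    return (f"At {when} the host {entry['ip']} sent this request to our web server:\n"
            f"  {entry['raw']}\n"
            "This looks like a Code Red probe, so that host is probably infected.\n")


def plan_notifications(log_text, record, window=timedelta(hours=24)):
    """Walk the log and plan at most one notification per source IP per window.
    `record` maps ip -> time of the last planned notification and is updated
    in place; persist it between runs to keep the throttle working."""
    plans = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_code_red_probe(entry):
            continue
        last = record.get(entry["ip"])
        if last is not None and entry["time"] - last < window:
            continue  # already notified recently; don't harass them
        record[entry["ip"]] = entry["time"]
        plans.append({"ip": entry["ip"],
                      "contacts": contact_candidates(entry["ip"]),
                      "body": build_report(entry)})
    return plans


if __name__ == "__main__":
    seen = {}
    for plan in plan_notifications(SAMPLE_LOG, seen):
        print(f"would notify {plan['contacts'][0]} (fallbacks: {plan['contacts'][1:]})")
        print(plan["body"])
```

On the sample log the two probes from 207.172.11.232 are 29 minutes apart, so they collapse into a single notification, while 192.0.2.77 gets its own; the ordinary `/index.html` request is ignored. Hooking the output up to a mailer is the part John already has in his Perl delivery program.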

-
Subscription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org