Curious HTTP GET commands ...
John Chambers
jc at trillian.mit.edu
Sat Aug 4 21:40:10 EDT 2001
--------
Well, what I'd do is look in apache's access_log file, where for example
I find a line that starts:

207.172.11.232 - - [04/Aug/2001:20:11:27 -0400] "GET /default.ida?XXXXXXXXXXXXXX...

This tells me the IP address that the attack came from, and the
precise time. A script could look up the address, though it need not,
since you can use IP addresses in email addresses with most unix-type
mailers. You'd try to send a message to postmaster at 207.172.11.232
and/or webmaster at 207.172.11.232 first. If those fail, you'd try
postmaster at 207.172.11.1 and webmaster at 207.172.11.1, which is almost
always a locally important machine. You'd also want to have the
script leave a record of where it has sent messages, so you don't
harass them too often.

Part of the job is already half done, since I have a mail delivery
program in perl, which I wrote so that I could get good information
about how some email was failing. I learned a few things about what
passes for SMTP servers these days, of course. It already knows how
to make a series of reasonable probes for alternatives if a first
attempt fails, so adding a few more things like this would be pretty
easy. All I really need is a wrapper around it that extracts lines
from the apache log and generates a short message explaining what
happened. Maybe I'll try it and see if I get any interesting replies.

The biggest problem is that the culprits are mostly MS systems, and a
lot of them probably lack postmaster and webmaster pseudo-users. I
wonder what would be some other good guesses for names?
| That's a good idea! Any thoughts on how you would do it?
|
| At 12:23 PM 8/4/01 +0000, you wrote:
| >--------
| >
| >| I'm pretty sure that the .ida files are an IIS thing. But I'm not 100%
| >| sure. I try to stay away from IIS whenever possible. :-)
| >
| >OTOH, I'm tempted to write a default.ida script that sends a message
| >to the postmaster and webmaster at the source machine, informing them
| >that someone (possibly Code Red) is staging an attack from their
| >machine. This might help convince some of them that they have a
| >problem, and we know who they are.
|
| Drew Taylor
| mailto:drew at drewtaylor.com
| http://www.drewtaylor.com/
|
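As an added example (not code from John's message, nor his Perl mailer), here is a Python sketch of the wrapper he describes: it parses Apache common-log lines, flags GET requests for /default.ida, builds the postmaster/webmaster address list (the source host first, then the .1 address of the same /24) using the RFC 5321 address-literal form user@[a.b.c.d], keeps a ledger so one source is not notified more often than a chosen interval, and drafts the notice text. It does not send mail; the sample log lines, the 192.0.2.x and 198.51.100.x addresses (documentation ranges), and the one-day interval are all constructed for this example.

```python
"""Scan Apache access_log lines for Code Red style probes and draft abuse notices.

Added example for the discussion above; none of the addresses or log lines are real.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Apache common/combined log prefix: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_log_line(line):
    """Return a dict of fields (time as an aware datetime), or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    try:
        ev["time"] = datetime.strptime(ev["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return ev


def is_code_red_probe(target):
    """The probe in the log above is a GET for /default.ida with a long filler query string."""
    path, _, _query = target.partition("?")
    return path.lower() == "/default.ida"


def contact_addresses(ip):
    """postmaster/webmaster at the source host, then at x.y.z.1 of the same /24.

    Addresses use the RFC 5321 address-literal form so no DNS lookup is needed.
    Only IPv4 sources are handled; anything else yields no addresses.
    """
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return []
    host = str(addr)
    gateway = str(ipaddress.IPv4Address((int(addr) & 0xFFFFFF00) | 1))
    addrs = [f"postmaster@[{host}]", f"webmaster@[{host}]"]
    if gateway != host:
        addrs += [f"postmaster@[{gateway}]", f"webmaster@[{gateway}]"]
    return addrs


class NotificationLedger:
    """Remembers when each source was last notified so it is not mailed too often."""

    def __init__(self, min_interval=timedelta(days=1)):  # interval is an assumption
        self.min_interval = min_interval
        self.last_sent = {}  # ip -> aware datetime of last notice

    def should_notify(self, ip, when):
        last = self.last_sent.get(ip)
        return last is None or when - last >= self.min_interval

    def record(self, ip, when):
        self.last_sent[ip] = when


def build_notice(ev):
    """Short plain-text explanation of what was seen, as the message body."""
    return (
        f"At {ev['time'].isoformat()} the host {ev['ip']} sent this web server the request\n"
        f"  {ev['method']} {ev['target']}\n"
        "This is the request pattern used by the Code Red worm against IIS. "
        "The machine at that address is probably compromised and scanning others.\n"
    )


def process_log(lines, ledger):
    """Return one draft notice per source that warrants a fresh notification.

    Throttling uses the event timestamp rather than the wall clock so that
    replaying an old log gives deterministic results.
    """
    notices = []
    for line in lines:
        ev = parse_access_log_line(line)
        if ev is None or not is_code_red_probe(ev["target"]):
            continue
        if not ledger.should_notify(ev["ip"], ev["time"]):
            continue
        ledger.record(ev["ip"], ev["time"])
        notices.append({"ip": ev["ip"], "to": contact_addresses(ev["ip"]), "body": build_notice(ev)})
    return notices


# Constructed sample: one normal hit, two probes from the same host five minutes apart
# (the second is throttled), one probe from another host, and one malformed line.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/2001:20:11:27 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 284',
    '192.0.2.55 - - [04/Aug/2001:20:12:02 -0400] "GET /index.html HTTP/1.1" 200 1532',
    '192.0.2.10 - - [04/Aug/2001:20:16:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 284',
    '198.51.100.7 - - [04/Aug/2001:21:03:11 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 284',
    'this line is not an access_log record',
]

if __name__ == "__main__":
    for notice in process_log(SAMPLE_LOG, NotificationLedger()):
        print("To:", ", ".join(notice["to"]))
        print(notice["body"])
```

The ledger here is in memory; a real wrapper would persist it (a flat file keyed by IP is enough) so repeated runs over a growing log keep honouring the interval, and would hand the address list and body to the mailer, trying the host addresses first and falling back to the .1 addresses only when those bounce.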
-
Subscription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).