[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] The Code-Red Worm is attacking... GOD it's attacking.
- Subject: Re: [cobalt-security] The Code-Red Worm is attacking... GOD it's attacking.
- From: Carrie Bartkowiak <ravencarrie@xxxxxxxx>
- Date: Thu, 19 Jul 2001 21:00:51 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Thu, 19 Jul 2001 15:42:26 -0700 (PDT), shimi wrote:
>>
>>cat /var/log/httpd/access | grep .ida | wc -l
A note on this:
I output the lines from the access file to a text file so I could
read them. Shimi's command above allows grep to include anything with
"Guidant IE5" in it - which I found were real requests for pages.
The attempted attack comes in the form of (in my logs, anyway):
default.ida?NNNNNNNNNNNNNNN <insert a hundred more N's here and
another huge long string of gibberish>.
So I changed Shimi's grep to:
cat /var/log/httpd/access | grep .ida? | wc -l
And it cut down the number to the true attempts - 247.
Still... sheesh.
If you want to pipe it to a file, run:
cat /var/log/httpd/access | grep .ida? > worm.txt
and then read worm.txt to see what's going on.
--
Carrie Bartkowiak, ravencarrie@xxxxxxxx on 07/19/2001