RE: [cobalt-security] The Code-Red Worm is attacking
- Subject: RE: [cobalt-security] The Code-Red Worm is attacking
- From: "njd" <njd76@xxxxxxxxxxx>
- Date: Fri, 20 Jul 2001 10:46:02 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Point blank, do I need to be worried about this worm with my RAQ4i? I have a couple
of requests.
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of Carrie
Bartkowiak
Sent: Thursday, July 19, 2001 9:01 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] The Code-Red Worm is attacking... GOD
it's attacking.
On Thu, 19 Jul 2001 15:42:26 -0700 (PDT), shimi wrote:
>>
>>cat /var/log/httpd/access | grep .ida | wc -l
A note on this:
I output the lines from the access file to a text file so I could
read them. Shimi's command above allows grep to include anything with
"Guidant IE5" in it - which I found were real requests for pages.
The attempted attack comes in the form of (in my logs, anyway):
default.ida?NNNNNNNNNNNNNNN <insert a hundred more N's here and
another huge long string of gibberish>.
So I changed Shimi's grep to:
cat /var/log/httpd/access | grep .ida? | wc -l
And it cut down the number to the true attempts - 247.
Still... sheesh.
If you want to pipe it to a file, run:
cat /var/log/httpd/access | grep .ida? > worm.txt
and then read worm.txt to see what's going on.
--
Carrie Bartkowiak, ravencarrie@xxxxxxxx on 07/19/2001
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
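
Added example (not part of the original messages): a stricter form of the log check discussed above. It matches only the request field, so a user-agent such as "Guidant IE5" is not counted, and it also tallies the probes per source address. The function names, the 8-N threshold and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names, the
# 8-N threshold and the sample log lines are constructed assumptions.

# Anchor on the quoted request field: method, a path ending in ".ida",
# a literal "?", then a run of N's as described in the message.
IDA_PATTERN='"(GET|HEAD|POST) [^" ]*\.ida\?N{8,}'

# The loose match from the thread: "." is any character, so "uida" in
# "Guidant" or "lida" in "holiday" also hit.
count_loose_matches() { grep -c '.ida' "$1" || true; }

# Number of requests that look like the worm probe.
count_ida_probes() { grep -cE "$IDA_PATTERN" "$1" || true; }

# Probe count per source address, busiest first.
list_ida_sources() {
    grep -E "$IDA_PATTERN" "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Constructed sample: three probes from two hosts, three ordinary requests.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [19/Jul/2001:14:02:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN_constructed_tail HTTP/1.0" 404 205 "-" "-"
192.0.2.10 - - [19/Jul/2001:14:05:40 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN_constructed_tail HTTP/1.0" 404 205 "-" "-"
198.51.100.7 - - [19/Jul/2001:14:09:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN_constructed_tail HTTP/1.0" 404 205 "-" "-"
203.0.113.5 - - [19/Jul/2001:14:10:17 -0400] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Guidant IE5)"
203.0.113.9 - - [19/Jul/2001:14:11:45 -0400] "GET /docs/holiday.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [19/Jul/2001:14:12:03 -0400] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
EOF
}

# Run against a real log when a path is given, e.g. /var/log/httpd/access
if [ $# -gt 0 ]; then
    echo "loose matches:  $(count_loose_matches "$1")"
    echo "probe requests: $(count_ida_probes "$1")"
    list_ida_sources "$1"
fi
```

On the constructed sample the loose pattern counts five lines, while the anchored pattern counts the three probe requests from two source addresses.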