Re: [cobalt-security] The Code-Red Worm is attacking... GOD it's attacking.
- Subject: Re: [cobalt-security] The Code-Red Worm is attacking... GOD it's attacking.
- From: Carrie Bartkowiak <ravencarrie@xxxxxxxx>
- Date: Fri, 20 Jul 2001 10:53:00 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Fri, 20 Jul 2001 09:00:44 +0200, Andre Bonhote mumbled something like:
>>Sorry to be teacherish, but why the two pipes? I mean
>>grep '\.ida' /var/log/httpd/access | wc -l
>>does the job. Just quote the period and it's not a regexp anymore.
Don't apologize for being teacherish; it helps!
I piped it twice because Shimi piped it twice, and to be honest I
didn't know it could be written the way that you did it. I thought
that to look through a file you had to 'cat' or 'head' the file and
pipe the output through grep.
*sheepish look*
I know now, though! Thank you!
>>Where's the problem? I mean, 247 hits, in a not mentioned timespan
>>nothing new, right? We don't run Winslows boxes, so we don't have
>>to care. Tell me when I am completely wrong there.
Well from reading some of the URLs posted, I learned that infected
boxes start scanning the same first IP and then generate a set of
random IPs to scan based off of that one. For each instance of the
worm the infected machine runs 9 threads (10 if it's not an English
machine) looking to infect other machines, and many machines end up
scanning the same IPs over and over. They re-infect each other,
causing more instances of the worm and threads...scanning the same
IPs...
And it just means a major rise in hits to our servers if we get into
the random IP generation. These wasted hits will skyrocket our
bandwidth and could (if there were enough of them) effectively
provide a denial of service to our machines simply from the mass
traffic. I realized, after I wrote that, that the 247 hits was from
the entire day (since I was looking through the access log that had
been flushed out at 4:01 am) rather than just one hour, which was my
original thought process.
So no, you're right, 247 wasted hits in one day (compared to one
hour) isn't much; but I worry because my IPs are getting into that
random generation. When someone sees what a failure the attack was on
whitehouse.gov (aiming directly for the IP rather than the FQDN
itself) they'll re-write it and make it better - already have, I
think, since the # of infected machines jumped massively between 4am
and noon yesterday - and so I worry that next month when this
rewritten thing rolls around again, I'm going to be offline simply
from wasted requests from infected machines - an effective denial of
service.
Am I off-base here, worrying too much?
--
CarrieB
Space for rent! I need spiffy quotes for my sig line!
Help! Email me your suggestions today!
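The counting this thread is doing by hand (total ".ida" probes, how many distinct hosts sent them, and the per-hour rate versus the whole-day figure) as an added shell example; it is not code from the original posts, and the log path and the sample log lines are constructed assumptions:

```shell
#!/bin/sh
# Added example (not from the original thread): count Code Red ".ida" probes
# in an Apache common-log-format access log, per hour and per source host.
# Usage: count_ida_hits /var/log/httpd/access   (path as mentioned in the thread)

# Constructed sample log lines in Apache common log format (not real traffic).
SAMPLE_LOG='10.0.0.5 - - [19/Jul/2001:04:12:31 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 281
10.0.0.5 - - [19/Jul/2001:04:13:02 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 281
10.0.0.9 - - [19/Jul/2001:05:40:17 -0400] "GET /index.html HTTP/1.0" 200 1532
10.0.0.7 - - [19/Jul/2001:05:41:08 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 281
10.0.0.9 - - [19/Jul/2001:12:02:55 -0400] "GET /docs/ida.html HTTP/1.0" 200 80'

# Total probe requests. The period is escaped so it is a literal "." rather
# than a regexp wildcard, and the full "/default.ida" keeps other pages out.
count_ida_hits() {
    grep -c 'GET /default\.ida' "$1"
}

# Distinct source IPs that sent probes: roughly how many infected hosts hit us.
count_ida_sources() {
    grep 'GET /default\.ida' "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Probes per hour, printed as "DD/Mon/YYYY:HH count", so a day total can be
# compared against the per-hour rate the thread was worried about.
ida_hits_per_hour() {
    grep 'GET /default\.ida' "$1" | awk '{print substr($4, 2, 14)}' \
        | sort | uniq -c | awk '{print $2, $1}'
}

# Writes the constructed sample to a file so the functions can be tried offline.
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}
```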