
RE: [cobalt-security] New (nimda) WORM [RAQ3]



 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> cat /var/log/httpd/access | grep cmd.exe | wc -l
> 
> I have been hit 236 times so far... is there anything I can
> do to stop it?
> I know it's not going to infect a Cobalt server, but I'd guess
> it's slowing me down.

Actually, it is also looking for servers infected by the various strains of
Code Red also, i.e. not all the hits are for cmd.exe; some are for root.exe.
Therefore, your grep is missing some of the hits. Try:

# grep -c '\.exe' /var/log/httpd/access

BTW, at 236 count yourself lucky, our server was hit 26000 yesterday and
12000 since log rotation :(

J. Patrick Lanigan, Web Developer
URLtek LLC, Web Solutions
- ----------------------------------------
  w: http://www.urltek.com/
  w: http://www.metaplanets.com/
  w: http://www.laniganonline.com/
- ----------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO6kif4lmdkS/cGLOEQKzhwCfeGItADRXlN4gKpzxdIU/P0GggRYAoPG0
r9cCz0/6oPDxTthndKoWiMq/
=QYDH
-----END PGP SIGNATURE-----
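
An added example, not part of the original message: a small script that counts cmd.exe and root.exe probes separately and totals them per source address, so ordinary .exe downloads are not counted as worm hits. The log lines are constructed, and the script assumes the common log format, where the request path is field 7; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines (documentation address ranges), common log format.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [18/Sep/2001:10:01:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
192.0.2.10 - - [18/Sep/2001:10:01:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
198.51.100.7 - - [18/Sep/2001:10:02:10 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
198.51.100.7 - - [18/Sep/2001:10:02:11 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
203.0.113.5 - - [18/Sep/2001:10:03:00 -0400] "GET /index.html HTTP/1.0" 200 1024
203.0.113.5 - - [18/Sep/2001:10:03:05 -0400] "GET /downloads/setup.exe HTTP/1.0" 200 50000
203.0.113.5 - - [18/Sep/2001:10:03:09 -0400] "GET /docs/annexes.html HTTP/1.0" 200 2048
EOF
}

# Count requests whose last path segment equals NAME (case-insensitive),
# ignoring the query string. Reads the log on stdin.
count_probe() {
    awk -v name="$1" '
        { path = tolower($7); sub(/[?].*/, "", path)
          n = split(path, seg, "/")
          if (seg[n] == name) hits++ }
        END { print hits + 0 }'
}

# Per-source totals of cmd.exe and root.exe probes, busiest source first.
probes_by_source() {
    awk '
        { path = tolower($7); sub(/[?].*/, "", path)
          n = split(path, seg, "/")
          if (seg[n] == "cmd.exe" || seg[n] == "root.exe") c[$1]++ }
        END { for (ip in c) print c[ip], ip }' | sort -k1,1nr -k2,2
}

# An unanchored ".exe" pattern also matches setup.exe and "annexes".
echo "lines matching .exe: $(sample_log | grep -c '.exe')"
echo "cmd.exe probes:      $(sample_log | count_probe cmd.exe)"
echo "root.exe probes:     $(sample_log | count_probe root.exe)"
echo "probes per source:"
sample_log | probes_by_source
```

To run it against a real log, feed the file to the functions on stdin in place of `sample_log |`, for example `count_probe root.exe < /var/log/httpd/access`.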