
SV: [cobalt-security] Nimba scanner shell script



Hi,

I have installed your 2 php pages on 2 different raqs (raq4r and raq3i)
Here is the result.

----------
Raq3i:

This server has received 0 scans for "/script/root.exe" from 0 different IP
addresses!
The server has been attacked 47 times by the Code Red Virus from 0 different
IP Addresses!!!!

Raq4r:

This server has received 0 scans for "/script/root.exe" from 453 different
IP addresses!
The server has been attacked 102 times by the Code Red Virus from 102
different IP Addresses!!!!

-----------
Something with the relationship between numbers does not seem correct. 0
times from 453 IPs and 47 times from 0 IPs?

What is wrong here? And what kind of files are not present on the two raq for
this result to show numbers like this..

I am trying to find out what happened 2 days ago on the raq3 because it
had a big error log file with a size of 2000 mb (2Gb)! A few hours later it
was normal size again..? So this could maybe help me sort out this mystery
(and then I can sleep again, not afraid that our servers are hacked and
compromised).

Kai R Schantz
Euroweb AS

Glen,

I have converted your shell script into a PHP web page.

For those that are interested, just place the script on your Cobalt server.

<!-------- Beginning of code ---->
<html><head>

<title>PERL Worm Scanner by [kjv]</title>

</head>

<body>

<B><H3>Code Red, Nimda and Other Worm Scanner </H3></B>

By <a href="mailto:webmaster@xxxxxxxxxxxxx">Kham Vue</a><br>

<a href="http://www.sengtroni.com">www.sengtroni.com</a><br>

Original SHELL script by Glenn Scott glen@xxxxxxxxxxxxxxxxxxxxx

<P>

This server has received <B>

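<? // Keep the command on one line: a line break inside the string ends the grep command before its pattern.
system("cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | wc -l") or die ("Could not open web logs!");?>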

</B> scans for <i>"/scripts/root.exe"</i> from <b>

<? // cut needs a one-character delimiter: split on a space and take field 2 as the client address.
system("cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | cut -d ' ' -f2 | sort | uniq | wc -l");?>

</b> different IP addresses! <BR>

The server has been attacked <B>

<?system("cat /var/log/httpd/access | grep '/default.ida'|wc -l")?>

</b> times by the Code Red Virus from <b>

<? // Same counting as above for Code Red requests; the delimiter is a single space.
system("cat /var/log/httpd/access | grep '/default.ida' | cut -d ' ' -f2 | sort | uniq | wc -l");?>

</b> different IP Addresses!!!!

<P><HR>

This script comes "as is". Any modifications, please update the author via
email.

</body></html>

<!----- End of Code -->

--------------------------------------------------------------
Kham Vue
Internet Admin
The City of Wadsworth
WADSNET.COM High Speed Internet Service
kvue@xxxxxxxxxxx
" If you continue to think the way you've always thought,
then you will continue to get what you always got!"


_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
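
Added example, not part of either message and not the original shell script: the same two counts done in a single awk pass per signature, with the client-address column passed as a parameter and an unreadable log reported as an error instead of as a zero count. The function names, the sample log lines and the assumed layout (virtual host in column 1, client address in column 2, matching the `-f2` in the posted page) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the script from the thread.

# count_hits PATTERN COLUMN LOGFILE
#   Prints "<requests> <distinct clients>" for lines containing PATTERN as a
#   literal substring. COLUMN is the whitespace-separated field that holds the
#   client address. Returns non-zero when the log cannot be read, so
#   "0 requests" and "could not open the log" are not confused.
count_hits() {
    [ -r "$3" ] || { echo "cannot read $3" >&2; return 1; }
    awk -v pat="$1" -v col="$2" '
        index($0, pat) {
            hits++
            if (!($col in seen)) { seen[$col] = 1; clients++ }
        }
        END { printf "%d %d\n", hits, clients }
    ' "$3"
}

# Constructed sample log. Assumed layout: virtual host, then client address.
write_sample_log() {
    cat > "$1" <<'EOF'
www.example.com 192.0.2.10 - - [20/Sep/2001:10:00:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
www.example.com 192.0.2.10 - - [20/Sep/2001:10:00:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
www.example.com 198.51.100.7 - - [20/Sep/2001:10:05:00 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
www.example.com 203.0.113.5 - - [20/Sep/2001:11:00:00 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 276
www.example.com 192.0.2.10 - - [20/Sep/2001:11:01:00 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 276
www.example.com 192.0.2.44 - - [20/Sep/2001:11:02:00 +0000] "GET /index.html HTTP/1.0" 200 1024
EOF
}

# report LOGFILE COLUMN: the two pairs of counts the PHP page displays.
report() {
    nimda=$(count_hits '/scripts/root.exe?/c+dir' "$2" "$1") || return 1
    codered=$(count_hits '/default.ida' "$2" "$1") || return 1
    echo "root.exe probes: ${nimda% *} from ${nimda#* } addresses"
    echo "default.ida requests: ${codered% *} from ${codered#* } addresses"
}

log=$(mktemp) && write_sample_log "$log" && report "$log" 2
rm -f "$log"
```

The number of distinct addresses can never exceed the number of requests, so a result where it does points at the counting command or the column choice rather than at the log.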