Off Topic: CodeRed Virus
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Off Topic: CodeRed Virus
- From: Wolfgang Zeikat <w_(_dot_)_zeikat_(_at_)_webseek_(_dot_)_de>
- Date: Sat, 8 Sep 2001 13:37:31 +0200
I wrote two bash scripts to handle HTTP requests from CodeRed-infected machines.

The first one extracts the typical lines from Apache logs and sends the output to redalert_(_at_)_dshield_(_dot_)_org.

The second one does whois lookups at whois.RIPE.net for the IPs of those machines and notifies the tech-c email address automatically. It also contains various known IP blocks with their respective abuse email addresses and will use those addresses for notifications.

The second script will work best on European servers in its current form. For non-European IPs, and thus for whois.ARIN.net lookups, it would have to be modified, since ARIN uses a different whois database format. So the second script should mostly be of interest if your HTTP server is located in Europe (reminder: Code Red mostly scans the IP neighbourhood). Some non-EU networks' IP blocks and their abuse addresses have been added though, so those would be notified too.
http://test.skepcat.com/Coderedcheck.zip
for info about Code Red see
http://www.incidents.org/react/code_redII.php
cheers
wolfgang
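As an added illustration of the first script's log-extraction step (this is not Wolfgang's code, which is only available from the zip above), the following POSIX shell functions pull the Code Red probe lines out of an Apache access log and summarise the probing source IPs. The sample log lines are constructed; the `default.ida?` request pattern is the well-known Code Red I (`N` padding) and Code Red II (`X` padding) probe.

```shell
#!/bin/sh
# Added example, not the poster's script: find Code Red probes in an Apache
# combined-format access log and list the hosts that sent them.
# Constructed sample log; the worm's probe is "GET /default.ida?NNN..." (Code
# Red I) or "GET /default.ida?XXX..." (Code Red II) followed by a %u-encoded tail.
SAMPLE_LOG='10.0.0.5 - - [08/Sep/2001:13:37:31 +0200] "GET /index.html HTTP/1.0" 200 1234
192.0.2.10 - - [08/Sep/2001:13:38:02 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 278
198.51.100.7 - - [08/Sep/2001:13:39:15 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 278
192.0.2.10 - - [08/Sep/2001:13:41:44 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 278
10.0.0.5 - - [08/Sep/2001:13:42:00 +0200] "GET /robots.txt HTTP/1.0" 200 60'

# codered_lines: read a log on stdin, print only lines carrying the probe.
# Matching on the literal "/default.ida?" plus the N/X padding keeps ordinary
# 404s for other paths out of the report.
codered_lines() {
    grep -E '"GET /default\.ida\?[NX]+'
}

# codered_sources: read a log on stdin, print "count ip" per probing host,
# busiest first. This is the list a whois/abuse notification step would use.
codered_sources() {
    codered_lines | awk '{print $1}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | codered_sources
```

Feed a real log with `codered_sources < /var/log/apache/access_log` (path assumed); the output is what you would pass on to the whois and notification stage.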