
RE: [cobalt-users] The Code-Red Worm is attacking... GOD it's attacking.



On Fri, 20 Jul 2001, Gavin Nelmes-Crocker wrote:

> > > When I do this
> > >
> > > cat /var/log/httpd/access | grep .ida | wc -l
> > >
> 
> Hi all, it's important to realize that this will also return lines with
> hol'ida'y in, as it did on my box. I discovered a response of 1 this morning
> and 10 this afternoon; fearing the worst, I looked deeper and found this
> answer. Maybe it would be better to change this command to
> 
>  cat /var/log/httpd/access | grep default.ida | wc -l
> 
> Maybe this will create fewer false alarms.
> 
> Gavin

I don't know why, but I never thought of a dot as a wildcard (and thus only
filenames with .ida in them should show, in my opinion). Taking that into
account with the fact that the Cobalts *do not* resolve hostnames... even
if you *do* have false reports, they're false reports.

Remember, that thing doesn't even *tickle* non-IIS servers... I was just
worried that I saw 900 connections in one hour, and I saw in reports over
the net that this number should grow in an exponential way, so I wanted to
warn people of *bandwidth* consumption.

Also, people reported that now all of the attacks have stopped (which is
logical, as the whole world is now after July 20th, whether or not they set
their clock to UTC...).

Please do remember that uncleaned machines (IIS machines, again)
*should* be attacking again in about 10 days with larger effect. All that,
if the guys who analyzed the worm's assembly were correct (so far, they
were...).

- shimi.
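As an added illustration of the false-positive point in this thread (not part of the original mail), the functions below run the two grep patterns over a few constructed Apache-style log lines with hypothetical IPs and paths. The unescaped dot in `grep .ida` matches "holiday", while an escaped, anchored pattern counts only requests for `default.ida`; a per-hour breakdown helps watch the request volume the thread worries about.

```shell
#!/bin/sh
# Added example, not from the original thread. SAMPLE_LOG is constructed:
# the IPs, paths and query string are placeholders, not real captured traffic.
SAMPLE_LOG='10.0.0.1 - - [19/Jul/2001:10:00:01 +0000] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276
10.0.0.2 - - [19/Jul/2001:10:05:12 +0000] "GET /holiday/photos.html HTTP/1.0" 200 1024
10.0.0.3 - - [19/Jul/2001:10:07:40 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.4 - - [19/Jul/2001:11:00:00 +0000] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276'

# Naive count from the thread: in a regex '.' matches any character,
# so '.ida' also hits "hol(lida)y" and inflates the number.
count_naive() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c '.ida'
}

# Precise count: escape the dot and require the request form the worm
# uses, so only probes for /default.ida with a query string are counted.
count_codered() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c -E '"GET /default\.ida\?'
}

# Per-hour breakdown of matching probes (date:hour -> count), sorted,
# to see whether the rate is growing rather than just the total.
codered_by_hour() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E '"GET /default\.ida\?' \
        | awk '{ sub(/^\[/, "", $4); split($4, t, ":"); h[t[1] ":" t[2]]++ }
               END { for (k in h) print k, h[k] }' | sort
}
```

Replace `printf '%s\n' "$SAMPLE_LOG"` with `cat /var/log/httpd/access` to run the same checks against a real log.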