Re: [cobalt-users] Code Red variations
- Subject: Re: [cobalt-users] Code Red variations
- From: Carrie Bartkowiak <ravencarrie@xxxxxxxx>
- Date: Mon Aug 6 19:11:11 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Mon, 6 Aug 2001 18:44:12 +0100, Phil Beynon mumbled something like:

>>last week attempts all
>>started with NNNNNNNN a lot of them after the weekend seem to start
>>with XXXXXXXX

I'm still getting attempts with both NN and XX. Don't worry too much
about it, as it can't affect your Linux box (yet - wait for version
3/4). Just keep an eye on it and see if you can get your ISP or NOC
to block those attempts, if they can...

Hmm, that makes me wonder. I have an idea!

How about making a default server-wide page (like how an error
document is set up) that responds to "default.ida?*"
Requests to that could be redirected to a script (CGI or PHP) that
grabbed the IP of the machine and tossed it into IPChains to be
denied. It wouldn't stop the first request from each machine, of
course, but it would stop any repeated requests.

Which begs the question - ARE there any repeated requests? I haven't
looked in my logs for this, maybe someone else already has.

Another idea is that the script would generate a whois on the IP and
fire off an email to the IP's owner or upstream alerting them that
they're infected and to take action?

Dunno, just trying to come up with some kind of response other than
sitting here helplessly watching my logs and stats fill up with this
useless crap...

--
CarrieB
"The point to remember is that what the government gives, it must
first take away." --John S. Coleman
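
The log check and blocking idea from the message above, as an added example that is not part of the original post: it counts default.ida requests per source IP and per NN/XX variant, then builds ipchains deny rules for sources that came back. It assumes Apache common log format with IP addresses in the client field; the log lines are constructed and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (documentation IP ranges, shortened queries).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2001:18:01:02 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [06/Aug/2001:18:03:40 +0100] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
203.0.113.5 - - [06/Aug/2001:18:04:11 +0100] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [06/Aug/2001:18:09:55 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
not-an-ip - - [06/Aug/2001:18:10:00 +0100] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
"""

# Client field, then a GET for default.ida whose query starts with N or X.
PROBE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /default\.ida\?([NX])')

def count_probes(log_text):
    """Return (hits per source IP, hits per variant letter)."""
    hits, variants = Counter(), Counter()
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if not m:
            continue
        try:
            # Only a parsed IP address may ever reach a firewall command;
            # hostnames or junk in the client field are skipped.
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
        hits[ip] += 1
        variants[m.group(2)] += 1
    return hits, variants

def repeat_sources(hits, threshold=2):
    """Sources seen at least `threshold` times: the 'repeated requests' question."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def deny_rules(ips):
    """Build ipchains commands as text for review; nothing is executed here."""
    return [f"ipchains -A input -s {ip} -j DENY" for ip in ips]

if __name__ == "__main__":
    hits, variants = count_probes(SAMPLE_LOG)
    print("per source:", dict(hits))
    print("per variant:", dict(variants))
    for rule in deny_rules(repeat_sources(hits)):
        print(rule)
```

Parsing the client field as an IP address before it goes into a rule is the step a CGI or PHP version of this would need as well, since that value ends up on a root command line.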