
[cobalt-users] Want to watch the fun with the Code Red and its new variant?



I was getting a little curious as to who exactly was responsible for all the Code Red Worm hits on our Cobalt Servers, so I knocked up a quick shell script to provide the info - I've only tested on RAQ3 so if the paths of any shell commands and/or the main web server log differ, please amend before installing.

Note: Don't let anyone know where you hid this script - it's potentially a bandwidth hog if you have people clicking on the logfile entries to view them (they're sorted by domain on your server, so they don't help a lot other than showing the actual entries).

This script is provided "as-is" with no implied or expressed warranties - use it at your own risk and don't email me if it breaks your server, or opens it up to some kind of abuse (it won't - but I'm not responsible if it mutates or something).

Installation instructions:

Put the script into a CGI-BIN folder, give it execute permissions (755 or similar) and call it from your browser - you can call it anything you want - I'm not suggesting any name, that way, no-one else can access it!

ps - I'd be interested in what kind of numbers pop out for total attempted break-ins, and the percentage of new to old worm variants!

regards

Greg


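#!/bin/sh
# CGI report: count Code Red hits recorded in the main web server log.

# CGI header; the blank line after it ends the headers and starts the body.
echo "content-type: text/html

<H1>Getting Code Red Data...</H1>
"

# Refuse to run while another request is still counting.
if [ -f "coderedlock.txt" ]
then
   echo 'Code Red counts in progress - please try again in a few minutes'
   exit 0
fi

touch coderedlock.txt
# Remove the lock even if a command below fails part-way through.
trap 'rm -f coderedlock.txt' 0

# First run: make sure the history file exists before it is read.
touch coderedhistory.txt

# Pull out the log lines carrying either variant's padding run.
egrep 'XXXXXXXXXX|NNNNNNNNNN' /home/log/httpd/access > ./coderednow.txt

# Merge with earlier runs, dropping lines that were already recorded.
cat coderednow.txt coderedhistory.txt | sort -u > ./coderedunique.txt
cat coderedunique.txt > coderedhistory.txt

echo "<P><TABLE BORDER=0><TR><TD>
Count of Code Red Attacks:
</TD><TD>
`cat coderedhistory.txt | wc -l`
</TD></TR>"

# Field 2 of each log line is the originating IP; count hits per IP, busiest first.
cat coderedhistory.txt | cut -d' ' -f2 | sort | uniq -c | sort -r -n > coderedcount.txt

echo "<TR><TD>
Count of Old (&quot;NNN&quot;) Code Red Attacks:
</TD><TD>`grep 'NNNNNNNNNN' coderedhistory.txt | wc -l`</TD></TR>
<TR><TD>Count of NEW (&quot;XXX&quot;) Code Red Attacks:</TD><TD>
`grep 'XXXXXXXXXX' coderedhistory.txt | wc -l`</TD></TR>

<TR><TD>Unique IPs issuing Code Red Attacks:</TD><TD>
`cat coderedcount.txt | wc -l`</TD></TR>
</TABLE></P>"

echo "<P><A HREF=\"/cgi-bin/coderedcount.txt\">Here are the counts by
 originating IP</A></P>"

echo "<P><A HREF=\"/cgi-bin/coderedhistory.txt\">Here are the Hits
 themselves - <BR><pre>`ls -l coderedhistory.txt`</pre></A></P>"
rm -f coderedlock.txt
exit 0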
-- 
http://www.webyourbusiness.com/
Providers of E-Commerce Software &
Web Design Consultancy and Services.
PH: (970)266-0195 FAX: (970)266-0158
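
The counting step from the script above, as an added example that is not part of the original post: it matches the padding run only inside the quoted request line, skips duplicate lines the way `sort -u` does, and reports the new-variant percentage the post asks about. Assumptions: the log layout implied by `cut -f2` (field 1 virtual host, field 2 client IP); the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the original poster's script.
# Assumed log layout: field 1 = virtual host, field 2 = client IP.

# codered_summary: read access-log lines on stdin, print one summary line.
codered_summary() {
    awk '
    {
        # Skip exact duplicate lines (same effect as sort -u in the script).
        if ($0 in dup) next
        dup[$0] = 1
        # Inspect only the quoted request line, so a padding run that shows
        # up in a Referer or User-Agent field is not counted as a hit.
        if (split($0, q, "\"") < 3) next
        req = q[2]
        if (req ~ /NNNNNNNNNN/)      n_old++
        else if (req ~ /XXXXXXXXXX/) n_new++
        else next
        if (!($2 in seen)) { seen[$2] = 1; ips++ }
    }
    END {
        total = n_old + n_new
        pct = total ? int(100 * n_new / total + 0.5) : 0
        printf "total=%d old=%d new=%d unique_ips=%d new_pct=%d\n",
               total, n_old, n_new, ips, pct
    }'
}

# Constructed sample lines (documentation addresses, padding run shortened).
sample_log() {
    cat <<'EOF'
www.example.com 192.0.2.10 - - [05/Aug/2001:10:00:01 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 205
www.example.com 192.0.2.10 - - [05/Aug/2001:10:00:01 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 205
shop.example.com 198.51.100.7 - - [05/Aug/2001:10:02:13 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 205
www.example.com 198.51.100.7 - - [05/Aug/2001:10:03:40 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 205
www.example.com 203.0.113.5 - - [05/Aug/2001:10:04:02 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 205
www.example.com 203.0.113.9 - - [05/Aug/2001:10:05:00 -0600] "GET /index.html HTTP/1.0" 200 1500 "http://example.org/?q=NNNNNNNNNNNN" "Mozilla/4.0"
EOF
}

sample_log | codered_summary
```

The last sample line is an ordinary page request whose Referer happens to contain a run of N characters; a whole-line `egrep` would count it, the request-line match does not.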