Re: [cobalt-users] Code Red variations
- Subject: Re: [cobalt-users] Code Red variations
- From: flash22@xxxxxxx
- Date: Tue Aug 7 17:10:45 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Tue, 7 Aug 2001, Carrie Bartkowiak wrote:
> How about making a default server-wide page (like how an error
> document is set up) that responds to "default.ida?*"
> Requests to that could be redirected to a script (CGI or PHP) that
> grabbed the IP of the machine and tossed it into IPChains to be
> denied. It wouldn't stop the first request from each machine, of
> course, but it would stop any repeated requests.
> Which begs the question - ARE there any repeated requests? I haven't
> looked in my logs for this, maybe someone else already has.
A few, I sorted them the other day for giggles. I know a fellow who has
gotten 40K hits, he got bored and made default.ida a hit counter page to
count them...lol
What would be really nice is if colos would block *outbound* port 80
requests from web server farms, there's few good reasons for a web server
to be making requests.....sigh
>
> Another idea is that the script would generate a whois on the IP and
> fire off an email to the IP's owner or upstream alerting them that
> they're infected and to take action?
I emailed a batch of server admins, 80% bounced with undeliverable,
unreachable, no real email address....hardly surprising, these are the
folks who didn't keep up to date with patches ;0
>
> Dunno, just trying to come up with some kind of response other than
> sitting here helplessly watching my logs and stats fill up with this
> useless crap...
Look at it this way, your users see lots of web hits...(ducking)
gsh
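
The log check and IPChains idea discussed in this thread, as an added example that is not part of the original messages: it counts default.ida requests per source address in an Apache-style access log and prints ipchains deny rules for repeat sources. The sample log lines, the threshold of 2 and the function names are constructed assumptions; the rules are only printed, never executed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache common log format (documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2001:10:01:02 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [07/Aug/2001:10:07:45 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
198.51.100.7 - - [07/Aug/2001:10:09:13 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
203.0.113.5 - - [07/Aug/2001:10:11:30 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [07/Aug/2001:11:20:00 -0400] "GET /DEFAULT.IDA?NNNNNNNN HTTP/1.0" 404 276
host.example.net - - [07/Aug/2001:11:21:00 -0400] "GET /default.ida?NNNN HTTP/1.0" 404 276
"""

# Client field and request path of one access-log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+)')


def ida_hits(log_text):
    """Count default.ida requests per IPv4 source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, path = m.groups()
        if not path.lower().startswith("/default.ida"):
            continue
        try:
            # The client field comes from the log, so validate it before it
            # goes anywhere near a firewall command; hostnames are skipped.
            ip = ipaddress.IPv4Address(host)
        except ValueError:
            continue
        hits[str(ip)] += 1
    return hits


def repeaters(hits, threshold=2):
    """Sources seen at least `threshold` times (threshold is an assumption)."""
    return {ip: n for ip, n in hits.items() if n >= threshold}


def deny_rules(ips):
    """ipchains commands for review by an admin; nothing is executed here."""
    return [f"ipchains -A input -s {ip} -j DENY" for ip in sorted(ips)]


if __name__ == "__main__":
    for rule in deny_rules(repeaters(ida_hits(SAMPLE_LOG))):
        print(rule)
```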