
Re: REOT RE: [cobalt-users] OT Code Red variations



>I use CarrieB script and made the following PHP Code
>
><?php
>// Apache access log to scan. The path is fixed, so nothing user-controlled reaches the shell.
>$accesslog = "/var/log/httpd/access";
>
>echo "<b>This system has been attacked today by the Code Red worm a total of :";
>// Code Red probes request /default.ida; count every matching log line.
>system("grep default.ida " . $accesslog . " | wc -l");
>print " times.<br>";
>print "<PRE><font size='2'>";
>// system() writes the command output straight to the page, so its return
>// value (only the last line) is not printed a second time.
>system("grep default.ida " . $accesslog . " | awk '{print $2}' | sort | uniq");
>print "<BR>\n";
>print "</PRE>";
>print "<br><br>Out of the above number a total of ";
>system("grep default.ida " . $accesslog . " | awk '{print $2}' | sort | uniq | wc -l");
>print " were from unique IPs.<br>";
>?>
>
>
>I don't have to ssh in to see how bad I am being hit.  Gave up moving them
>all to hosts.deny.


Looks like perl to me, and a little less sophisticated than mine, as yours will reset when /var/log/httpd/access gets rolled over (in the middle of the night on my box), whereas mine keeps the entries in a local file (less space conscious, but I'm not that worried about 5Mb of data).

I only started looking at logs from 1st August and I've had about 30k attempts.

The largest number from any one IP is about 1,400 from a server inside BRIDGEPORT.EDU - who have since informed me that they will be blocking all servers within the Dialtone Internet blocks of IPs, as I got rude with them after a bunch of no-reply emails I'd sent them!?!?  Rude pricks!  Is anyone performing reverse lookups for the IPs at ARIN.NET?

I did lookups for about 1,800 - and found:

     43       Geurin, Joe  (JG726-ARIN)  ipadmin@xxxxxxxxxxxxx
     30       Telocity  (ZT26-ARIN)  ip-admin@xxxxxxxxxxxx
     30       DNS and IP ADMIN  (DIA-ORG-ARIN)  hostmaster@xxxxxxxxxxxxxx
     22       Pacific Bell Internet  (PIA2-ORG-ARIN)  ip-admin@xxxxxxx
     19       Center, Network Control  (NOC44-ARIN)  CompServ@xxxxxxxxxx
     17       Stollar, Andreas  (AS3414-ARIN)  abuse@xxxxxxxxxxxxx
     16       Kailian, Aram  (AK162-ARIN)  akailian@xxxxxxxxxxxxx
     15       Epoch Internet  (ZE35-ARIN)  ipadmin@xxxxxxxxx
     14       Myers, Michael  (MM520-ARIN)  icon@xxxxxxxxxxx
     11       ServiceCo LLC  (ZS30-ARIN)  abuse@xxxxxx
     11       Business Internet, Inc.  (ZI44-ARIN)  ipreq@xxxxxxxx
     10       U S WEST ISOps  (ZU24-ARIN)  abuse@xxxxxxxxxx
     10       BTI  (ZB18-ARIN)  ipadmin@xxxxxxxxxxxxxx
      9       Soulia, Cindy  (CS15-ARIN)  csoulia@xxxxxxxxxxx
      9       Radiant Communications  (ZR41-ARIN)  abuse@xxxxxxxxxxx
      9       Noc, Metronet Toronto  (MTN-ARIN)  NOCToronto@xxxxxxxxxxx
      9       Galiano, Aj  (AG138-ARIN)  neteng@xxxxxxxxxxxxxxxx
      9       Earthlink Network, Domain Administrator  (DAE4-ARIN)  arinpoc@xxxxxxxxxxxxxxxxxx
     8 @Home Network / @Work Division (NETBLK-ATWORK-6) ATWORK-6
      8    please send all abuse issue e-mails to abuse@xxxxxxxxxx
      8       Southwestern Bell Internet Services  (ZS44-ARIN)  ipadmin@xxxxxxxxxx
      8       SAVVIS A Bridge Company  (ZS36-ARIN)  ipadmin@xxxxxxxxxx
      8       Elchanani, Matanya  (ME77-ARIN)  matanya@xxxxxxxxxxxxxx
      7 @Home Network (NETBLK-ATHOME)   ATHOME                24.0.0.0 - 24.23.255.255
      7       ZoomTown.Com Operations Center  (FIA-ORG-ARIN)  hostmaster@xxxxxxxx
      7       UUNET, Technical Support  (OA12-ARIN)  help@xxxxxx
      7       Blue, Bill  (BB167-ARIN)  bblue@xxxxxxx
      6       ViaWest Internet Services  (ZV2-ARIN)  domainadmin@xxxxxxxxxxx
      6       Internet America  (ZI28-ARIN)  netmaster@xxxxxxx
      6       Cohen, Nicholas  (NC48-ARIN)  ncohen@xxxxxxxxxxxxxx
      5    for abuse issues, please contact abuse-isp@xxxxxxxxx
      5       master, Host  (HZ18-ARIN)  hostmaster@xxxxxxxxxx
      5       Reimer, Jared  (JR640-ARIN)  jbr@xxxxxx
      5       Lube, Brian  (BL551-ARIN)  ipmaster@xxxxxxx
      5       Hsu, Vicky  (VH69-ARIN)  ipadmin@xxxxxxxxx
      5       Crandall, Sean  (SC388-ARIN)  sean@xxxxxxxxxxxx
      5       Contact, Technical  (TC2560-ARIN)  techmaster@xxxxxxxxxxx
      5       Choice One OnLine, Inc.  (IC88-ARIN)  hostmaster@xxxxxxxxxxxxxxxxxxx
      4 @Home Network (NETBLK-HOME-4BLK)HOME-4BLK          24.248.0.0 - 24.255.255.255
      4       Yu, Joe  (JY62-ARIN)  Joe@xxxxxxxxxxxx
      4       Teligent, Inc.  (IT45-ARIN)  support@xxxxxxxx
      4       Mellgren, Ross  (RM1120-ARIN)  rmellgren@xxxxxxxxxxxxxxxxx
      4       Look Communications Inc.  (ZL29-ARIN)  abuse@xxxxxxx
      4       Illinois Institute of Technology  (ZI53-ARIN)  oyewole@xxxxxxx

The rest get pretty small numbers quickly, so I omitted them. It's interesting reading: anyone have a HOTMAIL account?? Anyone find their ISP on the list??


>
>>A few, I sorted them the other day for giggles. I know a fellow who has
>>gotten 40K hits, he got bored and made default.ida a hit counter page to
>>count them...lol
>
>
>Mike
>
>_______________________________________________
>cobalt-users mailing list
>cobalt-users@xxxxxxxxxxxxxxx
>To Subscribe or Unsubscribe, please go to:
>http://list.cobalt.com/mailman/listinfo/cobalt-users

-- 
http://www.webyourbusiness.com/
Providers of E-Commerce Software &
Web Design Consultancy and Services.
PH: (970)266-0195 FAX: (970)266-0158
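The two ideas in this thread, the quoted PHP tally of default.ida hits and unique source IPs, and the reply's point that such a tally should survive log rotation by keeping matched entries in a local file, combined as one added Python example (not code from either poster). The Apache log lines are constructed for the example and the archive path is whatever the caller passes.

```python
import re
from collections import Counter
from pathlib import Path

# Apache common/combined log line: leading client address, then the quoted
# request line. Only the fields this check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)')

# Constructed sample log (not from the thread); the probe query string is
# shortened to XXXX instead of the worm's long padding.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Aug/2001:02:13:44 -0600] "GET /default.ida?XXXX HTTP/1.0" 404 -',
    '10.0.0.5 - - [04/Aug/2001:02:13:49 -0600] "GET /default.ida?XXXX HTTP/1.0" 404 -',
    '192.0.2.9 - - [04/Aug/2001:02:14:02 -0600] "GET /index.html HTTP/1.1" 200 1432',
    '198.51.100.7 - - [04/Aug/2001:02:15:10 -0600] "GET /default.ida?XXXX HTTP/1.0" 404 -',
]

def is_code_red_probe(line):
    """True when the request URI contains default.ida (the Code Red .ida probe)."""
    m = LOG_RE.match(line)
    return bool(m) and "default.ida" in m.group("uri")

def summarize(lines):
    """Return (total probes, Counter of probes per client IP) over log lines."""
    per_ip = Counter(LOG_RE.match(l).group("ip") for l in lines if is_code_red_probe(l))
    return sum(per_ip.values()), per_ip

def new_probe_lines(lines, already_archived):
    """Probe lines not yet in the archive. Dedup is by exact line text, so two
    identical probes from one host within the same second collapse into one."""
    return [l for l in lines if is_code_red_probe(l) and l not in already_archived]

def archive_probes(lines, archive_path):
    """Append unseen probe lines to a local file so the tally survives log
    rotation; returns how many lines were added. Safe to re-run on the same log."""
    path = Path(archive_path)
    seen = set(path.read_text().splitlines()) if path.exists() else set()
    fresh = new_probe_lines(lines, seen)
    with path.open("a") as f:
        f.writelines(l + "\n" for l in fresh)
    return len(fresh)

if __name__ == "__main__":
    total, per_ip = summarize(SAMPLE_LOG)
    print(f"{total} Code Red probes from {len(per_ip)} unique IPs")
    for ip, n in per_ip.most_common():
        print(f"{n:6d}  {ip}")
```

Run archive_probes(lines, path) against the rotated-out log before it is deleted, then summarize(path.read_text().splitlines()) for the running total.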