Re: [cobalt-users] Code Red
- Subject: Re: [cobalt-users] Code Red
- From: Ted Behling <TBehling@xxxxxxxxxxxxx>
- Date: Thu Aug 9 06:09:13 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Off the top of my head, something like this should work:
tail -f /home/log/httpd/access | grep "\.ida" | ipchains -A input --source `sed...` -j DENY -l
Replace ... with the Sed expression to extract the IP address.
At 07:34 PM 8/9/01 +0100, Jason Vaughan wrote:
>There have been frequent threads about Code Red and even a few
>scripts to check how many times it has attacked.
>
>Here is a challenge for any top scripters out there...
>
>Write a script which monitors the access log and if it sees telltale
>signs (e.g. requests for .ida) it then blocks that IP address, using
>IPCHAINS or similar.
--------------------------------------------------------------------------
Ted Behling, Web Application Developer - Monarch Information Systems, Inc.
43 Folly Field Road, Unit 4, Hilton Head Island, SC 29928-5434
E-mail: mailto:TBehling@xxxxxxxxxxxxx
Phone/Fax: 1-800-842-7894 Local or Outside the USA: 1-843-842-7894
Cell Phone (urgent issues): 843-816-7895
Cell Phone E-mail: mailto:TedPhone@xxxxxxxxxxxxx (116 letter limit)
Web site: http://www.MonarchIS.net
--------------------------------------------------------------------------
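
One way to write the monitor the thread asks for, as an added example that is not code from either poster. It reads the log line by line because ipchains takes the address as an argument rather than on stdin. Assumptions: Apache common/combined log format, the log path from the post, and the hypothetical names `ACCESS_LOG`, `DRY_RUN`, `extract_ida_source`, `block_source`, `process_log` and `sample_log`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Apache common/combined log
# format: client address is field 1, request URI is field 7.
DRY_RUN=${DRY_RUN:-1}   # 1 = print the ipchains rule instead of installing it
SEEN=""                 # addresses already handled, space separated

# Print the client IP if the *request URI* targets .ida; print nothing else.
# Field 1 is only accepted as a dotted quad, so hostnames or junk written
# into the log can never reach the ipchains command line.
extract_ida_source() {
    printf '%s\n' "$1" | awk '
        tolower($7) ~ /\.ida([?]|$)/ &&
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }'
}

# Add one DENY rule per source; repeat hits do not append duplicate rules.
block_source() {
    case " $SEEN " in *" $1 "*) return 0 ;; esac
    SEEN="$SEEN $1"
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains -A input --source $1 -j DENY -l"
    else
        ipchains -A input --source "$1" -j DENY -l
    fi
}

# Read log lines on stdin, one at a time, and block matching sources.
process_log() {
    while IFS= read -r line; do
        ip=$(extract_ida_source "$line")
        if [ -n "$ip" ]; then block_source "$ip"; fi
    done
}

# Constructed sample lines (documentation address ranges), not real traffic.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [09/Aug/2001:06:09:13 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
198.51.100.7 - - [09/Aug/2001:06:09:14 -0400] "GET /index.html HTTP/1.0" 200 1024 "http://example.test/a.ida" "-"
192.0.2.10 - - [09/Aug/2001:06:09:15 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
host.example.test - - [09/Aug/2001:06:09:16 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
203.0.113.5 - - [09/Aug/2001:06:09:17 -0400] "GET /scripts/DEFAULT.IDA?XXXX HTTP/1.0" 404 205
EOF
}

# Live use: ACCESS_LOG=/home/log/httpd/access DRY_RUN=0 sh ida-block.sh
if [ -n "${ACCESS_LOG:-}" ]; then
    tail -f "$ACCESS_LOG" | process_log
else
    sample_log | process_log
fi
```

The duplicate check lives only in the running process, so a restart will append rules for addresses that are already in the chain.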