
Re: [cobalt-users] access log weird stuff. hacker or virus



BD,

You are running ASP on RaQ, so the virus thinks that your machine has IIS;
that is why you are getting these attacks. You may use this PHP page; it will
give you the IP addresses of the machines which are sending you such viruses.
Then you can either block those IPs in your firewall or do whatever you like
to do.

<html><body>

<B><H3>Code Red, Nimda and Other Worm Scanner </H3></B>

By <a href="mailto:webmaster@xxxxxxxxxxxxx">Kham Vue</a><br>

<a href="http://www.sengtroni.com">www.sengtroni.com</a><br>

IP Display by <a href="mailto:greg@xxxxxxxxxxxxxx">Greg Ogorek</a><br>

Original SHELL script by Glenn Scott glen@xxxxxxxxxxxxxxxxxxxxx

<P>
This server has received <B>
<?system("cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | wc -l") or die ("Could not open web logs!");?>
</B> scans for <i>"/scripts/root.exe"</i> from <b>
<?system("cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | cut -d ' ' -f2 | sort | uniq | wc -l");?>
</b> different IP addresses! <BR>

<P>
This server has received <B>
<?system("cat /var/log/httpd/access | grep 'cmd.exe' | wc -l") or die ("Could not open web logs!");?>
</B> scans for <i>"cmd.exe"</i> from <b>
<?system("cat /var/log/httpd/access | grep 'cmd.exe' | cut -d ' ' -f2 | sort | uniq | wc -l");?>
</b> different IP addresses! <BR>

<P>
This server has received <B>
<?system("cat /var/log/httpd/access | grep 'cmd.exe' | wc -l")?>
</B> scans for the new <i> "cmd.exe" </i> from <b>
<?system("cat /var/log/httpd/access | grep 'cmd.exe' | cut -d ' ' -f2 | sort | uniq | wc -l");?>
</b> different IP Addresses!!!!

<P>
This server has received <B>
<?system("cat /usr/local/apache/logs/access_log | grep 'cmd.exe' | wc -l")?>
</B> scans for the new <i> "cmd.exe" </i> from <b>
<?system("cat /usr/local/apache/logs/access_log | grep 'cmd.exe' | cut -d ' ' -f2 | sort | uniq | wc -l");?>
</b> different IP Addresses!!!!


<p>
The server has been attacked <B>

<?system("cat /var/log/httpd/access | grep '/default.ida'|wc -l")?>

</b> times by the Code Red Virus from <b>

<?system("cat /var/log/httpd/access | grep '/default.ida' | cut -d ' ' -f2 | sort | uniq | wc -l");?>

</b> different IP Addresses!!!!

<P><HR>
<b>Nimda Attacks by IP</b><br>
<?system("cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' |
cut -d ' ' -f2 | sort | uniq");?><br>

<P><HR>
<b>Code Red Attacks by IP</b><br>
<?system("cat /var/log/httpd/access | grep '/default.ida' | cut -d ' ' -f2 |
sort | uniq");?><br>

<P><HR>

This script comes "as is". Any modifications, please update the author via
email.

</body></html>
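
Added example, not part of the original message or the author's script: the same three signature checks done in one pass over the log from a shell (cron or command line) rather than through repeated system() calls in a web page. The function names, signature labels and sample log lines are constructed for illustration; the address field defaults to 2 because that is what the page's cut pipelines select.

```shell
#!/bin/sh
# Added example, not the original author's script.
# One pass over the log instead of one cat|grep pipeline per counter.

# worm_summary LOGFILE [IP_FIELD]
# IP_FIELD defaults to 2, the field the page's `cut -d ' ' -f2` selects;
# use 1 for logs whose first field is the client address (assumption:
# which field holds the address depends on the server's LogFormat).
worm_summary() {
    log=$1
    field=${2:-2}
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 1; }
    awk -v f="$field" '
        # Fixed-string matches on the same substrings the page greps for.
        index($0, "/scripts/root.exe?/c+dir") { hit("nimda_root") }
        index($0, "cmd.exe")                  { hit("cmd_exe") }
        index($0, "/default.ida")             { hit("code_red") }
        function hit(sig) {
            count[sig]++
            if (!((sig, $f) in seen)) {        # first time this IP hit sig
                seen[sig, $f] = 1
                ips[sig]++
                list[sig] = list[sig] " " $f
            }
        }
        END {
            n = split("nimda_root cmd_exe code_red", order, " ")
            for (i = 1; i <= n; i++) {
                s = order[i]
                printf "%s hits=%d ips=%d%s\n", s, count[s], ips[s], list[s]
            }
        }
    ' "$log"
}

# Constructed sample lines (documentation-range addresses), vhost first.
sample_log() {
    cat <<'EOF'
www.example.com 192.0.2.10 - - [01/Jan/2002:00:00:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
www.example.com 192.0.2.10 - - [01/Jan/2002:00:00:02 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 300
www.example.com 198.51.100.7 - - [01/Jan/2002:00:00:03 +0000] "GET /default.ida HTTP/1.0" 404 280
www.example.com 203.0.113.4 - - [01/Jan/2002:00:00:04 +0000] "GET /index.html HTTP/1.0" 200 1024
www.example.com 198.51.100.7 - - [01/Jan/2002:00:00:05 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 300
www.example.com 192.0.2.10 - - [01/Jan/2002:00:00:06 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
EOF
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_log > "$tmp" && worm_summary "$tmp"
rm -f "$tmp"
```

Each output line carries the hit count, the number of distinct source addresses and the addresses themselves, so the list can be reviewed before anything is added to a firewall rule.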