Patrik Fältström wrote:
--On 08/07/2001 9:21 AM -0400 Bobby Krupczak
<rdk@cc.gatech.edu> wrote:
Well, folks, my packet suckers have shown a Code Red II attack from a
machine on the IETF meeting net. It's 217.33.140.38 -- if you have
that address, you need to disinfect and patch your machine. For the
rest of you, be careful...
Do you always snoop on traffic at IETFs?
Just curious. Don't read anything else into my question.
You don't have to snoop. Just run a webserver on port 80 on your local host
and look at the virus trying to attack your local laptop.
I run a local apache, and the logs are full of things like these:
217.33.136.83 - - [07/Aug/2001:14:32:44 +0100] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc
bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 271
217.33.24.50 - - [07/Aug/2001:14:36:21 +0100] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc
bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 271
paf
Well, it's my bad luck that I'm missing the meeting; perhaps I need to
invite all the guys (girls are welcome too) for some beer :)
OK, back to the subject.
Yes, I must say I just hate these buggers.
# Tag any request whose path ends in .ida (Request_URI does not include the query string)
SetEnvIf Request_URI \.ida$ bugger
# Write tagged requests to their own log and keep them out of the usual ones
CustomLog logs/bugger_log common env=bugger
CustomLog logs/access_log common env=!bugger
CustomLog logs/error_log common env=!bugger
This would fix it so the .ida requests don't go into the usual log but into
their own specific log.
I haven't had the chance to try this, but I don't consider my apache box
on the private 192.168.* subject to the attacks.
And for those people who hate "scanners" I recommend:
http://www.thinkgeek.com/stuff/things/38df.html
Good luck with the meetings everyone
/John
--
Webgiro AB
---------------------
+46-850640765 Phone
+46-850640701 Fax
+46-733864346 Cellular
RIPE handle: JA4953-RIPE
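A small log classifier, added here as an illustration and not code from anyone in the thread, that does offline what Patrik suggests (watch what hits port 80) and what John's SetEnvIf/CustomLog rules do live: it parses Apache common-format lines, splits .ida requests from the rest, and separately counts probes with the shape shown in Patrik's log per source host, so a request for a legitimate .ida file is not reported as an infected machine. The log lines, addresses and shortened payload are constructed; the function names are my own.

```python
import re
from collections import Counter
# Apache "common" log format: host ident authuser [date] "method uri proto" status bytes
COMMON_LOG = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
# John's `SetEnvIf Request_URI \.ida$` test; Request_URI has no query string, so path only.
IDA_PATH = re.compile(r'\.ida$')
# Tighter signature for the probe shape in the thread: X filler, then %uXXXX escapes.
CODE_RED_QUERY = re.compile(r'^X+(%u[0-9a-f]{4})+', re.IGNORECASE)

def parse_line(line):
    m = COMMON_LOG.match(line)  # one common-format line -> dict, or None if it does not parse
    return m.groupdict() if m else None

def is_ida_request(entry):
    """Any request whose path ends in .ida: the scope of the SetEnvIf rule."""
    return IDA_PATH.search(entry["uri"].split("?", 1)[0]) is not None

def is_code_red_probe(entry):
    """Only /default.ida with a worm-shaped query; a plain .ida file does not count."""
    path, _, query = entry["uri"].partition("?")
    return path.lower().endswith("/default.ida") and CODE_RED_QUERY.match(query) is not None

def split_log(lines):
    """Mirror the two CustomLog env= rules: return (bugger, normal, unparsed)."""
    bugger, normal, unparsed = [], [], []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line)  # keep rather than silently drop
        elif is_ida_request(entry):
            bugger.append(entry)
        else:
            normal.append(entry)
    return bugger, normal, unparsed

def probe_sources(lines):
    """Worm-shaped probes per source host, busiest first (what you report to the net operator)."""
    entries = (parse_line(ln) for ln in lines)
    return Counter(e["host"] for e in entries if e and is_code_red_probe(e)).most_common()
# Constructed sample log (RFC 5737 documentation addresses; payload shortened).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Aug/2001:14:32:44 +0100] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 271',
    '192.0.2.20 - - [07/Aug/2001:14:33:01 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [07/Aug/2001:14:36:21 +0100] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 271',
    '192.0.2.30 - - [07/Aug/2001:14:37:05 +0100] "GET /reports/q2.ida HTTP/1.0" 200 512',
    'this line is not a log entry',
]
```

Run `split_log(SAMPLE_LOG)` and `probe_sources(SAMPLE_LOG)` over a real access_log read with `open(...).read().splitlines()` to get the same split John's config produces, plus the per-host probe count.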