Fun with httpd logs and code red 
 Fun with httpd logs and code red

Just for fun, I wrote the following script to check my apache log for
recent code red queries:

        import string

        f=open('/var/log/httpd/access_log', 'r')
        lines = f.readlines()
        ip_list = []

        for line in lines:
                if string.find(line, "GET /default.ida"):
                        a = string.split(line)
                        if a[0] not in ip_list:
                                ip_list.append(a[0])

        print "The number of IPs in my list is %d" % len(ip_list)

        f.close()

Hmmm. I have a list with 873 entries. Now what do I do with it?  ;)

-- Stephen



Fri, 06 Feb 2004 04:40:24 GMT  
 Fun with httpd logs and code red

Quote:

> Just for fun, I wrote the following script to check my apache log for
> recent code red queries:

>   [snip]

> Hmmm. I have a list with 873 entries. Now what do I do with it?  ;)

> -- Stephen

Certainly the thing NOT to do is to contact the owners of the offending sites,
as all that will do is send a signal to the feds saying "Please break down my
door, confiscate my equipment, and throw me in jail" :P

--



Fri, 06 Feb 2004 12:29:12 GMT  
 Fun with httpd logs and code red

Quote:

> Just for fun, I wrote the following script to check my apache log for
> recent code red queries:
-snip-  
> Hmmm. I have a list with 873 entries. Now what do I do with it?  ;)

maybe let the sys admins of those hosts know they've been infected?
http://www.onlamp.com/pub/a/apache/2001/08/16/code_red.html

--
Sergio J. Rey   http://typhoon.sdsu.edu/rey.html



Fri, 06 Feb 2004 12:36:43 GMT  
 Fun with httpd logs and code red

Quote:

> Just for fun, I wrote the following script to check my apache log for
> recent code red queries:

>                 if string.find(line, "GET /default.ida"):

Shouldn't that say:

    if string.find(line, "GET /default.ida") != -1:

instead?

Otherwise it just counts the number of unique IP addresses in your access
log, as -1 is true. Perhaps you'll find you had fewer code red hits after
that.

--
Graham



Fri, 06 Feb 2004 19:26:39 GMT  
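Graham's point, carried into Python 3 as an added example (this is not code from the thread): the original truthy `find()` test beside a corrected check that parses the request line, run over constructed Apache log lines.

```python
import re
from collections import defaultdict

# Constructed Apache common-log sample for the example (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Feb/2004:01:02:03 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 280
198.51.100.7 - - [06/Feb/2004:01:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.10 - - [06/Feb/2004:01:07:44 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 280
203.0.113.9 - - [06/Feb/2004:02:00:00 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 280
198.51.100.7 - - [06/Feb/2004:02:10:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209
"""

# client ip, ident, user, [timestamp], then the request line: method and target
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)')

def code_red_ips_buggy(lines):
    """Mirror of the original test. str.find() returns -1 when the substring is
    absent, and -1 is truthy, so every client in the log gets collected."""
    ips = set()
    for line in lines:
        if line.find('GET /default.ida'):      # bug: only a result of 0 is falsy
            ips.add(line.split()[0])
    return ips

def code_red_ips(lines):
    """Corrected version: parse the request line and match the path exactly
    (query string stripped), returning hit counts per client IP."""
    hits = defaultdict(int)
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue                            # malformed line, skip it
        ip, method, target = m.groups()
        if method == 'GET' and target.split('?', 1)[0] == '/default.ida':
            hits[ip] += 1
    return dict(hits)

if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    print('buggy check collects', len(code_red_ips_buggy(lines)), 'IPs')
    print('corrected check finds', code_red_ips(lines))
```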
 Fun with httpd logs and code red
[Ignacio Vazquez-Abrams]

Quote:

> > Just for fun, I wrote the following script to check my apache log for
> > recent code red queries: [...] I have a list with 873 entries. Now
> > what do I do with it?  ;)
> Certainly the thing NOT to do is to contact the owners of the offending
> sites [...]

I presume you are kidding.  The poor fellows probably do not even know
they are infected.  I guess you should warn them, in the nearly hopeless
hope that we get a better network after a while.

Now, the real difficulty is notifying 873 people, who often use non-resolved
IP addresses (5 out of 6 in my statistics), or have their anonymity far too
well "protected" by ISPs which could not care less, or do not have a clue.
A saddening experience.

My python script for handling such attacks is careful to not report more
than once per offending IP, unless attacks continue for more than 4 days
afterwards.  Failed DNS resolutions are really the bottleneck of the whole
processing, so I do them within 100 threads, to get more acceptable speed.

There are two next steps for me.  First, I would like to find some Apache
trick so a mere referencing of `/default.ida' would trigger the script in
"single-event" mode.  Second, and much more importantly, would be to try
being clever at using "whois", because my current MX finder is a bit crude.
For a while, I'm saving information on this matter.  Any opinion welcome.

--
François Pinard   http://www.iro.umontreal.ca/~pinard



Fri, 06 Feb 2004 20:17:00 GMT  
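Pinard's reporting scheme as an added example (not his script): a per-IP tracker that reports a host once and again only if its activity continues more than four days after the last report (my reading of his rule), plus reverse resolution through a 100-thread pool with an injectable resolver so the logic runs offline. Events and hostnames are constructed.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timedelta

RENOTIFY_AFTER = timedelta(days=4)   # re-report only if still active this long after the last report

class NotifyTracker:
    """Per-IP report state: report the first sighting, suppress repeats,
    and report again only when activity continues past the window."""
    def __init__(self, window=RENOTIFY_AFTER):
        self.window = window
        self.last_report = {}            # ip -> datetime of the last report sent

    def should_report(self, ip, seen_at):
        last = self.last_report.get(ip)
        if last is None or seen_at - last > self.window:
            self.last_report[ip] = seen_at
            return True
        return False

def plan_reports(events, window=RENOTIFY_AFTER):
    """events: iterable of (ip, datetime). Returns the (ip, datetime) pairs
    that would trigger a report, processed in time order."""
    tracker = NotifyTracker(window)
    ordered = sorted(events, key=lambda e: e[1])
    return [(ip, ts) for ip, ts in ordered if tracker.should_report(ip, ts)]

def resolve_all(ips, resolver=None, workers=100):
    """Reverse-resolve many IPs concurrently; failed lookups are the slow case
    (they wait for a timeout), hence the pool. A failure is recorded as None."""
    lookup_host = resolver or socket.gethostbyaddr   # returns (hostname, aliases, addrs)
    def lookup(ip):
        try:
            return ip, lookup_host(ip)[0]
        except OSError:                  # socket.herror/gaierror are OSError subclasses
            return ip, None
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lookup, ips))

# Constructed sightings, as a log parser might yield them.
EVENTS = [
    ('192.0.2.10',  datetime(2004, 2, 1, 9, 0)),
    ('192.0.2.10',  datetime(2004, 2, 1, 9, 5)),    # minutes later: suppressed
    ('203.0.113.9', datetime(2004, 2, 2, 12, 0)),
    ('192.0.2.10',  datetime(2004, 2, 4, 9, 0)),    # 3 days on: suppressed
    ('203.0.113.9', datetime(2004, 2, 5, 12, 0)),   # 3 days on: suppressed
    ('192.0.2.10',  datetime(2004, 2, 6, 10, 0)),   # still active after 5 days: reported again
]
```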
 Fun with httpd logs and code red

Quote:


>> Just for fun, I wrote the following script to check my apache log for
>> recent code red queries:

>>                 if string.find(line, "GET /default.ida"):

> Shouldn't that say:

>     if string.find(line, "GET /default.ida") != -1:

> instead?

> Otherwise it just counts the number of unique IP addresses in your access
> log, as -1 is true. Perhaps you'll find you had fewer code red hits after
> that.

> --
> Graham

Thanks for pointing that out. Actually it found one more item than the
previous total with the correction in place (my log contains nothing but
code red entries since I only use it as a test site).

I'll have to see what's possible as far as getting back to the people goes.

- Stephen



Fri, 06 Feb 2004 14:08:48 GMT  
 Fun with httpd logs and code red

Quote:

> Just for fun, I wrote the following script to check my apache log for
> recent code red queries:

>         import string

>         f=open('/var/log/httpd/access_log', 'r')
>         lines = f.readlines()
>         ip_list = []

>         for line in lines:
>                 if string.find(line, "GET /default.ida"):
>                         a = string.split(line)
>                         if a[0] not in ip_list:
>                                 ip_list.append(a[0])

>         print "The number of IPs in my list is %d" % len(ip_list)

>         f.close()

> Hmmm. I have a list with 873 entries. Now what do I do with it?  ;)

One thing you do is avoid getting into this situation:

   http://www.linuxfreak.org/post.php/08/17/2001/134.html

wherein, if the story actually represents the facts, telling a
newspaper editor that his paper's site was wide open to "adjustments"
by anyone leads to FBI, federal prosecutor, etc. interest.  [It's quite
possible that the problem was "demonstrating" rather than "telling".]

  --John



Sat, 07 Feb 2004 00:31:10 GMT  
 