Question about codered worm

Jeremy jeremy at
Tue Aug 7 19:26:23 EST 2001

> > SecurityFocus are running a service where you send the IP address that
> > attacked you and the approximate time, and they will notify the owners of
> > that IP address. I can't find the email address to send your list of
> > attacking IP addresses to at the moment. Have a look at
> > if you like. I can't navigate the site.
> Hmm, maybe I can make a script to parse the firewall logs and mail them a
> list every hour :)

Tatsuhiko Miyagawa wrote one, drop him a line if you like it:

# Notify CodeRed infection to SecurityFocus
# Usage: [-f youraddress] < /path/to/access_log

use strict;
use Config;
use Getopt::Std;
use Mail::Sendmail;

getopts('f:', \my %opt);

my $from = $opt{f} || $Config{cf_email};
my $to   = 'aris-report at';

my %ip2date;
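# Record the first timestamp seen for each IP that requested the CodeRed URL
while (<>) {
    next unless m@GET /default\.ida\?[XN]+@;
    my($ip, $datetime) = /^(.*?) .*? .*? \[(.*?)\]/;
    next if $ip2date{$ip};
    $ip2date{$ip} = $datetime;
}

# One "IP timestamp" line per attacking host
my $message = join '', map { "$_ $ip2date{$_}\n" } keys %ip2date;

sendmail(
    To      => $to,
    From    => $from,
    Message => $message,
    Subject => "CodeRed Infection Notification",
) or die $Mail::Sendmail::error;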

Tatsuhiko Miyagawa
miyagawa at

> -- 
> Martijn van Oosterhout <kleptog at>
> > It would be nice if someone came up with a certification system that
> > actually separated those who can barely regurgitate what they crammed over
> > the last few weeks from those who command secret ninja networking powers.

I believe the MSCE is a pretty reliable indicator.

I fought Muhammed Ali,
I seduced Mata Hari,
I even wore a sari when I impersonated Ghandi,
and I dare any man here to call me a liar....
