Question about codered worm
Jeremy
jeremy at itassist.net.au
Tue Aug 7 19:26:23 EST 2001
> > SecurityFocus are running a service where you send the IP address that
> > attacked you and the approximate time, and they will notify the owners of
> > that IP address. I can't find the email address to send your list of
> > attacking IP addresses to at the moment. Have a look at
> > http://www.securityfocus.com/ if you like. I can't navigate the site.
>
> Hmm, maybe I can make a script to parse the firewall logs and mail them a
> list every hour :)
Tatsuhiko Miyagawa wrote one, drop him a line if you like it:
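#!/usr/local/bin/perl
#
# Notify CodeRed infection to SecurityFocus
# Usage: codered_notify.pl [-f youraddress] < /path/to/access_log
#
# SEE ALSO: http://www.securityfocus.com/archive/1/201907
#
use strict;
use Config;
use Getopt::Std;
use Mail::Sendmail;

getopts('f:', \my %opt);
my $from = $opt{f} || $Config{cf_email};
my $to   = 'aris-report@securityfocus.com';

# First-seen timestamp for each source IP that sent the CodeRed request
my %ip2date;
while (<>) {
    # CodeRed requests /default.ida followed by a long run of N or X padding
    next unless m@GET /default\.ida\?[XN]+@;
    # Common Log Format: host ident user [timestamp] "request" ...
    # Skip lines that do not parse instead of recording an empty IP.
    my($ip, $datetime) = /^(.*?) .*? .*? \[(.*?)\]/ or next;
    next if $ip2date{$ip};
    $ip2date{$ip} = $datetime;
}

# Nothing to report: do not send an empty mail
exit 0 unless %ip2date;

# One "ip timestamp" line per attacking host
my $message = join '', map { "$_ $ip2date{$_}\n" } keys %ip2date;

sendmail(
    To      => $to,
    From    => $from,
    Message => $message,
    Subject => "CodeRed Infection Notification",
) or die $Mail::Sendmail::error;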
--
Tatsuhiko Miyagawa
miyagawa at cpan.org
> --
> Martijn van Oosterhout <kleptog at svana.org>
> http://svana.org/kleptog/
> > It would be nice if someone came up with a certification system that
> > actually separated those who can barely regurgitate what they crammed over
> > the last few weeks from those who command secret ninja networking powers.
I believe the MSCE is a pretty reliable indicator.
--------------------------------------
I fought Muhammed Ali,
I seduced Mata Hari,
I even wore a sari when I impersonated Ghandi,
and I dare any man here to call me a liar....