[lug] Code Rainbow: New attack, MUCH nastier...

Calvin Dodge caldodge at fpcc.net
Tue Sep 18 18:23:15 MDT 2001


On Tue, Sep 18, 2001 at 03:11:51PM -0600, Justin wrote:
> I'm just curious as to how you are getting these figures? I noticed 
> tons of GET requests in my apache logs but I'd like to get the cool 
> figures like you have ;)

Well, if you are using Red Hat and you're logging web accesses ...

grep -E '(root.exe|winnt)' /var/log/httpd/access_log|head -n 1

This is based on the observed fact that these bogus requests contain either "root.exe" or "winnt".

On my employer's web server, the result was:

216.150.134.3 - - [18/Sep/2001:07:10:53 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"

So the first such attempt was at about 7:11 this morning.

Then ...

grep -E '(root.exe|winnt)' /var/log/httpd/access_log|wc -l

(grab all matching lines, then count them)

The result right now is 9920 (after 11 hours of hits).


If you're interested in the bandwidth issue ...

I was already running a primitive script every hour, to count sent/received bytes on our external NIC.

The script looks like this:

#!/bin/sh
# Hourly sampler: append "<date> <sent bytes> <received bytes>" for eth1.
# Turn the colon into a blank before splitting, so the receive counter is
# found whether or not it abuts "eth1:" (it only does so once it has 8+ digits);
# word-splitting in echo $(...) then collapses the runs of blanks.
line=$(echo $(grep 'eth1:' /proc/net/dev | tr ':' ' '))
received=$(echo "$line" | cut -d ' ' -f 2)    # RX bytes: first number after the name
sent=$(echo "$line" | cut -d ' ' -f 10)       # TX bytes: after the 8 receive fields
echo "$(date) $sent $received" >> ~/external_io


So "external_io" gets one new line of data every hour.

Here's a representative chunk from last Tuesday:

Tue Sep 11 05:00:01 MDT 2001 2080902386 762195854
Tue Sep 11 06:00:00 MDT 2001 2080921104 762209491
Tue Sep 11 07:00:02 MDT 2001 2081004040 762236422
Tue Sep 11 08:00:02 MDT 2001 2081092032 762671921
Tue Sep 11 09:00:01 MDT 2001 2081803840 766524403

The inbound rate varied between 20KBps and 700KBps per hour, which is typical when I'm not downloading megabytes of updates.

Then today I had ...

Tue Sep 18 05:00:02 MDT 2001 3105372 49058239
Tue Sep 18 06:00:02 MDT 2001 3134960 49077534
Tue Sep 18 07:00:01 MDT 2001 3178517 49201177
Tue Sep 18 08:00:02 MDT 2001 4079754 49870367
Tue Sep 18 09:00:01 MDT 2001 5167540 50723768

Notice that we had 9 megs inbound from 7 to 8 a.m., and 11 megs from 8 to 9. (Later it hit as high as 17 megs for a couple of hours).

Our inbound bandwidth limit is 640 Kbps (or 200 megs/hour), so my earlier estimate of a 20% loss was rather high.

But it _STILL_ is annoying (although strangely satisfying when I utter a Nelson-like "Ha ha" in Microsoft's direction).

Calvin

-- 
Calvin Dodge
Certified Linux Bigot (tm)
http://www.caldodge.fpcc.net
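
The checks in Calvin's message, as an added example that is not code from the original post: the grep/cut pipelines as shell functions, a /proc/net/dev parser that does not depend on the counter abutting "eth1:", and the hourly deltas the external_io file was kept for. The access_log lines, client addresses and /proc/net/dev counters below are constructed for the example; the external_io lines are the Sep 18 ones quoted in the message. The pattern is the message's (root.exe|winnt), with the dot escaped so it matches literally.

```shell
#!/bin/sh
# Added example, not code from the original post: the message's two checks
# (Nimda-style probe counting in the Apache access_log, and byte counters
# from /proc/net/dev) as shell functions over constructed sample data.

# Constructed access_log lines (Apache combined format). Addresses and
# timestamps are made up; the request strings are the kind the message
# describes ("root.exe" / "winnt" in the URL).
sample_log() {
cat <<'EOF'
10.0.0.5 - - [18/Sep/2001:06:58:10 -0600] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [18/Sep/2001:07:10:53 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
192.0.2.10 - - [18/Sep/2001:07:10:54 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
198.51.100.7 - - [18/Sep/2001:07:12:01 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
10.0.0.5 - - [18/Sep/2001:07:15:00 -0600] "GET /about.html HTTP/1.0" 200 2210 "-" "Mozilla/4.0"
EOF
}

# Regex from the message; the dot is escaped so "root.exe" matches literally.
PROBE_RE='(root\.exe|winnt)'

# Each function reads log lines from the files named as arguments, or from
# stdin when none are given (grep -c prints one count per file if several).
first_probe()   { grep -E "$PROBE_RE" "$@" | head -n 1; }   # earliest hit; logs are time-ordered
probe_count()   { grep -cE "$PROBE_RE" "$@"; }              # same as grep ... | wc -l
probe_sources() { grep -E "$PROBE_RE" "$@" | cut -d ' ' -f 1 | sort | uniq -c | sort -rn; }

# Constructed /proc/net/dev sample in the 2.4-era layout; the numbers are made up.
sample_net_dev() {
cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  eth0:  987654    2000    0    0    0     0          0         0   456789    1500    0    0    0     0       0          0
  eth1:49058239   40000    0    0    0     0          0         0  3105372   30000    0    0    0     0       0          0
EOF
}

# nic_bytes IFACE [FILE] : print "<sent> <received>" in bytes for IFACE
# (FILE "-" reads stdin). Indentation is stripped first and the line split on
# ':' or blanks, so it works whether or not a space follows "eth1:".
nic_bytes() {
    awk -F'[: ]+' -v ifc="$1" '
        { sub(/^[ \t]+/, "") }          # re-split so $1 is the interface name
        $1 == ifc { print $10, $2 }     # $2 = RX bytes, $10 = TX bytes (after 8 RX fields)
    ' "${2:-/proc/net/dev}"
}

# log_nic IFACE LOGFILE : append the "<date> <sent> <received>" line the
# message's hourly job writes.
log_nic() { echo "$(date) $(nic_bytes "$1")" >> "$2"; }

# The Sep 18 external_io lines quoted in the message.
sample_io() {
cat <<'EOF'
Tue Sep 18 05:00:02 MDT 2001 3105372 49058239
Tue Sep 18 06:00:02 MDT 2001 3134960 49077534
Tue Sep 18 07:00:01 MDT 2001 3178517 49201177
Tue Sep 18 08:00:02 MDT 2001 4079754 49870367
Tue Sep 18 09:00:01 MDT 2001 5167540 50723768
EOF
}

# hourly_deltas [FILE] : from an external_io-style log ("<6-field date> <sent>
# <received>" per line) print "<time> <sent delta> <received delta>" in bytes.
# A negative difference is taken as a wrap of a 32-bit counter.
hourly_deltas() {
    awk '
        function delta(cur, prev,   d) { d = cur - prev; return (d < 0) ? d + 4294967296 : d }
        NR > 1 { print $4, delta($7, ps), delta($8, pr) }
        { ps = $7; pr = $8 }
    ' "$@"
}

# Demonstration on the constructed data (writes nothing to disk).
echo "first probe:    $(sample_log | first_probe)"
echo "probe count:    $(sample_log | probe_count)"
echo "top sources:";  sample_log | probe_sources
echo "eth1 sent/recv: $(sample_net_dev | nic_bytes eth1 -)"
echo "hourly deltas (time sent received):"; sample_io | hourly_deltas
```

hourly_deltas reports in bytes, so the Sep 18 07-08 interval comes out as 901237 sent and 669190 received. The wrap handling matters for this kind of log: the message's own sent counter reads about 2.08e9 on Sep 11 and 3.1e6 on Sep 18, which is either a 32-bit wrap or a reset; a reset (reboot) is indistinguishable here and would make that one interval read high.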
