[lug] Code Rainbow: New attack, MUCH nastier...

Samartha Deva blug-receive at mtbwr.net
Wed Sep 19 01:08:24 MDT 2001


(there was one earlier than today in the log, that's why the -n 2 ):

grep -E '(root.exe|cmd.exe|winnt)' /var/log/httpd/*access* | head -n 2
....com-access_log:wi87-210.airturbo.com - - [18/Sep/2001:07:21:39 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291

now this should give the total count of hits:

grep -E '(root.exe|cmd.exe|winnt)' /var/log/httpd/*access* |  wc
   42012  420120 7119486

I got pretty annoyed by that stuff after a while and made the effort to
install snort on the firewall (finally :-) but the resp option enabled on
the relevant lines still caused traffic.

Interestingly, the vision18.rules from http://www.whitehats.com/ids/
would not contain the strings cmd.exe nor root.exe in their rules but the
standard rules coming with snort had at least the cmd.exe.

Then I made a script to go after tail -f of the alert log, extract the IP
numbers and block the IPs in the firewall. It's not 100 % yet, still
duplicate blocks of the same IP numbers but at least it's quieter now. I
think it is a timing issue of tail -f, by the time the tail pipes into the
script, the first 2 - 10 hits already happened.

Ideal would be to have snort add the rules to ipchains right away. Has anyone
done something like that - maybe the post processor feature of snort can be
used when an alert with a certain number is triggered?

Samartha
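A deduplicating version of the blocker Samartha describes, added here as an example (it is not the poster's script): it reads snort fast-style alert lines, takes the source address of each, records each address once in a state file so the same IP never gets a second rule, and prints the ipchains rule instead of running it unless DRY_RUN=0. The alert lines and addresses are constructed, and the BLOCKED state-file path is an assumption.

```shell
#!/bin/sh
# Added example, not the original poster's script. Reads snort alerts
# (one-line "fast" style, constructed samples below), blocks each source
# address once via ipchains, and prints the command in dry-run mode.
SAMPLE_ALERTS='09/18-07:21:39.102033 [**] WEB-IIS cmd.exe access [**] 198.51.100.7:3241 -> 192.0.2.10:80
09/18-07:21:40.551902 [**] WEB-IIS cmd.exe access [**] 198.51.100.7:3242 -> 192.0.2.10:80
09/18-07:22:01.003110 [**] WEB-IIS cmd.exe access [**] 203.0.113.44:1025 -> 192.0.2.10:80
09/18-07:22:05.774100 [**] ICMP PING NMAP [**] 203.0.113.9 -> 192.0.2.10'

DRY_RUN=${DRY_RUN:-1}                    # 1 = print rules, 0 = run ipchains
BLOCKED=${BLOCKED:-/tmp/blocked.list}    # assumed state file, one IP per line

# extract_src: print the source IP of one alert line, i.e. the host part of
# the token just before "->" (port suffix stripped); prints nothing otherwise.
extract_src() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++)
            if ($i == "->") { split($(i - 1), a, ":"); print a[1]; exit }
    }'
}

# block_ip: add a DENY rule for the address unless it is already recorded.
# Returns 1 (and does nothing) on a duplicate, so repeated alerts from the
# same scanner produce exactly one rule.
block_ip() {
    touch "$BLOCKED"
    if grep -qxF "$1" "$BLOCKED"; then
        return 1
    fi
    printf '%s\n' "$1" >> "$BLOCKED"
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains -I input -s $1 -j DENY"
    else
        ipchains -I input -s "$1" -j DENY
    fi
}

# process_alerts: feed alert lines on stdin, e.g.
#   tail -F /var/log/snort/alert | sh blocker.sh
process_alerts() {
    while IFS= read -r line; do
        ip=$(extract_src "$line")
        [ -n "$ip" ] || continue
        block_ip "$ip" || true
    done
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ALERTS" | process_alerts
fi
```

Run with `--demo` to see the three distinct rules the four sample alerts produce; the second alert from 198.51.100.7 is skipped as a duplicate.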
>It is interesting to compare numbers. I have 1613 hits, as of 17:30
>MDT, and the first one came at 7:37 MDT. Interesting that it started
>for us at around the same time. I'm on 208.*.*.*.
>
>Tim
>
>* Calvin Dodge (caldodge at fpcc.net) wrote:
> > On Tue, Sep 18, 2001 at 03:11:51PM -0600, Justin wrote:
> > > I'm just curious as to how you are getting these figures? I noticed
> > > tons of get request in my apache logs but I'd like to get the cool
> > > figures like you have ;)
> >
>--
>==============================================
>== Timothy Klein || teece at silverklein.net ==
>== ---------------------------------------- ==
>== "Hello, World" 17 Errors, 31 Warnings... ==
>==============================================