[lug] Code Rainbow: New attack, MUCH nastier...
Calvin Dodge
caldodge at fpcc.net
Tue Sep 18 18:23:15 MDT 2001
On Tue, Sep 18, 2001 at 03:11:51PM -0600, Justin wrote:
> I'm just curious as to how you are getting these figures? I noticed
> tons of get request in my apache logs but I'd like to get the cool
> figures like you have ;)
Well, if you are using Red Hat and you're logging web accesses ...
grep -E '(root.exe|winnt)' /var/log/httpd/access_log|head -n 1
This is based on the observed fact that these bogus requests contain either "root.exe" or "winnt".
On my employer's web server, the result was:
216.150.134.3 - - [18/Sep/2001:07:10:53 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
So the first such attempt was at about 7:11 this morning.
Then ...
grep -E '(root.exe|winnt)' /var/log/httpd/access_log|wc -l
(grab all matching lines, then count them)
The result right now is 9920 (after 11 hours of hits).
If you're interested in the bandwidth issue ...
I was already running a primitive script every hour, to count sent/received bytes on our external NIC.
The script looks like this:
#!/bin/sh
# Hourly sampler: append "<date> <tx_bytes> <rx_bytes>" for the external NIC.
# Turning the colon after the interface name into a space keeps the field
# positions the same whether or not the kernel pads the first counter.
set -- $(grep '^ *eth1:' /proc/net/dev | tr ':' ' ')
received=$2       # first counter after the name: receive bytes
sent=${10}        # ninth counter after the name: transmit bytes
echo "$(date) $sent $received" >> ~/external_io
So "external_io" gets one new line of data every hour.
Here's a representative chunk from last Tuesday:
Tue Sep 11 05:00:01 MDT 2001 2080902386 762195854
Tue Sep 11 06:00:00 MDT 2001 2080921104 762209491
Tue Sep 11 07:00:02 MDT 2001 2081004040 762236422
Tue Sep 11 08:00:02 MDT 2001 2081092032 762671921
Tue Sep 11 09:00:01 MDT 2001 2081803840 766524403
The inbound rate varied between 20KBps and 700KBps per hour, which is typical when I'm not downloading megabytes of updates.
Then today I had ...
Tue Sep 18 05:00:02 MDT 2001 3105372 49058239
Tue Sep 18 06:00:02 MDT 2001 3134960 49077534
Tue Sep 18 07:00:01 MDT 2001 3178517 49201177
Tue Sep 18 08:00:02 MDT 2001 4079754 49870367
Tue Sep 18 09:00:01 MDT 2001 5167540 50723768
Notice that we had 9 megs inbound from 7 to 8 a.m., and 11 megs from 8 to 9. (Later it hit as high as 17 megs for a couple of hours).
Our inbound bandwidth limit is 640 Kbps (or 200 megs/hour), so my earlier estimate of a 20% loss was rather high.
But it _STILL_ is annoying (although strangely satisfying when I utter a Nelson-like "Ha ha" in Microsoft's direction).
Calvin
--
Calvin Dodge
Certified Linux Bigot (tm)
http://www.caldodge.fpcc.net
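The two figures in the post (probe count with first-seen time, and hourly byte deltas from the counter log) as one added example in Python; this is not code from the post. The access_log sample reuses the line quoted above and adds constructed lines with documentation addresses, and the counter-wrap width of 32 bits is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-log sample (first line is the one quoted in the
# post; the others are made up). Probe lines carry root.exe or winnt.
ACCESS_LOG = """\
216.150.134.3 - - [18/Sep/2001:07:10:53 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
192.0.2.7 - - [18/Sep/2001:07:12:02 -0600] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
216.150.134.3 - - [18/Sep/2001:07:40:11 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
198.51.100.9 - - [18/Sep/2001:08:05:30 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
"""
PROBE = re.compile(r"root\.exe|winnt")          # the indicators grepped in the post
LOGLINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

def worm_probes(text):
    """Count probe requests; return (count, first_seen, hits per source, hits per hour)."""
    count, first_seen = 0, None
    per_source, per_hour = Counter(), Counter()
    for line in text.splitlines():
        m = LOGLINE.match(line)
        if not m or not PROBE.search(m.group(3)):   # match the request, not the whole line
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        count += 1
        first_seen = ts if first_seen is None else min(first_seen, ts)
        per_source[m.group(1)] += 1
        per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
    return count, first_seen, per_source, per_hour

# Samples in the post's external_io layout: "<date> <tx_bytes> <rx_bytes>".
EXTERNAL_IO = """\
Tue Sep 18 05:00:02 MDT 2001 3105372 49058239
Tue Sep 18 06:00:02 MDT 2001 3134960 49077534
Tue Sep 18 07:00:01 MDT 2001 3178517 49201177
"""

def hourly_deltas(text, counter_bits=32):
    """Bytes moved between consecutive samples as (timestamp, tx_delta, rx_delta).
    Interface counters wrap (assumed 32-bit here), so a negative difference is
    corrected modulo 2**counter_bits instead of being reported as-is."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        rows.append((" ".join(parts[:6]), int(parts[6]), int(parts[7])))
    wrap = 1 << counter_bits
    return [(t, (tx - ptx) % wrap, (rx - prx) % wrap)
            for (_, ptx, prx), (t, tx, rx) in zip(rows, rows[1:])]
```

Matching on the request field rather than the whole line avoids counting a referrer or user-agent that happens to contain the same string.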