[aclug-L] Re: Hacker or ??
To: discussion@xxxxxxxxx
Subject: [aclug-L] Re: Hacker or ??
From: "gLaNDix (Jesse Kaufman)" <glandix@xxxxxxxxxxxxxx>
Date: 18 Sep 2001 15:26:38 -0500
Reply-to: discussion@xxxxxxxxx

On 18 Sep 2001 14:34:32 -0500, Steven Saner wrote:
> 
> It appears that an infected machine will scan all of the addresses in
> the class A or B netblock that they are in.

yeah, that's correct...  i thought about that as soon as i stepped out the
door! : ^ )  it seems to act the same as CRI/II ... all my hits were
from 2*.*, but most were from 24.* ... so far, all my hits of this new
stuff are from 24.* ... so in other words, don't follow my previous
directions unless you're on RR and have a 24.* ip address! : ^ )

anyone bored enough to write a (i think it would be) simple perl script
that would scan the httpd-access.log file and do an nslookup on all the
IPs associated w/ the ...cmd.exe... request and plop them in a nice
file?  would make reporting incidents like this a lot simpler, 'cause
you could see (or at least be able to guess) which net block owner to
report to...

> Maybe they will expand out
> from there later.

geez, let's hope not!!!

> It also appears that it isn't
> uncommon to be hit several times by a specific host.

yeah, the log entries are very similar to the CRII entries i had, but w/
a different request...  and it seems to me like each hit is slightly
different than the other... eg: "GET /scripts/..%252f../...." but the
prev from the same host is "GET /scripts/..%25%35%63../...."

> On one web server
> I have received around 5000 hits from about 150 hosts since 3:00am. It
> really hasn't affected performance much, so I'm not too worried about
> it... yet.

i haven't really noticed it all that much either, but i need to go back
in my logs and actually see when it started...  fortunately this time,
i've only got one of my IPs used, so i'm only getting hits on one
machine (thank you NATd!) instead of 2 last time...  unless i'm wrong in
my assumption, that should cut the amount of traffic in half, thus
affecting my performance about 1/2 as much...  right?

oh, and btw... sorry for reposting the entire long-@ss thread last time.. was 
in a hurry to get to class and forgot to cut out the crap! : ^ )

gLaNDix

-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
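The log-scanning script asked for in the post above, as an added example (written in Python rather than Perl, and not code from the original thread): it runs over constructed Apache-format lines, peels the layered percent-encoding so the "..%252f.." and "..%25%35%63.." variants are recognized as the same traversal, counts cmd.exe/root.exe probes per source address, groups them by /8 netblock so the owner is easier to guess, and takes an injectable resolver so reverse DNS can be swapped out when offline.

```python
import re
import socket
from collections import Counter, defaultdict
from urllib.parse import unquote
# Constructed Apache-style sample (not real traffic); hosts are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:03:12:01 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [18/Sep/2001:03:12:02 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [18/Sep/2001:03:15:44 -0500] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [18/Sep/2001:03:15:45 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
203.0.113.5 - - [18/Sep/2001:03:20:09 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
PROBE_RE = re.compile(r"(cmd\.exe|root\.exe)", re.IGNORECASE)

def normalize_path(path, rounds=3):
    """Peel layered percent-encoding so ..%252f.. and ..%25%35%63.. both read as ../ ."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def suspicious_hits(log_text):
    """Count, per source IP, requests that look like cmd.exe / root.exe traversal probes."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in common/combined log format
        ip, path = m.group(1), normalize_path(m.group(3))
        if PROBE_RE.search(path) or "/../" in path:
            hits[ip] += 1
    return hits

def report(hits, resolver=socket.gethostbyaddr):
    """Group attacking IPs by /8 block (busiest first) with reverse DNS where a PTR exists."""
    blocks = defaultdict(list)
    for ip, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        try:
            host = resolver(ip)[0]
        except OSError:  # socket.herror / gaierror are OSError subclasses
            host = "(no PTR)"
        blocks[ip.split(".")[0] + ".0.0.0/8"].append((ip, n, host))
    return dict(blocks)

if __name__ == "__main__":
    for block, rows in report(suspicious_hits(SAMPLE_LOG)).items():
        print(block, *[f"  {ip:<15} {n:>4} hits  {host}" for ip, n, host in rows], sep="\n")
```

Point it at a real access log with `suspicious_hits(open("httpd-access.log").read())`; the /8 grouping is only a first guess at the netblock owner, so confirm with whois before reporting.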

