[aclug-L] Re: Hacker or ??
It does help if you have IPs on a machine that aren't being used to remove
them from that machine. Does cut down on the requests to that machine.
Josh Brown
On 18 Sep 2001, gLaNDix (Jesse Kaufman) wrote:
>
> On 18 Sep 2001 14:34:32 -0500, Steven Saner wrote:
> >
> > It appears that an infected machine will scan all of the addresses in
> > the class A or B netblock that they are in.
>
> yeah, that's correct... i tho't about that as soon as i stepped out the
> door! : ^ ) it seems to act the same as CRI/II ... all my hits were
> from 2*.*, but most were from 24.* ... so far, all my hits of this new
> stuff are from 24.* ... so in other words, don't follow my previous
> directions unless you're on RR and have a 24.* ip address! : ^ )
>
> anyone bored enuf to write a (i think it would be) simple perl script
> that would scan the httpd-access.log file and do an nslookup on all the
> IPs associated w/ the ...cmd.exe... request and plop them in a nice
> file? would make reporting incidents like this a lot simpler, 'cause
> you could see (or at least be able to guess) which net block owner to
> report to...
>
> > Maybe they will expand out
> > from there later.
>
> geez, let's hope not!!!
>
> > It also appears that it isn't
> > uncommon to be hit several times by a specific host.
>
> yeah, the log entries are very similar to the CRII entries i had, but w/
> a different request... and it seems to me like each hit is slightly
> different than the other... eg: "GET /scripts/..%252f../...." but the
> prev from the same host is "GET /scripts/..%25%35%63../...."
>
> > On one web server
> > I have received around 5000 hits from about 150 hosts since 3:00am. It
> > really hasn't affected performance much, so I'm not too worried about
> > it... yet.
>
> i haven't really noticed it all that much either, but i need to go back
> in my logs and actually see when it started... fortunately this time,
> i've only got one of my ip's used, so i'm only getting hits on one
> machine (thank you NATd!) instead of 2 last time... unless i'm wrong in
> my assumption, that should cut the amount of traffic in half, thus
> affecting my performance about 1/2 as much... right?
>
> oh, and btw... sorry for reposting the entire long-@ss thread last time.. was
> in a hurry to get to class and forgot to cut out the crap! : ^ )
>
> gLaNDix
>
> -- This is the discussion@xxxxxxxxx list. To unsubscribe,
> visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
>
>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<
Joshua Brown
Administration / Web Development
WebSurf Internet Services
www.websurf.net
316-945-7873 or 877-329-1671 (toll-free)
>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<
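
The log scan asked for in the quoted message, as an added example that is not part of the original thread (written in Python rather than Perl): it decodes each request path repeatedly, so the `..%252f..` and `..%25%35%63..` variants are both recognized, then groups cmd.exe hits by source IP with a reverse lookup for reporting. The Apache common log format, the function names and the sample lines are assumptions; the sample lines are constructed.

```python
import re
import socket
from collections import Counter
from urllib.parse import unquote

# Common/combined log format: client IP first, request line in the first quoted field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*"')

def normalize(path, max_rounds=5):
    """Percent-decode until stable, so double-encoded separators collapse."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def is_probe(path):
    """True when the decoded path is a directory-traversal request for cmd.exe."""
    p = normalize(path)
    return "cmd.exe" in p and "../" in p

def reverse_dns(ip):
    """Best-effort PTR lookup; the hostname hints at the netblock owner."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return "unresolved"

def summarize(lines, resolver=reverse_dns):
    """Return [(ip, hostname, hits)] for probing clients, busiest first."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_probe(m.group(2)):
            hits[m.group(1)] += 1
    return [(ip, resolver(ip), n) for ip, n in hits.most_common()]

# Constructed sample lines (documentation IP ranges, not real hosts).
SAMPLE = [
    '192.0.2.10 - - [18/Sep/2001:14:01:02 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '192.0.2.10 - - [18/Sep/2001:14:01:03 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '198.51.100.7 - - [18/Sep/2001:14:02:10 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '203.0.113.5 - - [18/Sep/2001:14:03:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for ip, host, n in summarize(SAMPLE):
        print(f"{n:5d}  {ip:15s}  {host}")
```

To run it against a real log, pass `open("httpd-access.log")` to `summarize()` in place of `SAMPLE`.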