Complete.Org: Mailing Lists: Archives: discussion: September 2001:
[aclug-L] Re: Hacker or ??

[aclug-L] Re: Hacker or ??

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]

To:	discussion@xxxxxxxxx
Subject:	[aclug-L] Re: Hacker or ??
From:	Jeff Vian <jvian10@xxxxxxxx>
Date:	Thu, 20 Sep 2001 12:25:25 -0500
Reply-to:	discussion@xxxxxxxxx

1.  save the script to an (executable) file in your favorite directory.
2.  use "crontab -e" to edit the crontab for your user (should be root
here) and make an entry to run the script.

For information on cron and crontab use the man pages.



Maverick wrote:
> 
> Thanks, that is pretty helpful, but how can I set a
> cron job that run this script once every hour?
> 
> Mav
> --- Jeff Vian <jvian10@xxxxxxxx> wrote:
> >
> > I just posted a script from Linux Journal that will
> > let ip chains block
> > this attack.
> > It appears to be the new Nimba worm
> >
> > The script text is below
> >
> >
> >
> >
> > Tech Tip
> >
> >    The  Linux  Journal web site, like others, is
> > getting a lot of
> > traffic
> >    from  the  Windows worm du jour. Here's the cron
> > job our sysadmin
> > team
> >    is using to block them from our Apache-based
> > site.
> >
> > #!/bin/sh
> > #
> > # Block sites which originate Nimba queries from
> > Apache server
> > # Apache must be configured with HostnameLookups Off
> >
> > LOGS=/var/log/httpd
> >
> > cd $LOGS
> >
> > grep '^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]* ' *
> > 2>/dev/null |
> > awk '/system32\/cmd\.exe/ {sub(/[^:]*:/,"");print
> > $1}' |
> > sort -u |
> > while read host
> > do
> > if ! fgrep $host /var/tmp/blocked >/dev/null
> > then
> > echo $host >>/var/tmp/blocked
> > /sbin/ipchains -I input -s $host -j DENY -l
> > fi
> > done
> >
> >
> >
> >
> >
> >
> >
> > Steven Saner wrote:
> > >
> > > Appears that this is the worm that Glandix
> > reported. I got the
> > > readme.exe email this morning as well. It was made
> > to appear like a
> > > bounce back message from someplace.
> > >
> > > Steve
> > >
> > > On Tue, Sep 18, 2001 at 12:49:24PM -0500, Joshua S
> > Brown wrote:
> > > >
> > > > We are having the same problem on all our web
> > servers. Is this a hack or
> > > > something like code red?
> > > >
> > > >
> > > > Josh Brown
> > > >
> > > > On Tue, 18 Sep 2001, Maverick wrote:
> > > >
> > > > >
> > > > > Hi, all
> > > > >  Recently I check on my apache webserver
> > access.log
> > > > > and find out a lot of entrie like this:
> > > > > 24.254.90.73 - - [18/Sep/2001:10:44:38 -0700]
> > "GET
> > > > > /scripts/..%c0%af../winnt/sys
> > > > > tem32/cmd.exe?/c+dir HTTP/1.0" 404 231
> > > > > 24.254.90.73 - - [18/Sep/2001:10:44:39 -0700]
> > "GET
> > > > > /scripts/..%%35%63../winnt/sy
> > > > > stem32/cmd.exe?/c+dir HTTP/1.0" 400 215
> > > > > 24.254.90.73 - - [18/Sep/2001:10:44:41 -0700]
> > "GET
> > > > > /scripts/..%%35c../winnt/syst
> > > > > em32/cmd.exe?/c+dir HTTP/1.0" 400 215
> > > > > 24.254.90.73 - - [18/Sep/2001:10:44:43 -0700]
> > "GET
> > > > > /scripts/..%c1%9c../winnt/sys
> > > > > tem32/cmd.exe?/c+dir HTTP/1.0" 404 231
> > > > > .....
> > > > >
> > > > > Is that someone try to access my
> > /var/www/scripts/?
> > > > > and my error.log generate something like
> > this..
> > > > > Tue Sep 18 10:52:27 2001] [error] [client
> > > > > 24.234.20.197] File does not exist: /
> > > > > var/www/c/winnt/system32/cmd.exe
> > > > > [Tue Sep 18 10:52:28 2001] [error] [client
> > > > > 24.234.20.197] File does not exist: /
> > > > > var/www/d/winnt/system32/cmd.exe
> > > > > ....
> > > > >
> > > > > anyone have any idea? or did I set something
> > wrong?
> > > > > or really have a hacker knocking on my door?
> > > > >
> > > > > Thanks.
> > > > > Mav
> > > > >
> > > > >
> > __________________________________________________
> > > > > Terrorist Attacks on U.S. - How can you help?
> > > > > Donate cash, emergency relief information
> > > > >
> >
> http://dailynews.yahoo.com/fc/US/Emergency_Information/
> > > > > -- This is the discussion@xxxxxxxxx list.  To
> > unsubscribe,
> > > > > visit
> >
> http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
> > > > >
> > > >
> > > >
> > > > -- This is the discussion@xxxxxxxxx list.  To
> > unsubscribe,
> > > > visit
> >
> http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
> > > -- This is the discussion@xxxxxxxxx list.  To
> > unsubscribe,
> > > visit
> >
> http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
> > -- This is the discussion@xxxxxxxxx list.  To
> > unsubscribe,
> > visit
> >
> http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
> >
> 
> __________________________________________________
> Terrorist Attacks on U.S. - How can you help?
> Donate cash, emergency relief information
> http://dailynews.yahoo.com/fc/US/Emergency_Information/
> -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi

[Prev in Thread]

Current Thread

[Next in Thread]

[aclug-L] Re: Hacker or ??, (continued)
- [aclug-L] Re: Hacker or ??, Ryan Hunt, 2001/09/18
  - [aclug-L] Re: Hacker or ??, Maverick, 2001/09/18

Prev by Date: [aclug-L] Re: Hacker or ??
Next by Date: [aclug-L] Re: ComputerSurplus
Previous by thread: [aclug-L] Re: Hacker or ??
Next by thread: [aclug-L] Re: Hacker or ??
Index(es):
- Date
- Thread