[linux-help] Re: new Nimba worm help.
[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]
If you looked at the script I included, the list of IPs blocked is saved
in /var/tmp/blocked.
Thus you already have a (unique) list of IPs that are infected if you
use this script or one with similar logic.
AND the list in this file is not limited to those addresses you find by
greping for "65."
Even if all you wanted was a list of IP addresses affected, the script I
sent would work. Just remove the part of the line that writes the rule
to ipchains and the rest of it will generate a unique list for you.
james l wrote:
>
> Root/Great Overall Dictator replies:
> > I don't use bsd, but whatever the command line would be for adding a new
> > rule for the filter would work. The only key here is the use of the
> > variable host to get the ip address to add into the new filter rule.
> >
>
> Might be useful for those of us with firewalls (fraizierwall, but should work
> with any ipchains log), to find out who is infected (at least those who
> haven't already done this :)
>
> grep 80 firewall.005.log | grep 65. | cut -f 9 -d ' ort | cut -f 1 -d ':' |
> uniq
>
> (output can be redirected to a file with > $FILENAME, and
> firewall.005.log needs to be changed to whatever the file you have the log in
> is, sorry about kmail's wrapping)
>
> I myself don't know RR's abuse email. I have found 41 ips within 65.*.*.*
> Does anyone know RR's IP range?
>
> James L
>
> -- This is the linux-help@xxxxxxxxx list. To unsubscribe,
> visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
-- This is the linux-help@xxxxxxxxx list. To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
|
|