CodeRed - simple attacks analyzer

From: Daniel Kiper (dkiperat_private)
Date: Wed Aug 08 2001 - 04:29:40 PDT


    Hello
    
    First, sorry for my English.
    
    Yesterday I prepared a very, very simple script
    for analyzing CodeRed attacks. The script
    reads error logs (LogLevel warn) from an Apache server
    (you may set the source directory in the script - LOG_DIR)
    and generates four files in the directory "YYYYMMDD"
    (you may set the destination directory in the script - DIR):
    
    cr-attacks.txt - file with full info
    ip-date.txt - IP of attacker and date.
                  You may send this file to the address
                  aris-reportat_private
    ip.txt - all IPs of attackers (unique)
    summary.txt - total attacks and total unique IPs
    
    Below I have attached the script with example results.
    
    Tested on Linux Debian 2.1
    with apache-ssl 1.3.9.13-3.
    
    Read the code and configure it for your needs.
    
    If you don't pass a parameter, all info is
    prepared for the previous day.
    
    cr-attacks 0 - info for today
    
    cr-attacks 1 - previous day
    
    cr-attacks 10 - ten days ago
    
    I'm waiting for your questions and suggestions.
    
    Daniel Kiper - dkiperat_private
    
    

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
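The attached script is not reproduced in this archive. As an added example (not Daniel Kiper's code), the Python below performs the analysis the post describes: it selects one day's Code Red probes from an Apache error log and builds the four output files. The error_log line layout, the `default.ida` marker, the output line formats and all function names are assumptions, and the log lines are constructed.

```python
import re
from datetime import date, datetime, timedelta
from pathlib import Path

# Assumed Apache 1.3 error_log layout: [timestamp] [level] [client IP] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$")
# Assumption: a Code Red probe is logged as a failed request for this path.
MARKER = "default.ida"

# Constructed sample input (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
[Tue Aug  7 03:15:02 2001] [error] [client 192.0.2.10] File does not exist: /var/www/default.ida
[Tue Aug  7 03:15:40 2001] [error] [client 198.51.100.7] File does not exist: /var/www/default.ida
[Tue Aug  7 09:01:11 2001] [error] [client 192.0.2.10] File does not exist: /var/www/default.ida
[Tue Aug  7 09:30:00 2001] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
[Wed Aug  8 00:00:05 2001] [error] [client 203.0.113.9] File does not exist: /var/www/default.ida
[Tue Aug  7 10:00:00 2001] [warn] child process 123 still did not exit
""".splitlines()


def analyze(lines, days_ago=1, today=None):
    """Collect probes logged `days_ago` days before `today` (default: previous day)."""
    target = (today or date.today()) - timedelta(days=days_ago)
    full, ip_date = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or MARKER not in m["msg"]:
            continue  # not a per-client entry, or not a probe
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        if ts.date() == target:
            full.append(line)
            ip_date.append(f"{m['ip']} {ts:%Y-%m-%d %H:%M:%S}")
    ips = sorted({entry.split()[0] for entry in ip_date})
    summary = f"total attacks: {len(full)}\ntotal unique IPs: {len(ips)}"
    return {"day": f"{target:%Y%m%d}", "cr-attacks.txt": full,
            "ip-date.txt": ip_date, "ip.txt": ips, "summary.txt": [summary]}


def write_report(report, dest="."):
    """Write the four files into <dest>/YYYYMMDD, the layout the post describes."""
    out = Path(dest) / report["day"]
    out.mkdir(parents=True, exist_ok=True)
    for name in ("cr-attacks.txt", "ip-date.txt", "ip.txt", "summary.txt"):
        (out / name).write_text("\n".join(report[name]) + "\n")
    return out
```

Timestamps are parsed with English day and month names, so run it under a C or English locale.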



    This archive was generated by hypermail 2b30 : Wed Aug 08 2001 - 11:05:09 PDT