code red attacks and real-time blackhole'ng

• Previous message: John Campbell: "RE: Recent Increase in Port 139 Activity"
• In reply to: Harlan S. Barney, Jr.: "Re: Recent Increase in Port 139 Activity"
• Next in thread: red0x: "Re: code red attacks and real-time blackhole'ng"
• Next in thread: maggieat_private: "Re: Recent Increase in Port 139 Activity"
• Next in thread: Frank Knobbe: "RE: Recent Increase in Port 139 Activity"
• Reply: red0x: "Re: code red attacks and real-time blackhole'ng"
• Reply: NESTING, DAVID M (SBCSI): "RE: code red attacks and real-time blackhole'ng"
• Reply: Sean Hunter: "Re: code red attacks and real-time blackhole'ng"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

some time ago I asked if somebody had any idea how to real-time blackhole
ip-adresses to port 80 with ipchains who try to set off the code red virus
variants.

my idea was as follows:

#!/bin/bash
tail -f /var/log/messages | grep -i "codered" | grep -iv proxy | awk '{print $11}' | awk -F : '{print $1}'| 
ipchains -A input -s i `awk '{print $1}'`/255.255.255.255 -d 0/0 80 -i eth1 -j DENY --protocol tcp

Several problems now occur (for some of you probably trivialities):

1) the above port 80 blocking makes sense if tcp and udp are blocked or is tcp sufficient?

2) when I do a tail -n 1000 instead of the tail -f it ipchains bitches because he gets 1000 (not that many 
ofcourse) ip adresses at once but only wants _1_ argument, not a list.

3) when I do a tail -f nothing happens at all, without the ipchains command no output is generated at all 
even if new entries in /var/log/messages appear, but if I tail -n 1000 /var/log/messages and use the above 
pipes, I get a neat list of IP addresses...

My questions: how can I get 2) to work? and then, how 3)?

Any help would be greatly appreciated.






Florian Piekert                floppy@floppy.{de,org,net}

<simply private... need a key? MY PGPP key? eMail me....>

Voice & Fax +1001000010100101011000110110001010110101100

PGP Public Key Fingerprint: 72E9 D42A 51E8 29CA  EE42 6029 5EF6 E9AB

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies.

iQCVAwUBO5lOYX4TBaVbilM9AQFfpQP+MCMWbR7ayUcFVbrAoeIe8asB+Msklv7J
wd7u8bu0wyhD7h9ZGug65jJeN+ynB2Yx5F8TWKAA36yJUy5v2cBjScIg0O48KOQV
GHWB5Jf+X9vVqjOuid0so0Zb0oVcEFr3cjxQHs7vDo1o2ZsQpiPqK/UpPnERepXr
c6NYpQKo3BY=
=FQU9
-----END PGP SIGNATURE-----



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

• Next message: maggieat_private: "Re: Recent Increase in Port 139 Activity"
• Previous message: John Campbell: "RE: Recent Increase in Port 139 Activity"
• In reply to: Harlan S. Barney, Jr.: "Re: Recent Increase in Port 139 Activity"
• Next in thread: red0x: "Re: code red attacks and real-time blackhole'ng"
• Next in thread: maggieat_private: "Re: Recent Increase in Port 139 Activity"
• Next in thread: Frank Knobbe: "RE: Recent Increase in Port 139 Activity"
• Reply: red0x: "Re: code red attacks and real-time blackhole'ng"
• Reply: NESTING, DAVID M (SBCSI): "RE: code red attacks and real-time blackhole'ng"
• Reply: Sean Hunter: "Re: code red attacks and real-time blackhole'ng"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 16:49:14 PDT