On Fri, 21 Sep 2001, Andrew Blevins wrote:

> Still getting attempts over here, but only about three to five a
> second, instead of 70. We're on the 209.242 block.

it continues unabated here. the only slowdowns we have been seeing are
due to the filters we're putting in place and the fact that people are
(slowly) cleaning their damned systems up.

for instance, on our local network (129.22/16) we're filtering
identified infected machines at the nearest subnet router. this has
dramatically lowered the total number of hits on servers in any one
subnet. for instance, today by this time (1pm GMT-5) we're down from 33
unique hosts in the past three days to 4 so far today, only two of which
are local machines.

here's a small script for apache machines to identify the hosts on your
network which are nimda infected. tailor the "tail -n NNNN" to suit your
site's hit rate, and it assumes the default apache logfile format.

    #!/bin/sh
    #
    # run me in your apache logfile directory
    # jose nazario joseat_private 21sep01
    #
    # tailor the tail count to your site's hit rate; assumes the default
    # apache logfile format (client IP in field 1, timestamp in fields 4-5)
    for i in `tail -n 20000 access_log | grep '\.exe' | awk '{print $1}' | sort | uniq`
    do
            # match the IP exactly on field 1: a plain "grep $i" treats the dots
            # as wildcards and also matches 192.168.1.45 when looking for 192.168.1.4
            TIME=`awk -v ip="$i" '$1 == ip {t = $4 " " $5} END {print t}' access_log`
            echo "$i $TIME"
    done

this will spit out answers in this form:

    192.168.1.45 [21/Sep/2001:06:39:59 -0400]

hope this helps some of you.

____________________________
jose nazario joseat_private
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management and tracking system
please see: http://aris.securityfocus.com
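A tighter version of the same idea, added here as an example and not part of Jose's post or the list: instead of flagging every request for a ".exe" (which also catches a legitimate download of, say, setup.exe), it matches the cmd.exe/root.exe request paths that Nimda's IIS probes ask for, compares the client IP exactly on field 1, and reports hit count and last-seen time per host. The log lines are constructed for the example; the file name nimda_sample and the function name nimda_hosts are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: list hosts whose requests match
# Nimda-style IIS probes in an Apache common/combined-format log file.
# Output: one line per host, "ip hits last_seen".

# Constructed sample log (assumption: not a real capture). 10.0.0.7 and
# 10.0.0.9 send Nimda probes; 10.0.0.70 downloads a legitimate .exe;
# 10.0.0.12 is an ordinary visitor.
SAMPLE_LOG="${TMPDIR:-/tmp}/nimda_sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.7 - - [21/Sep/2001:06:39:59 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.70 - - [21/Sep/2001:06:40:02 -0400] "GET /downloads/setup.exe HTTP/1.1" 200 51234 "-" "Mozilla/4.0"
10.0.0.7 - - [21/Sep/2001:06:40:10 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.9 - - [21/Sep/2001:07:01:33 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.7 - - [21/Sep/2001:07:02:15 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.12 - - [21/Sep/2001:07:05:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
EOF

# nimda_hosts [LOGFILE]   (reads stdin when no file is given, so you can
# feed it "tail -n 20000 access_log" as in the original script)
# Field layout of the default Apache format: $1 client IP, $4 $5 timestamp,
# $7 request path. Only requests whose path names cmd.exe or root.exe are
# counted, so a plain download of some .exe is not reported.
nimda_hosts() {
    awk '
        tolower($7) ~ /(cmd|root)\.exe/ {
            hits[$1]++
            last[$1] = $4 " " $5
        }
        END {
            for (ip in hits) print ip, hits[ip], last[ip]
        }
    ' "${1:--}" | sort
}

# Stand-alone run over the constructed sample.
nimda_hosts "$SAMPLE_LOG"
```

Against the sample this prints 10.0.0.7 with 3 hits (last seen 07:02:15) and 10.0.0.9 with 1 hit; 10.0.0.70 and 10.0.0.12 are not listed. The exact-match on $1 matters for the same reason as in the original: a substring or unanchored regex match on "10.0.0.7" would also pick up 10.0.0.70.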
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 11:24:42 PDT