On Mon, Jan 14, 2002 at 11:14:49AM -0700, Pence, Derek A. wrote:
> I've seen it be very successful. Without going into detail, there's a
> script out there that spammers seem to be passing
> around that automatically formats and submits data to formmail.pl on
> remote boxes. Sure enough... it works like a
> charm. If you are curious about the script they are using, just attach
> a sniffer to your inbound wire and enjoy.

I have added the following lines to my webserver (Apache) configuration:

# ------------------------------------------------------------------------
Alias /cgi-bin/phf          /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /cgi-bin/test-cgi     /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /cgi-bin/formmail.pl  /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /cgi-bin/formmail.cgi /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /cgi-bin/Count.cgi    /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /default.ida          /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /scripts              /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /MSADC                /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /msadc                /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /_vti_bin             /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /_mem_bin             /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /c/winnt              /usr/local/etc/webmgmt/apache/security/watch.cgi

<Directory /usr/local/etc/webmgmt/apache/security>
    AddHandler cgi-script .cgi
</Directory>
# ------------------------------------------------------------------------

This aliases the scripts and the Nimda and Code Red exploits to a Perl
script (watch.cgi). Within this script you can set up email notification
(that's what I do) or do anything else you want. That way you have an easy
realtime notification instead of parsing logfiles once in a while.

Besides the email notification I also trigger another CGI (via watch.cgi)
on a central system to have a centralized collection of issues and feed
them to a small pseudo database. By having the above configuration in some
webservers on our webhosting computers we get a good overall impression
of what's going on.

\Maex

--
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen
asleep yet.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
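
A minimal stand-in for the watch.cgi handler described in the message above, written in Python as an added example; the poster's Perl script is not shown and this is not it. The path prefixes come from the Alias lines; the mail addresses, the 404 reply and the local SMTP relay are assumptions.

```python
#!/usr/bin/env python3
# Added example: a trap handler for the aliased probe paths (not the poster's script).
import os
import re
import smtplib
import sys
from email.message import EmailMessage

# Path prefixes from the Alias lines, grouped by the probe each one indicates.
PROBES = {
    "formmail probe": ("/cgi-bin/formmail",),
    "CGI script probe": ("/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/Count.cgi"),
    "Code Red": ("/default.ida",),
    "Nimda": ("/scripts", "/MSADC", "/msadc", "/_vti_bin", "/_mem_bin", "/c/winnt"),
}
ALERT_FROM = "watch@example.org"    # assumption: placeholder addresses
ALERT_TO = "security@example.org"

def clean(value, limit=200):
    """Neutralise client-controlled text: printable ASCII only, bounded length."""
    return re.sub(r"[^\x20-\x7e]", "?", value or "-")[:limit]

def classify(uri):
    for label, prefixes in PROBES.items():
        if uri.startswith(prefixes):    # str.startswith accepts a tuple
            return label
    return "unclassified"

def build_alert(env):
    """Turn the CGI environment of one trapped request into a mail message."""
    uri = clean(env.get("REQUEST_URI"))
    src = clean(env.get("REMOTE_ADDR"), 45)
    msg = EmailMessage()
    msg["From"], msg["To"] = ALERT_FROM, ALERT_TO
    msg["Subject"] = f"[watch] {classify(uri)} from {src}"
    msg.set_content(
        f"source: {src}\nmethod: {clean(env.get('REQUEST_METHOD'), 10)}\n"
        f"uri:    {uri}\nagent:  {clean(env.get('HTTP_USER_AGENT'))}\n")
    return msg

if __name__ == "__main__":
    alert = build_alert(os.environ)
    sys.stdout.write("Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nNot Found\n")
    try:
        with smtplib.SMTP("localhost", timeout=5) as smtp:    # assumption: local MTA
            smtp.send_message(alert)
    except OSError as exc:
        print(f"watch.cgi: alert not sent: {exc}", file=sys.stderr)
```

Every field in the alert is supplied by the remote client, so `clean()` runs before any value reaches a mail header or the body; a worm outbreak will still produce one mail per hit unless alerts are batched or rate-limited per source.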