Fun with httpd logs and code red
François Pinard
pinard at iro.umontreal.ca
Mon Aug 20 08:17:00 EDT 2001
[Ignacio Vazquez-Abrams]
> On Sun, 19 Aug 2001, Stephen Boulet wrote:
> > Just for fun, I wrote the following script to check my apache log for
> > recent code red queries: [...] I have a list with 873 entries. Now
> > what do I do with it? ;)
> Certainly the thing NOT to do is to contact the owners of the offending
> sites [...]
I presume you are kidding. The poor fellows probably do not even know
they are infected. I guess you should warn them, in the nearly hopeless
hope that we get a better network after a while.
Now, the real difficulty is notifying 873 people, who often use non-resolved
IP addresses (5 out of 6 in my statistics), or have their anonymity far too
well "protected" by ISPs which could not care less, or do not have a clue.
A saddening experience.
My Python script for handling such attacks is careful to not report more
than once per offending IP, unless attacks continue for more than 4 days
afterwards. Failed DNS resolutions are really the bottleneck of the whole
processing, so I do them within 100 threads, to get more acceptable speed.
There are two next steps for me. First, I would like to find some Apache
trick so a mere referencing of `/default.ida' would trigger the script in
"single-event" mode. Second, and much more importantly, would be to try
being clever at using "whois", because my current MX finder is a bit crude.
For a while, I'm saving information on this matter. Any opinion welcome.
--
François Pinard http://www.iro.umontreal.ca/~pinard
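As an added example (mine, not the script the post describes), here is the post's reporting policy implemented over Apache common-log lines: detect requests for `/default.ida`, report an offending IP once, and report it again only if probes continue more than 4 days after the last report. The log lines are constructed, and the regex, the 4-day constant and the `last_reported` state dictionary are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache common/combined log prefix; the time looks like 19/Aug/2001:14:02:33 -0400
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
REPORT_GRACE = timedelta(days=4)   # assumed reading of the post's "4 days"

def parse_line(line):
    """Return (ip, timestamp, request) or None if the line is not common-log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TIME_FMT), m.group("req")

def is_code_red(request):
    """Code Red probes the IIS indexing filter with a request for /default.ida."""
    return "/default.ida" in request

def reports_due(lines, last_reported=None):
    """Walk log lines in time order and return {ip: [timestamps at which to report]}.

    last_reported maps ip -> datetime of the previous report (assumed state kept
    between runs). An IP is reported on its first probe, and again only when a
    probe arrives more than REPORT_GRACE after the last report."""
    last_reported = dict(last_reported or {})
    due = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not is_code_red(parsed[2]):
            continue           # unparseable line or ordinary traffic
        ip, ts, _ = parsed
        prev = last_reported.get(ip)
        if prev is None or ts - prev > REPORT_GRACE:
            due.setdefault(ip, []).append(ts)
            last_reported[ip] = ts
    return due

# Constructed sample log (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Aug/2001:14:02:33 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    '198.51.100.7 - - [19/Aug/2001:14:05:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.10 - - [20/Aug/2001:09:15:01 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    '203.0.113.5 - - [21/Aug/2001:03:30:12 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    '192.0.2.10 - - [24/Aug/2001:16:00:00 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    'not a log line at all',
]
```

Running `reports_due(SAMPLE_LOG)` reports 192.0.2.10 twice (19 Aug, then 24 Aug, more than 4 days later) and 203.0.113.5 once; the 20 Aug probe is suppressed and the ordinary request is ignored.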