Here's the one I used on one server: http://www.digitalcon.ca/nimda/ - this one tries to find the address of the netblock coordinator - more likely to be monitored than a given host.
http://freshmeat.net/search/?q=nimda&section=projects <- gives 6 results.. Nimda is a better string to search on since Code and Red are pretty common terms :)

Best regards,
Alfred Werner

On Thu, 2 Jan 2003, alfred wrote:

> http://www.onlamp.com/pub/a/apache/2001/08/16/code_red.html
>
> Freshmeat and Google will turn up a bunch of them ..
>
> On Thu, 2 Jan 2003, A Page in the Life of ... wrote:
>
> > -=> From: Betsy Schwartz <[EMAIL PROTECTED]>
> > -=>
> > -=> That's the Code Red worm which caused so much fuss last year. Won't hurt
> > -=> your Unix server any. You may wish to let the scanning address's owner know
> > -=> that they're infected though
> >
> > Has anyone written a log-parser that walks the logs, finds those lines
> > (possibly strips them out) and contacts webmaster or the like at the
> > originating addresses? Or, being windows boxes, is it likely that they
> > didn't set up those addresses, and it would just be frustrating?
> >
> > -dkap
> >
> > -=> At 10:00 AM 1/2/2003 -0500, Dima wrote:
> > -=>
> > -=> >66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET
> > -=> >/scripts/root.exe?/c+dir HTTP/1.0" 404 282
> > -=> >66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET /MSADC/root.exe?/c+dir
> > -=> >HTTP/1.0" 404 280
> > -=>
> > -=> ---
> > -=> Send mail for the `bblisa' mailing list to `[EMAIL PROTECTED]'.
> > -=> Mail administrative requests to `[EMAIL PROTECTED]'.
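
A sketch of the kind of log parser asked about in the thread, added here as an example and not code from any of the posters or the linked projects: it walks Apache common-log lines, groups the worm probes by source address, and can strip them from the log. It only builds the per-source summary; finding and mailing a contact for each address is left out. The `cmd.exe` and `default.ida` patterns and the last two sample lines are assumptions, not taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')

# root.exe is the request shown in the thread. cmd.exe and default.ida are
# assumptions added here: other request names associated with these worms.
PROBE_RE = re.compile(r'/(?:root|cmd)\.exe\?|/default\.ida\?', re.IGNORECASE)

# First two lines are from the thread (re-joined); the last two are constructed.
SAMPLE = [
    '66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282',
    '66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280',
    '192.0.2.10 - - [02/Jan/2003:08:09:02 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [02/Jan/2003:08:10:15 -0500] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 281',
]

def probe_match(line):
    """Return the parsed match if the line is a worm probe, else None."""
    m = LOG_RE.match(line.strip())
    return m if m and PROBE_RE.search(m["path"]) else None

def find_probes(lines):
    """Group probes by source address so one notice is sent per source."""
    report = defaultdict(lambda: {"count": 0, "first": None, "last": None, "paths": set()})
    for m in filter(None, map(probe_match, lines)):
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        e = report[m["host"]]
        e["count"] += 1
        e["first"] = min(e["first"] or when, when)
        e["last"] = max(e["last"] or when, when)
        e["paths"].add(m["path"].split("?", 1)[0])
    return dict(report)

def strip_probes(lines):
    """Return the log with probe lines removed; unparseable lines are kept."""
    return [ln for ln in lines if probe_match(ln) is None]

if __name__ == "__main__":
    for host, e in sorted(find_probes(SAMPLE).items()):
        print(f"{host}: {e['count']} probe(s), {e['first']:%Y-%m-%d %H:%M:%S %z} "
              f"to {e['last']:%H:%M:%S}, paths: {', '.join(sorted(e['paths']))}")
```

Grouping by source keeps the notification volume to one message per infected host rather than one per request, which matters when a single host probes many paths.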
