At 09:53 AM 7/20/2001, you wrote:
>On Fri, 20 Jul 2001 09:00:44 +0200, Andre Bonhote mumbled something
>like:
> >>Sorry to be teacherish, but why the two pipes? I mean
> >>grep '\.ida' /var/log/httpd/access | wc -l
> >>does the job. Just quote the period and it's not a regexp anymore.
>
>Don't apologize for being teacherish; it helps!
>I piped it twice because Shimi piped it twice, and to be honest I
>didn't know it could be written the way that you did it. I thought
>that to look through a file you had to 'cat' or 'head' the file and
>pipe the output through grep.
>*sheepish look*
>I know now, though! Thank you!
>
> >>Where's the problem? I mean, 247 hits, in a not mentioned timespan
> >>nothing new, right? We don't run Winslows boxes, so we don't have
> >>to
> >>care. Tell me when I am completely wrong there.
>
>Well from reading some of the URLs posted, I learned that infected
>boxes start scanning the same first IP and then generate a set of
>random IPs to scan based off of that one. For each instance of the
>worm the infected machine runs 9 threads (10 if it's not an english
>machine) looking to infect other machines, and many machines end up
>scanning the same IPs over and over. They re-infect each other,
>causing more instances of the worm and threads...scanning the same
>IPs...
Actually I think the articles say they run 100 threads and that number 100 
is reserved to see if the machine uses the English (US) language.  If not 
then that one tries to find other machines also.
It also does not say this will all stop after the 20th.  It says after the 
20th it will try and contact the old Whitehouse IP address and if it 
connects it will do its thing.  Thus when we get to the 1st of August this 
may all start again.


>And it just means a major rise in hits to our servers if we get into
>the random IP generation. These wasted hits will skyrocket our
>bandwidth and could (if there were enough of them) effectively
>provide a denial of service to our machines simply from the mass
>traffic.  I realized,  after I wrote that, that the 247 hits was from
>the entire day (since I was looking through the access log that had
>been flushed out at 4:01 am) rather than just one hour, which was my
>original thought process.

The random IP generator seemed to always start with the same IPs before 
really becoming random.  The thought process here is that maybe the 
originator of the worm was one of them and could see just how many machines 
had been infected.  The fact that it started to grow was not unusual.  It is 
just a factorial.  5 machines each get 5 which each get 5 which get 5, you 
know, 5*5*5*5 etc.  You know it goes from 5 to 25 to 125 to 625 to 3125 to 
15625 and it gets bigger faster.  It appears that eEye only started getting 
hit on Friday the 13th and it grew from there.  They say about 500,000 
tries per day and 196,000 infected by 3pm on the 19th of July.

>So no, you're right, 247 wasted hits in one day (compared to one
>hour) isn't much; but I worry because my IPs are getting into that
>random generation. When someone sees what a failure the attack was on
>whitehouse.gov (aiming directly for the IP rather than the FQDN
>itself) they'll re-write it and make it better - already have, I
>think, since the # of infected machines jumped massively between 4am
>and noon yesterday - and so I worry that next month when this
>rewritten thing rolls around again, I'm going to be offline simply
>from wasted requests from infected machines - an effective denial of
>service.
>
>Am I off-base here, worrying too much?

247 for the day is not too bad, but how many IP addresses do you have on 
the machine?  If you only have one you are better off.  The more IPs you 
have on a machine, the more impact you will feel.  If you had a block of 
say only 128 IPs, you would be around 32000; boy, is this making your log 
files grow.

And for those who have not read about it being found and taken apart
http://www.eeye.com/html/Research/Advisories/AL20010717.html

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
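The thread counts worm probes with grep '\.ida' access_log | wc -l and notes that the period must be escaped. The script below is an added example, not code from anyone in this thread: it parses a constructed sample of Apache common-log lines (the .ida query payload is a placeholder, not the worm's real request), shows why the unescaped pattern over-counts (it also matches "florida.html"), and tallies the probes per source IP so repeat scanners stand out. The file names and sample addresses are assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed sample of Apache common-log lines; PLACEHOLDER stands in for the
# worm's query string. 10.0.0.x and 192.0.2.x are example addresses.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2001:04:12:01 -0400] "GET /default.ida?PLACEHOLDER HTTP/1.0" 404 281
10.0.0.9 - - [19/Jul/2001:04:12:03 -0400] "GET /default.ida?PLACEHOLDER HTTP/1.0" 404 281
192.0.2.7 - - [19/Jul/2001:04:13:10 -0400] "GET /florida.html HTTP/1.1" 200 4096
10.0.0.5 - - [19/Jul/2001:04:15:44 -0400] "GET /default.ida?PLACEHOLDER HTTP/1.0" 404 281
192.0.2.8 - - [19/Jul/2001:04:16:02 -0400] "GET /index.html HTTP/1.1" 200 1024
"""

# Common log format: ip ident user [timestamp] "method target protocol" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return the fields of one common-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def count_regex_hits(log_text, pattern):
    """Equivalent of `grep -c PATTERN access_log`: number of lines matching a regex."""
    rx = re.compile(pattern)
    return sum(1 for line in log_text.splitlines() if rx.search(line))


def is_ida_probe(fields):
    """True when the requested path, with any query string stripped, ends in .ida."""
    path = fields["target"].split("?", 1)[0]
    return path.lower().endswith(".ida")


def ida_probes_by_source(log_text):
    """Count .ida probes per source IP; repeat offenders show the re-scanning behaviour."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and is_ida_probe(fields):
            counts[fields["ip"]] += 1
    return counts


if __name__ == "__main__":
    # Unescaped '.ida' also matches "florida.html"; the escaped form counts only .ida requests.
    print("unescaped '.ida' matches:", count_regex_hits(SAMPLE_LOG, r".ida"))
    print("escaped '\\.ida' matches: ", count_regex_hits(SAMPLE_LOG, r"\.ida"))
    for ip, n in ida_probes_by_source(SAMPLE_LOG).most_common():
        print(f"{ip:>15}  {n} probe(s)")
```

To run it over a real log, replace SAMPLE_LOG with the contents of the access file; the per-source tally is the figure worth watching over time, since the thread's concern is the same infected hosts returning to the same addresses.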
