Patrik Fältström wrote:
> --On 08/07/2001 9:21 AM -0400 Bobby Krupczak <[EMAIL PROTECTED]> wrote:
> 
> 
>>>Well, folks, my packet suckers have shown a Code Red II attack from a 
>>>machine on the IETF meeting net.  It's 217.33.140.38 -- if you have 
>>>that address, you need to disinfect and patch your machine.  For the 
>>>rest of you, be careful...
>>>
>>Do you always snoop on traffic at IETFs?
>>
>>Just curious.  Don't read anything else into my question.
>>
> 
> You don't have to snoop. Just run a webserver on port 80 on your local host
> and look at the virus trying to attack your local laptop.
> 
> I run a local apache, and the logs are full of things like these:
> 
> 217.33.136.83 - - [07/Aug/2001:14:32:44 +0100] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc
> bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 271
> 217.33.24.50 - - [07/Aug/2001:14:36:21 +0100] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc
> bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 271
> 
>      paf
> 

Well, it's my bad luck that I'm missing the meeting; perhaps I need to 
invite all the guys (girls are welcome too) for some beer :)

OK back to subject

Yes I must say I just hate these buggers

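# Tag any request whose path ends in .ida
SetEnvIf Request_URI \.ida$ bugger
# Tagged requests go to their own log, everything else to the usual one
CustomLog logs/bugger_log common env=bugger
CustomLog logs/access_log common env=!bugger
# error_log is written by ErrorLog, which takes no env= condition;
# a CustomLog pointed at it would only add access-format lines there.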

This would make it so the .ida requests don't go in the usual log but in 
their own specific log.
I haven't had the chance to try this, but I don't consider my apache box 
on the private 192.168.* subject to the attacks

And for those ppl who hate "scanners" I recommend:
http://www.thinkgeek.com/stuff/things/38df.html

Good luck with the meetings everyone

/John

-- 
Webgiro AB
---------------------
+46-850640765 Phone
+46-850640701 Fax
+46-733864346 Cellular
RIPE handle: JA4953-RIPE
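
An added example, not part of the original messages: a small Python triage script that reads Apache "common" format lines like the ones quoted above and lists which source hosts sent overflow-style requests for a .ida path. The sample lines, the documentation-range addresses, the thresholds and the function names are constructed for illustration, and the encoded part is a placeholder rather than the bytes seen in the thread.

```python
import re

# Apache "common" format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) \S+$')
# Request line whose path ends in .ida, with an optional query string.
IDA = re.compile(r'^[A-Z]+ /[^?\s]*?\.ida(?:\?(\S*))?(?: |$)', re.IGNORECASE)
# Heuristic (assumed thresholds): 64+ repeats of one filler character
# plus at least four %uXXXX escapes in the query string.
FILLER = re.compile(r'(.)\1{63,}')
PCT_U = re.compile(r'%u[0-9a-fA-F]{4}')

def classify(line):
    """Return (host, time, status, kind) for a .ida request, else None."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, when, request, status = m.groups()
    r = IDA.match(request)
    if not r:
        return None
    query = r.group(1) or ""
    overflow = bool(FILLER.search(query)) and len(PCT_U.findall(query)) >= 4
    return host, when, int(status), "overflow-probe" if overflow else "ida-request"

def probing_hosts(lines):
    """Map source host -> [probe count, first seen, last seen]."""
    seen = {}
    for line in lines:
        hit = classify(line)
        if hit and hit[3] == "overflow-probe":
            rec = seen.setdefault(hit[0], [0, hit[1], hit[1]])
            rec[0] += 1
            rec[2] = hit[1]
    return seen

# Constructed sample input; real log entries are one line each.
_FILL = "X" * 224
_ENC = "%u4141" * 8  # placeholder escapes, not the worm's payload
SAMPLE_LOG = [
    f'192.0.2.10 - - [07/Aug/2001:14:32:44 +0100] "GET /default.ida?{_FILL}{_ENC}=a HTTP/1.0" 404 271',
    f'198.51.100.7 - - [07/Aug/2001:14:36:21 +0100] "GET /default.ida?{_FILL}{_ENC}=a HTTP/1.0" 404 271',
    '203.0.113.5 - - [07/Aug/2001:14:37:00 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [07/Aug/2001:14:38:10 +0100] "GET /docs/help.ida HTTP/1.0" 404 271',
    f'192.0.2.10 - - [07/Aug/2001:14:40:02 +0100] "GET /default.ida?{_FILL}{_ENC}=a HTTP/1.0" 404 271',
]

if __name__ == "__main__":
    for host, (count, first, last) in sorted(probing_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {count} probe(s), first {first}, last {last}")
```
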
