On Friday, September 21, 2001, at 12:54 PM, Steve Torrence wrote:

> Is it possible with Perl (or is something else better) to create a script 
> that would alert the administrator of a Code Red type worm that his 
> machine was infected? I know OS X cannot get infected by this but my 4 
> webservers are getting hammered by it and my bandwidth is dwindling. I 
> know one webserver that has a great way of handling this. It's:
>
> <http://CodeRed.mdg.com>

I saw an article on perl.com or use.perl.com in the last couple of 
weeks that detailed a module (Apache::Codered or something like that) 
which does much of what mdg's WS4D app does.

Personally, I've taken a mostly isolationist approach. What I've seen 
on Nimda says that half the time it chooses IPs which match the first two 
octets and an additional quarter match the first octet. By placing a 
filter on my router to block anything matching the first octet and 
then explicitly allowing ranges within that of legitimate previous 
accesses, I've cut the probe rate dramatically.

I'm down from ten or twelve Nimda probe runs an hour to one an hour 
after applying the filters and lately, the last two were separated by 
nearly 23 hours.

-Charles
 [EMAIL PROTECTED]
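
The filter described in the reply above, as an added example that is not part of the original thread: this Perl script reads web-server log lines, tallies worm probes by how many leading octets the source shares with the server, and counts how many a first-octet block with explicit allow ranges would drop. The server address, allow ranges, log lines and probe request paths are constructed assumptions.

```perl
use strict;
use warnings;

# Constructed values: server address, allowed ranges and log lines are samples.
my $server = '10.20.30.40';
my @allow  = ('10.20.30.0/24', '10.50.0.0/16');   # ranges of legitimate previous visitors
# Request paths widely reported for Code Red / Nimda probes (assumption, not from the post).
my $probe  = qr{(?:cmd\.exe|root\.exe|default\.ida)}i;
sub ip2int { my @o = split /\./, shift; return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3] }
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
    return (ip2int($ip) & $mask) == (ip2int($net) & $mask);
}

# How many leading octets does the probing source share with the server?
sub locality {
    my @s = split /\./, $server;
    my @c = split /\./, shift;
    return 'same /16' if $s[0] == $c[0] && $s[1] == $c[1];
    return 'same /8'  if $s[0] == $c[0];
    return 'other';
}

# The filter from the post: drop the server's first octet unless explicitly allowed.
sub filtered {
    my $ip = shift;
    return 0 if grep { in_cidr($ip, $_) } @allow;
    return in_cidr($ip, (split /\./, $server)[0] . '.0.0.0/8');
}

my (%seen, %dropped);
while (my $line = <DATA>) {
    my ($ip, $req) = $line =~ /^(\d+\.\d+\.\d+\.\d+) .*? "(?:GET|HEAD|POST) (\S+)/ or next;
    next unless $req =~ $probe;          # ignore ordinary requests
    my $loc = locality($ip);
    $seen{$loc}++;
    $dropped{$loc}++ if filtered($ip);
}
printf "%-9s probes=%d dropped_by_filter=%d\n", $_, $seen{$_} // 0, $dropped{$_} // 0 for ('same /16', 'same /8', 'other');

__DATA__
10.20.7.9 - - [21/Sep/2001:13:01:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.20.200.14 - - [21/Sep/2001:13:04:40 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.20.30.77 - - [21/Sep/2001:13:09:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
10.99.3.4 - - [21/Sep/2001:13:15:27 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 210
10.50.1.2 - - [21/Sep/2001:13:20:00 -0400] "GET /index.html HTTP/1.0" 200 5120
172.16.5.6 - - [21/Sep/2001:13:31:55 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
```

The third sample line comes from inside an allowed range, so the filter does not drop it; an infected host in a range you have explicitly allowed still reaches the server.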
