Curious HTTP GET commands ...
Drew Taylor
drew at drewtaylor.com
Mon Aug 6 00:39:32 EDT 2001
If you're running mod_perl on a server, someone put together an Apache
handler to log these accesses and send email to the MX for the host. I had
to play with the DNS lookups a little to get things to work properly, but
it's working fine now. I modified the Code Red analysis script mentioned on
./ to show the infected hosts attacking me.
All the above code is at http://home.drewtaylor.com/code_red/
At 01:40 AM 8/5/01 +0000, John Chambers wrote:
>--------
>
>Well, what I'd do is look in apache's access_log file, where for example
>I find a line that starts:
>
>207.172.11.232 - - [04/Aug/2001:20:11:27 -0400] "GET
>/default.ida?XXXXXXXXXXXXXX...
>
>This tells me the IP address that the attack came from, and the
>precise time. A script could look up the address, though it need not,
>since you can use IP addresses in email addresses with most unix-type
>mailers. You'd try to send a message to postmaster at 207.172.11.232
>and/or webmaster at 207.172.11.232 first. If those fail, you'd try
>postmaster at 207.172.11.1 and webmaster at 207.172.11.1, which is almost
>always a locally important machine. You'd also want to have the
>script leave a record of where it has sent messages, so you don't
>harass them too often.
>
>Part of the job is already half done, since I have a mail delivery
>program in perl, which I wrote so that I could get good information
>about how some email was failing. I learned a few things about what
>passes for SMTP servers these days, of course. It already knows how
>to make a series of reasonable probes for alternatives if a first
>attempt fails, so adding a few more things like this would be pretty
>easy. All I really need is a wrapper around it that extracts lines
>from the apache log and generates a short message explaining what
>happened. Maybe I'll try it and see if I get any interesting replies.
>
>The biggest problem is that the culprits are mostly MS systems, and a
>lot of them probably lack postmaster and webmaster pseudo-users. I
>wonder what would be some other good guesses for names?
>
>| That's a good idea! Any thoughts on how you would do it?
>|
>| At 12:23 PM 8/4/01 +0000, you wrote:
>| >--------
>| >
>| >| I'm pretty sure that the .ida files are an IIS thing. But I'm not 100%
>| >| sure. I try to stay away from IIS whenever possible. :-)
>| >
>| >OTOH, I'm tempted to write a default.ida script that sends a message
>| >to the postmaster and webmaster at the source machine, informing them
>| >that someone (possibly Code Red) is staging an attack from their
>| >machine. This might help convince some of them that they have a
>| >problem, and we know who they are.
>|
>| Drew Taylor
>| mailto:drew at drewtaylor.com
>| http://www.drewtaylor.com/
>|
Drew Taylor
mailto:drew at drewtaylor.com
http://www.drewtaylor.com/
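A sketch of the wrapper John describes above, as an added example (Python rather than the perl he mentions; not code from this thread or from the code_red page linked above): it pulls /default.ida requests out of access_log, derives the postmaster/webmaster candidates for the source address and its .1 neighbour, and keeps a ledger so a host is contacted at most once per cooldown period. The log lines are constructed for the example; the 24-hour cooldown is an assumed value.

```python
import re
from datetime import datetime, timedelta

# Constructed access_log lines in Apache common log format (not from the post).
SAMPLE_LOG = """\
207.172.11.232 - - [04/Aug/2001:20:11:27 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 281
10.0.0.5 - - [04/Aug/2001:20:12:01 -0400] "GET /index.html HTTP/1.1" 200 1043
207.172.11.232 - - [04/Aug/2001:20:41:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 281
192.0.2.77 - - [05/Aug/2001:03:02:44 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 281
"""

# ip, remote logname, user, [timestamp], "METHOD path protocol"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def code_red_hits(log_text):
    """Yield (ip, datetime) for every GET of /default.ida, the Code Red signature."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path = m.groups()
        if method == "GET" and path.startswith("/default.ida"):
            yield ip, datetime.strptime(ts, TIME_FMT)

def contact_candidates(ip):
    """postmaster/webmaster at the host itself, then at .1 on its /24, as the post
    suggests; RFC 2821 address literals so the IP can be used without a DNS name."""
    neighbour = ip.rsplit(".", 1)[0] + ".1"
    return [f"{user}@[{host}]" for host in (ip, neighbour)
            for user in ("postmaster", "webmaster")]

def plan_notifications(log_text, ledger=None, cooldown=timedelta(hours=24)):
    """Return (ip, first_seen, candidates) for hosts due a notice. `ledger` maps
    ip -> time of last notice, so a host hammering us is contacted once per cooldown."""
    ledger = {} if ledger is None else ledger
    due = []
    for ip, when in code_red_hits(log_text):
        last = ledger.get(ip)
        if last is not None and when - last < cooldown:
            continue  # already told them recently; don't harass
        ledger[ip] = when
        due.append((ip, when, contact_candidates(ip)))
    return due
```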
-
Subscription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).