Security Incidents mailing list archives
RE: Yet Another Nimda Thread (YANT)
From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Fri, 21 Sep 2001 14:22:52 -0400 (EDT)
On Fri, 21 Sep 2001, Andrew Blevins wrote:
> Still getting attempts over here, but only about three to five a second, instead of 70. We're on the 209.242 block.
it continues unabated here. the only slowdowns we have been seeing are due to the filters we're putting in place and the fact that people are (slowly) cleaning their damned systems up. for instance, on our local network (129.22/16) we're filtering identified infected machines at the nearest subnet router. this has dramatically lowered the total number of hits on servers in any one subnet. for instance, today by this time (1pm GMT-5) we're down from 33 unique hosts in the past three days to 4 so far today, only two of which are local machines.

here's a small script for apache machines to identify the hosts on your network which are nimda infected. tailor the "tail -NNNN" to suit your site's hitrate, and it assumes the default apache logfile format.

#!/bin/sh
#
# run me in your apache logfile directory
# jose nazario jose () cwru edu 21sep01
#
# list every client that requested a *.exe URL in the last 20000 log lines,
# with the timestamp of its most recent request. the pattern is quoted so the
# shell does not strip the backslash before grep sees it.
for i in `tail -20000 access_log | grep '\.exe' | awk '{print $1}' | sort | uniq`
do
	# anchor on the client field so 10.1.1.1 does not also match 10.1.1.10
	TIME=`grep "^$i " access_log | tail -1 | awk '{print $4" "$5}'`
	echo "$i $TIME"
done

this will spit out answers in this form:

192.168.1.45 [21/Sep/2001:06:39:59 -0400]

hope this helps some of you.

____________________________
jose nazario jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
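As an added example (not part of Jose's post or any tool from the thread), the same check written in Python: it parses Apache common/combined log format lines, flags every client whose request path contains ".exe", and reports how many such requests each client made and when it was last seen. It goes slightly beyond the shell one-liner by counting hits per host and skipping lines that do not parse. The log lines embedded below are constructed samples, not real traffic, and the field layout is the stock Apache format the post assumes.

```python
#!/usr/bin/env python3
"""Report clients that requested .exe URLs in an Apache access log."""
import re
import sys
from collections import OrderedDict

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
192.168.1.45 - - [21/Sep/2001:06:39:59 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.7 - - [21/Sep/2001:06:40:03 -0400] "GET /index.html HTTP/1.1" 200 1043
192.168.1.45 - - [21/Sep/2001:06:41:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.9 - - [21/Sep/2001:06:42:00 -0400] "GET /images/logo.gif HTTP/1.1" 200 5120
this line is garbage and must be skipped
10.0.0.9 - - [21/Sep/2001:06:45:30 -0400] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
"""

# client - user [time] "METHOD path HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# ".exe" at the end of the path or followed by a query/path separator;
# case-insensitive because the target filesystems are.
EXE_RE = re.compile(r'\.exe(?:$|[?/;])', re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_exe_requesters(lines):
    """Map client -> {"count", "last_seen"} for clients that requested .exe paths.

    Clients are kept in order of first sighting; unparsable lines are skipped.
    """
    hits = OrderedDict()
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None or not EXE_RE.search(rec["path"]):
            continue
        entry = hits.setdefault(rec["host"], {"count": 0, "last_seen": None})
        entry["count"] += 1
        entry["last_seen"] = rec["time"]  # later lines overwrite earlier ones
    return hits


def format_report(hits):
    """One line per client in the same 'host [time]' shape as the shell script."""
    return [f'{host} [{e["last_seen"]}] ({e["count"]} hits)'
            for host, e in hits.items()]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report = format_report(find_exe_requesters(fh))
    else:
        report = format_report(find_exe_requesters(SAMPLE_LOG.splitlines()))
    print("\n".join(report))
```

Run it with the path to access_log as the only argument, or with no argument to see it work on the embedded sample. As with the shell version, anything serving legitimate .exe downloads will show up too, so review the list before filtering a host at the router.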