Domain: dshield.org
Stories and comments across the archive that link to dshield.org.
Comments · 264
-
Well
I'm an @home user, and even though running servers is against the TOS for basic @home cable modem, I strongly oppose any measures at blocking port 80 outright. Why? Because I, like a number of people, am using tools to log the code red attempts that come into my machine, and I send my logs to DShield.org. This is important, I believe, for tracking the progress and severity of the worm.
As somebody suggested for Road Runner, the ISPs should scan for vulnerable IIS servers specifically, and block THEM. @Home certainly has the ability... My logs show dozens of scans and security checks by them every day, so a Code Red-oriented scan probably wouldn't be much more of a stretch for their security systems.
Just my 2 cents.
-
Re:Repository of infected IP addresses
Well, right now a lot of people are sending their logs to Dshield, who then notify the owners of the infected machines. grep default.ida access_log* | mail -s 'APACHE' redalert@dshield.org
-
Some Individual Forensics
-
Re:Help track this: submit your logs to dshield!
Too bad they don't take snort logs.
Please let me quote from DShield's Linux Clients page:
"If you are using Snort, download dshield_snort.pl. or the snort portscan format client: snort_portscan.pl"
-
Re:Help track this: submit your logs to dshield!
Take a look at http://www.dshield.org/howto.html, it says how to submit snort logs.
-
Re:Help track this: submit your logs to dshield!
Does anyone else find it ironic that vunerabilities.org, a security scanning site, is listed in the top ten attackers on dshield.org? At least, it is listed as of 16:45 EDT.
-
Help track this: submit your logs to dshield!
You might want to consider submitting your apache logs to dshield. This will help keep track of the extent of this problem as well as help to analyze where it may have originated. If the dshield folks can correlate the earliest attacks of the latest variant, they have a chance at finding where this thing originated.
Submissions can be made by following these instructions.
-
Re:It's certainly more ambitious...
Well, many organizations are doing this automagically. All they want is your logs.
DShield has a system setup. Just execute this command if you run Apache in your log directory:
grep 'default.ida' access_log* | mail -s 'APACHE' redalert@dshield.org
This way they can identify all the compromised hosts and contact the owners.
The ARIS team @ SecurityFocus is doing something similar
-
Re:logs
I've said it before, I'll say it again:
From http://dshield.org/codered.html:
As you have probably heard, the Code Red worm has infected over 100,000 machines running Microsoft IIS, and the total is rising. We need to identify the infected machines so that the owners of these machines can be notified so that they can be fixed. We are appealing to DShield submitters to do a special one time only submission for log entries that contain this information.
Linux and other *NIX users can do this by changing to the directory where your web server logs are located and executing a script like this:
grep 'default.ida?NNNNN' access_log | mail -s 'APACHE' redalert@dshield.org
-
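The grep-and-mail one-liner quoted above ships the raw matching lines to DShield, which then has to work out which hosts are infected and which variant hit first. As an added example (not from the page or from DShield), the script below parses Apache common log lines, selects the Code Red probes, and reports per-source first-seen time, hit count and filler character (N for the original worm, X for Code Red II); the log lines are constructed samples using documentation addresses.

```python
import re
from datetime import datetime

# Constructed sample access_log lines (not real captures); real Code Red
# requests carry a few hundred filler characters, shortened here.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jul/2001:10:02:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 285
203.0.113.9 - - [19/Jul/2001:10:05:40 -0400] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [19/Jul/2001:10:31:55 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 285
192.0.2.44 - - [19/Jul/2001:09:58:03 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 285
not a log line at all
"""

# Apache common log format: client ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Code Red probes /default.ida with a run of N (Code Red I) or X (Code Red II)
CODE_RED_RE = re.compile(r'^/default\.ida\?(?P<filler>[NX])\1*')


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for a non-CLF line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('path'), int(m.group('status'))


def code_red_lines(log_text):
    """The raw lines the quoted grep would mail: anything mentioning default.ida."""
    return [l for l in log_text.splitlines() if 'default.ida' in l]


def summarize(log_text):
    """Per source IP: first-seen time, number of probes, and filler variants seen."""
    hosts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines instead of miscounting them
        ip, ts, path, _status = parsed
        m = CODE_RED_RE.match(path)
        if not m:
            continue
        entry = hosts.setdefault(ip, {'first_seen': ts, 'count': 0, 'variants': set()})
        entry['first_seen'] = min(entry['first_seen'], ts)
        entry['count'] += 1
        entry['variants'].add(m.group('filler'))
    return hosts


def earliest_sources(log_text):
    """Probing hosts ordered by first hit, for correlating where a variant began."""
    hosts = summarize(log_text)
    return sorted(hosts, key=lambda ip: hosts[ip]['first_seen'])
```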
Re:An observation...
Hey, folks -- mail those logs!
From http://dshield.org/codered.html:
As you have probably heard, the Code Red worm has infected over 100,000 machines running Microsoft IIS, and the total is rising. We need to identify the infected machines so that the owners of these machines can be notified so that they can be fixed. We are appealing to DShield submitters to do a special one time only submission for log entries that contain this information.
Linux and other *NIX users can do this by changing to the directory where your web server logs are located and executing a script like this:
grep 'default.ida?NNNNN' access_log | mail -s 'APACHE' redalert@dshield.org
-
Another site with real time stats.....
Incidents.org is major hosed (i.e. slashdotted)
Dshield.org has some stats going too. Looks like 23,400 infections as of around 10AM EDT....
-
distributed intrusion detection system
another site that is related...but not as full featured is this
-
Re:I'll toss in $5
No need to spend bucks. Just join DShield.org