Crap, you're right....my bad. It's late and I should go to bed, but there's a horrible fascination in watching the comments roll in and seeing what this is doing...
From http://dshield.org/codered.html:
As you have probably heard, the Code Red worm has infected over 100,000 machines running Microsoft IIS, and the total is rising. We need to identify the infected machines so that the owners of these machines can be notified so that they can be fixed. We are appealing to DShield submitters to do a special one-time-only submission for log entries that contain this information.
Linux and other *NIX users can do this by changing to the directory where your web server logs are located and executing a script like this:
grep 'default.ida?NNNNN' access_log | mail -s 'APACHE' redalert@dshield.org
Lots of arp who-has? I've been getting that here at 216. too...deliberately started up apache just to have something to catch the attempts, but nothing yet -- just all those damn arps. Makes for boring tcpdump watching, that's for sure...
Fuck me...read a little farther down where it says that, based on random scans of the 359k IP addresses infected last time 'round, they estimate that thirty percent are still infected!
What the fuck? What the fuck is going on? How the fuck is it that I can have old ladies calling me up at work (tech support for an ISP) and asking if the reason they can't pick up their email is because of the Code Red worm, 'cos they saw the press conference and, hey, they're wondering, and something like 105,000 separate IP addresses are still infected? Did the rapture happen when I wasn't looking, and God took the people responsible for these computers, those left behind couldn't find the passwords anywhere? How is this possible?
(I know, I know; not everyone lives w/in viewing distance of CNN, default installations of MS whatever -- but still, this absolutely amazes me.)
Mmm...IIRC, the worm is memory-resident -- so while installing the patch doesn't require a reboot, you do need to take it down if you *have* been infected in order to clear it out of memory.
But I could be wrong. Hell, I remember the last time that happened. I believe it was a Thursday...
I'm only 29, but I've used them before. Read on, and hear a tale of wonder and woe...
When I was growing up, I had a set of encyclopedias that had been my mom's when she was growing up. It was called Our Wonderful World, and was published in 1953 or so. (If anyone knows where to get a set, leave a note -- my parents sold them...grr.) It was a great set of books, but the technology was pretty out of date. Between that and the old, old selection of books on science in the libraries of the towns I grew up in, I was forever frustrated that I couldn't find a Foobly67 vacuum tube to build a radio with.
One of the things I read about was how to use a slide rule; that and all the slipstick references (paging Dr. Freud!) in Heinlein made me lust after one. But where the hell to get them?
I ended up making my own. Of course, I didn't know carpentry, so I made it from two strips of paper that I had carefully marked out on a sorta-logarithmic scale. It worked pretty well, considering that I guessed at where numbers like 3 and 5 should end up -- I was able to multiply 2 and 3 and come up with 6.3.
This was in high school, and a math teacher saw me demonstrating how to use a slide rule to (vastly interested, I'm sure) friends. He took pity on me, and gave me a couple that he had from the dark days before cheap Taiwanese pocket-sized calculators. I also got a copy of the manual that came with one of them -- they were complicated things! -- and learned about how to do roots, cube roots, sines and cosines. I got relatively accomplished (relatively meaning that any competition was at least ten hours drive away), and used it to discover a wonderful proof of Fermat's last theorem; unfortunately, my pen wouldn't write on the plastic of the slide rule and so it was lost.
I haven't got one now, but this makes me want to check out Ebay and get one. If Heinlein has taught me anything, it's "Keep It In The Family"^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H"Keep Your Slipstick Handy" -- you never know when civilization will collapse around you.
Re:Make a decision, folks (on ORBS Forks)
Bingo. If you've got nothing to hide, why send it from Korea? Why fake all the headers? Why make it so hard to figure out who sent you the message, and how it got to you in the first place, if you want my business? Because you're breaking any number of points in the AUP of any half-decent ISP, that's why, and because you KNOW it.
I'm with you on this. I work for a small/mid-sized ISP, and one of the things I do is keep track of the procmail filter we run on incoming messages. Some random bit of info & thoughts:
- We catch, on average, something like 200 messages per hour; that works out to about 30k-35k messages per week. Check out the latest results here (http://selenium.dowco.com/spam/spam.html for the goatse.cx paranoid).
- Our customers have 56k modems or slower, and they're not terribly clueful for the most part (then again, I work on the help desk, so that's all I see). So not only does it take up time while the meter's ticking to download it, there's a significant chunk of them that don't understand that spam is, unfortunately, epidemic on the net, or that spammers won't remove their names, or that they're hawking pyramid schemes that just won't work. Add to that a call every now and then from someone genuinely upset and offended about pr0n spam, and it makes for an interesting time talking them down from the ledge...
- Upshot is that spam costs us the ISP, and them the customer, a lot to deal with the crap that keeps flooding in. You shouldn't have to be paranoid about handing out your email address on the net, or posting it in plain sight, for fear that you'll be hacking your way through MAKE MONEY NOW for the rest of your email address' life.
- Remember that scene in Futurama where Fry goes on the Virtual Reality Net of the Future, and they get dive-bombed by spam messages and have to take cover? That's no kind of net that I want to have, or to have to deal with, and I don't think it should be up to the customer or the ISP to pay to read crap.
But I agree: doing something just to see how to do it is important. Sometimes you need to reinvent the wheel just so you can see how someone ever came across the whole idea of "round" in the first place.
Hm...fair point, but I was thinking more about the programming side of thing...not necessarily the same as what you're mentioning.
It's all well and good to say don't reinvent the wheel, or read the howtos, but how do you get to learn about not only how to do something but all the pitfalls in doing so other than by doing the thing yourself and by screwing up in the process?
It's not me...you really are that drunk, right? I don't want to be gratuitously insulting, but not a lot of what you say makes sense. If I'm missing something, please explain it to me.
If your attacker is sniffing packets on your local area network you have bigger problems than the fact that they might eavesdrop on your X session.
Excellent point. However -- and this is a broader point than merely this article -- I wanted to learn how to do this sort of thing. There's a constant urging in Unix circles not to reinvent the wheel -- yet how do you ever learn to do something other than by trying to reinvent the wheel?
I suspect that mainly it's cos 1) this is a pretty UNIX-heavy forum, and 2) grepping logs and such is easier/more common in Unix than in MSLand.
LOL...got me, I admit it. Nice one.
grep ida /foo/bar/log | awk '{print $1}' | sort | uniq |\
awk '{print "<a href=\"http://" $1 "\">" $1 "</a><br>"}'
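An added example, mine rather than code from the comments above or from DShield, that does the same job as the quoted grep-and-mail extract and the grep | awk | sort | uniq one-liner in this comment: it matches on the request path instead of anywhere in the line, covers both worm variants (Code Red v1/v2 requests /default.ida?NNNN..., Code Red II requests /default.ida?XXXX...), and counts probes per source. The log lines are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example: extract Code Red probe sources from an Apache access log.
# Not the DShield script or the commenter's one-liner; same idea, tightened.
set -e

# Constructed sample access_log in Apache combined format (not real traffic):
# two probing hosts, one of them twice, plus one legitimate request whose
# user agent happens to contain "ida" and must not be counted.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [04/Aug/2001:01:02:03 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN=a HTTP/1.0" 404 274 "-" "-"
198.51.100.7 - - [04/Aug/2001:01:05:41 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=a HTTP/1.0" 404 274 "-" "-"
203.0.113.5 - - [04/Aug/2001:01:06:00 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0 (ida)"
192.0.2.10 - - [04/Aug/2001:01:09:17 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN=a HTTP/1.0" 404 274 "-" "-"
EOF

# Print every Code Red probe line, i.e. what a DShield-style submission
# would carry. In common/combined format field 7 is the request path, so
# anchoring there ignores lines that only mention "ida" in referer or agent.
codered_lines() {
    awk '$7 ~ /^\/default\.ida[?](N|X)+/' "$1"
}

# Print "hits ip" for each probing source, busiest first.
codered_sources() {
    codered_lines "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Number of distinct probing sources (the figure the comments count by hand).
codered_source_count() {
    codered_sources "$1" | wc -l | tr -d ' '
}

codered_sources "$SAMPLE_LOG"
echo "distinct sources: $(codered_source_count "$SAMPLE_LOG")"
```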
So 3133t it hurts...
Holiday weekend here in Canada...one more day of this. Oh boy.
Cancel my above comments -- in the twenty minutes since starting up Apache, I've logged 7 unique IPs all in 216., all CRII.
Mail those logs!
"Unnecessary zoom!!! Unnecessary zoom!!!"
Fuck me...just checked my little 486 playpen box here and it's the same. Fortunately it's Apache on Linux....scary.
LOL...ah, mercy.
Uh, that's all. I'd give a lot for mod points to give you right now.
My sympathies go out to his family and friends.