These are Nimda and Code Red scans. You are ok, but to count and ban all IPs trying to scan your http header, use the script below:
Pico a filename and insert the script below, chmod it to root and execute; it will print to a file all offending IPs.

---Script Starts HERE---
#!/bin/sh
echo "Nimda worm scanner..."
echo "Checking for root.exe and cmd.exe entries..."

# Count individual scans (grep -c already prints a count, so no "| wc -l" is needed,
# otherwise every result would be 1):
INDIVIDUAL_SCANS1=`grep -c 'cmd.exe' /var/log/httpd/access`
INDIVIDUAL_SCANS2=`grep -c 'root.exe' /var/log/httpd/access`
INDIVIDUAL_SCANS3=`grep -c 'NNNNNNNNNN' /var/log/httpd/access`
INDIVIDUAL_SCANS4=`grep -c 'XXXXXXXXXX' /var/log/httpd/access`

# Count unique source IPs. The client address is taken from field 2 of each log line;
# in Apache's default common log format it is field 1, so adjust "-f" to your log format:
UNIQUE1=`grep 'cmd.exe' /var/log/httpd/access | cut -d ' ' -f2 | sort -u | wc -l`
UNIQUE2=`grep 'root.exe' /var/log/httpd/access | cut -d ' ' -f2 | sort -u | wc -l`
UNIQUE3=`grep 'NNNNNNNNNN' /var/log/httpd/access | cut -d ' ' -f2 | sort -u | wc -l`
UNIQUE4=`grep 'XXXXXXXXXX' /var/log/httpd/access | cut -d ' ' -f2 | sort -u | wc -l`

echo "NIMDA Scans:"
echo "We have received $INDIVIDUAL_SCANS1 scans for cmd.exe from $UNIQUE1 different IP addresses"
echo "We have received $INDIVIDUAL_SCANS2 scans for root.exe from $UNIQUE2 different IP addresses"
echo "Code Red Scans:"
echo "We have received $INDIVIDUAL_SCANS3 scans for Code Red \"N\" from $UNIQUE3 different IP addresses"
echo "We have received $INDIVIDUAL_SCANS4 scans for Code Red \"X\" from $UNIQUE4 different IP addresses"
---Script Ends HERE---

Al-Juhani
[EMAIL PROTECTED]

>===== Original Message From [EMAIL PROTECTED] =====
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:redhat-list-admin@;redhat.com]
>On Behalf Of Daevid Vincent
>Sent: Friday, October 25, 2002 8:15 PM
>To: [EMAIL PROTECTED]
>Subject: Is this a hack attempt?
>
>
>I run RH8.0 so this sure seems suspicious to me:
>
>1-0 25065 0/508/508 _ 6.42 128 0 0.0 130.31 130.31 12.237.249.145
>daevid.com GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>
>4-0 25068 0/519/519 _ 5.86 139 0 0.0 143.76 143.76 12.237.249.145
>daevid.com GET /MSADC/root.exe?/c+dir HTTP/1.0
>5-0 25069 0/518/518 _ 5.84 142 0 0.0 99.62 99.62 12.237.249.145
>daevid.com GET /scripts/root.exe?/c+dir HTTP/1.0
>6-0 25070 0/531/531 _ 6.44 114 0 0.0 129.48 129.48 12.237.249.145
>daevid.com GET
>/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..
>7-0 25071 0/525/525 _ 6.93 117 0 0.0 139.17 139.17 12.237.249.145
>daevid.com GET
>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.
>8-0 25214 0/503/503 _ 5.83 136 0 0.0 118.91 118.91 12.237.249.145
>daevid.com GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
>9-0 25774 0/271/271 _ 4.87 133 0 0.0 119.94 119.94 12.237.249.145
>daevid.com GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
>10-0 26526 0/457/457 _ 5.36 335 0 0.0 100.78 100.78 12.229.31.145
>daevid.com GET /MSADC/root.exe?/c+dir HTTP/1.0
>14-0 26531 0/334/334 _ 3.51 119 0 0.0 89.96 89.96 12.237.249.145
>daevid.com GET
>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.
>
>And so now is there a way I can make a file of IP/domains that are
>banned from contacting my server (all ports)?
>

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@;redhat.com?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
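A cleaned-up version of the counting idea in the reply above, as an added example that is not the poster's script: it builds a small constructed Apache common-log sample (the two 12.x addresses are the ones in the quoted mod_status output; 10.0.0.7 and 192.0.2.9 are made up), counts each worm signature per source, and writes the distinct offending client IPs to a deny list that can be reviewed and fed to a firewall or TCP wrappers. It assumes a POSIX sh with grep -E, awk and mktemp available.

```shell
#!/bin/sh
# Added example, not the poster's script: count Nimda / Code Red probe
# signatures in an Apache common-log file and emit the distinct client IPs.
# The log below is constructed so the script runs stand-alone; point LOG at
# your real access log (e.g. /var/log/httpd/access_log) to use it for real.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
12.237.249.145 - - [25/Oct/2002:20:10:01 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
12.237.249.145 - - [25/Oct/2002:20:10:02 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
12.229.31.145 - - [25/Oct/2002:20:10:03 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.7 - - [25/Oct/2002:20:10:04 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 279
192.0.2.9 - - [25/Oct/2002:20:10:05 -0700] "GET /index.html HTTP/1.0" 200 1043
EOF

# Requests matching a signature. grep -c prints the count itself, so piping
# it into "wc -l" (as in the posted script) would always report 1.
count_hits() {                # $1 = pattern, $2 = log file
    grep -c -- "$1" "$2"
}

# Distinct client IPs sending that signature (field 1 in common log format).
count_sources() {             # $1 = pattern, $2 = log file
    grep -- "$1" "$2" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Every distinct IP that sent any worm signature, one per line, sorted.
offending_ips() {             # $1 = log file
    grep -E -- 'cmd\.exe|root\.exe|NNNNNNNNNN|XXXXXXXXXX' "$1" \
        | awk '{print $1}' | sort -u
}

report() {                    # $1 = log file
    for sig in cmd.exe root.exe NNNNNNNNNN XXXXXXXXXX; do
        echo "$sig: $(count_hits "$sig" "$1") requests from" \
             "$(count_sources "$sig" "$1") distinct IPs"
    done
}

report "$LOG"
# Deny list: review it, then load it into iptables or /etc/hosts.deny.
offending_ips "$LOG" > "$LOG.deny"
echo "deny list written to $LOG.deny"
```

The legitimate 192.0.2.9 request is left out of the deny list because it matches none of the signatures, which is the check worth keeping when you point this at a real log.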