Subject: Re: follow-up to httpd question
From: Mike Tibor (tibor@lib.uaa.alaska.edu)
Date: Wed Jan 16 2002 - 14:59:14 AKST

On Wed, 16 Jan 2002, Justin Dieters wrote:
>
> As a follow up, I looked at my logs again; I have tons of those blocks in
> the log every day. Doing 'cat access_log | grep winnt > access_log_winnt'
> shows that approximately 75% of the lines in my log have "winnt" in them,
> and they are not all from the same IP, but probably better than half are
> from 24.237.X.X. I think some of the others are ACS DSL IPs, iirc...

Yep, those are either nimda, code red or a variant. There was lots of
discussion on this when those worms first hit. You might do some searches
on the archive:
http://www.lib.uaa.alaska.edu/aklug/
Jim Courtney had one solution that I liked quite a bit:
http://www.lib.uaa.alaska.edu/aklug/archive/2001-12/0344.html
Mike
--
Mike Tibor  Univ. of Alaska Anchorage  (907) 786-1001 voice
Network Technician  Consortium Library  (907) 786-6050 fax
tibor@lib.uaa.alaska.edu  http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey for PGP public key
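
The tally discussed in this thread (what share of access_log lines are worm probes, and which source networks send them), as an added example that is not part of the original messages. The Apache Common Log Format layout, the signature substrings other than "winnt", and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" \d{3} \S+')
IPV4 = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')

# Assumed request substrings; the post itself only greps for "winnt".
SIGNATURES = {"winnt": "cmd.exe probe", "root.exe": "root.exe probe",
              "default.ida": "default.ida probe"}

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [16/Jan/2002:10:00:01 -0900] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 280
192.0.2.77 - - [16/Jan/2002:10:00:04 -0900] "GET /d/winnt/system32/cmd.exe HTTP/1.0" 404 280
198.51.100.5 - - [16/Jan/2002:10:01:12 -0900] "GET /scripts/root.exe HTTP/1.0" 404 271
203.0.113.9 - - [16/Jan/2002:10:02:30 -0900] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270
192.0.2.200 - - [16/Jan/2002:10:03:00 -0900] "GET /index.html HTTP/1.0" 200 1043
198.51.100.20 - - [16/Jan/2002:10:03:45 -0900] "GET /about.html HTTP/1.0" 200 512
192.0.2.31 - - [16/Jan/2002:10:04:10 -0900] "GET /MSADC/root.exe HTTP/1.0" 404 270
192.0.2.10 - - [16/Jan/2002:10:05:02 -0900] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 280
""".splitlines()

def classify(request):
    """Return the label of the first matching signature, or None."""
    lowered = request.lower()
    for needle, label in SIGNATURES.items():
        if needle in lowered:
            return label
    return None

def summarize(lines):
    """Share of probe requests, with tallies by label and by source network."""
    total, by_label, by_source = 0, Counter(), Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines instead of miscounting them
        total += 1
        host, request = m.groups()
        label = classify(request)
        if label:
            by_label[label] += 1
            # Group IPv4 clients as a.b.X.X; keep resolved hostnames as-is.
            src = ".".join(host.split(".")[:2]) + ".X.X" if IPV4.match(host) else host
            by_source[src] += 1
    hits = sum(by_label.values())
    return {"total": total, "hits": hits, "share": hits / total if total else 0.0,
            "by_label": dict(by_label), "by_source": by_source.most_common()}
```

Calling `summarize(open("access_log"))` gives the same figures for a real log; the `by_source` list shows whether one network dominates before deciding on a filter.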