Re: cmd.exe root.exe in apache logs (php script included)


From: Buddha (buddha@gci.net)
Date: Wed Apr 10 2002 - 00:02:41 AKDT


Since people brought this up again...

I found some PHP code a while back that would count the # of CodeRed hits
in your Apache logs, to which I added a scan for Nimda hits. This could be
modified to check your firewall logs too, I suppose. Doesn't do anything
real useful except count the hits for each and put them on a web page.
Code has the # of hits since last Sunday (since that's when my logs rotate).

BTW: Looks like CodeRed is completely dead, as I've received no hits at all
in the last few months. Nimda, on the other hand, is still going strong in
the GCI block of addresses.

-Jim "Buddha" McMorris

<?php
    /************************************************
    ** OpenSource - Code Red Counter
    *************************************************
    ** Created by the http://www.CodeHeadz.net team
    *************************************************/

    /********************************************************************
    * Nimda scanner hacked on by Buddha.
    * just a simple cut-n-paste of the scan code, changed variable names,
    * and changed the unique text (mem_bin) scanned for.
    *********************************************************************
    */
    $file = "/var/log/httpd/error_log";
    // Read the whole error log into memory; stop if it cannot be opened.
    $fp = fopen($file, "r");
    if ($fp === false) {
        die("Cannot open $file");
    }
    $contents = fread($fp, filesize($file));
    fclose($fp);
    // $count = Code Red hits (requests for default.ida); the dot is escaped
    // so it only matches a literal ".".
    $count = preg_match_all('/(default\.ida)/', $contents, $match);
    // $count1 = Nimda hits (requests containing mem_bin).
    $count1 = preg_match_all('/(mem_bin)/', $contents, $match);

?>
CodeRed Hits

Code Red Hits





Nimda Hits since last Sunday
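
As an added example (not part of the original post or the CodeHeadz script), here is the same count done in Python, reading the log one line at a time and also reporting how many distinct client addresses produced the hits for each worm. The `[client ...]` error_log layout, the function names, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Same two marker strings the PHP script searches for.
SIGNATURES = {
    "CodeRed": re.compile(r"default\.ida"),
    "Nimda": re.compile(r"mem_bin"),
}
# Assumed error_log layout: the source appears as "[client a.b.c.d]".
CLIENT = re.compile(r"\[client ([^\]\s]+)\]")

# Constructed sample lines (documentation addresses), not real log data.
SAMPLE_LOG = """\
[Sun Apr  7 04:12:01 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/default.ida
[Sun Apr  7 09:30:44 2002] [error] [client 198.51.100.7] File does not exist: /var/www/html/scripts/root.exe
[Sun Apr  7 09:30:45 2002] [error] [client 198.51.100.7] File does not exist: /var/www/html/_mem_bin/..%5c../winnt/system32/cmd.exe
[Mon Apr  8 11:02:13 2002] [error] [client 198.51.100.7] File does not exist: /var/www/html/_mem_bin/..%5c../winnt/system32/cmd.exe
[Mon Apr  8 17:45:00 2002] [error] [client 203.0.113.5] File does not exist: /var/www/html/_mem_bin/..%5c../winnt/system32/cmd.exe
[Tue Apr  9 08:00:00 2002] [error] [client 192.0.2.99] File does not exist: /var/www/html/favicon.ico
""".splitlines()


def count_worm_hits(lines):
    """Return (hits, sources): total hits and a per-client Counter for each worm."""
    hits = Counter({name: 0 for name in SIGNATURES})
    sources = defaultdict(Counter)
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits[name] += 1
                m = CLIENT.search(line)
                sources[name][m.group(1) if m else "unknown"] += 1
                break  # a line counts for at most one worm
    return hits, sources


def report(lines):
    """Map each worm name to (total hits, number of distinct clients)."""
    hits, sources = count_worm_hits(lines)
    return {name: (hits[name], len(sources[name])) for name in SIGNATURES}


if __name__ == "__main__":
    # Pass an open file object instead of SAMPLE_LOG to scan a real log.
    for name, (total, distinct) in report(SAMPLE_LOG).items():
        print(f"{name}: {total} hits from {distinct} distinct clients")
```

The root.exe line in the sample is not counted because it lacks the mem_bin marker, so only lines carrying the marker add to the Nimda total.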
