[Dshield] New To List, Few Questions.

Taps Taps at Iniquity.Org
Wed Aug 8 21:50:16 GMT 2001


Greetings,

I am currently employed by a small company with a T1 connection through
the internet.  We are using an Ascend (Now Lucent) Pipeline 130 Router.
There is a firewall behind it, but only a few ports are open to get
through to the servers.  95% of the traffic is stopped by the ports
blocked on the router.

I do have the ability to send that information to a syslog port
somewhere, and I am currently using Kiwi's SyslogD for Windows to
monitor that router.

After watching the route for a few minutes, I am making a guess that I
am blocking between 5 and 6 requests a second to random IP addresses on
port 80.  None of these are published anywhere as valid HTTP servers.
Noticing that they are all coming from the same IP addresses in a row, I
am led to believe that they are Code Red infected computers searching
for more victims.  When opening the IPs in a browser, I am seeing that
they are all coming from IIS servers.

What I am wondering is if there is a client for Dshield.Org that will
interpret the syslogd logs to use.  I am not able to write a client to
do so.  Is anyone else in a similar situation?


* Taps 
* Taps at Iniquity.Org 
* Http://Www.Iniquity.Org <http://www.iniquity.org/>  
* 191618 
*"What spirit is so empty and blind, that it cannot recognize the fact
that the foot is more noble than the shoe, and skin more beautiful than
the garment with which it is clothed?" -- Michaelangelo 




