[Dshield] IIS Logs

Forum Admin admin at forum.hottubnap.com
Fri Mar 29 06:56:44 GMT 2002


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	Well, I've been running a perl "StrikeBack" script on my Apache
server for a little over a month. Although I've yet to see it shut
down an infected machine, it DOES trigger a firewall rule rather
nicely whenever Perl.exe accesses the internet in response to a code
red or nimda probe. I'm working on a way to have it post a console
message to the infected computer, which would remain on the victim's
screen until they hit OK. Been sending them manually so far, and in
only one case has it failed to get the user's attention. Haven't had
but one repeat scan.


- -----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of Jim Tagart
Sent: Thursday, March 28, 2002 8:44 PM
To: 'list at dshield.org'
Subject: RE: [Dshield] IIS Logs


	Jeff> Mine fills up rapidly with all the code red/nimda scans.  It seems like it would make sense to send in everything with a 404 and a cmd.exe footprint.

Howdy Jeff,

My little parser tool is currently looking for these not nice things to request...

/winnt|cmd.exe|default.ida|worm.com|root.exe|ctleq.asp|msadc|owssrv.dll|shtml.exe|formmail/


It does generate some false positives if someone inside searches Google, say for instance for 'winnt', but it's pretty rare to look up the above list, unless it's me.

I run Apache so those above requests are definitely not friendly.

I am 'almost' ready to send raptag beta testers, all 15 counting myself, the version of raptag.pl that can read in Snort .rules files for reporting bad things.  http://www.tagartengineering.com/raptag.html  Why not use a top-notch IDS's signatures to help analyze firewall logs?

Every angle helps.

http://www.snort.org 
Snort is great.

Jim

> -----Original Message-----
> From:	Jeff Miller [SMTP:jrm.wa at verizon.net]
> Sent:	Thursday, March 28, 2002 7:20 PM
> To:	list at dshield.org
> Subject:	[Dshield] IIS Logs
> 
> Is anybody sending in IIS logs?
> 
> Mine fills up rapidly with all the code red/nimda scans.  It seems
> like it would make sense to send in everything with a 404 and a
> cmd.exe footprint.  
> 
> Or am I smoking crack <again>?
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPKQQKpkmeTuuwg2cEQKHOwCbBQg3P/C9arLOn6iLdMUjCl1gjrEAoIxN
psMKtCjIHNXDmdyKmt/+zZxE
=l3bQ
-----END PGP SIGNATURE-----
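The thread above boils down to one detection idea: run Jim's list of "not nice" request strings over web server logs and treat a hit (typically a 404, as Jeff notes) as a Code Red/Nimda probe worth reporting. The script below is an added illustration of that idea in Python; it is not raptag.pl or any other code from the thread. It assumes Apache combined log format, the sample log lines are constructed (RFC 5737 documentation addresses, not real sources), and the function names (parse_line, is_hostile, scan) are the example's own. To address the false positive Jim mentions, the pattern is applied to the request path only, so a Google search term in a referer header or a query string does not trigger it.

```python
import re
from collections import Counter

# Jim's pattern from the thread, with the dots escaped so that "cmd.exe"
# does not also match "cmdXexe" (a small tightening, not from the original).
BAD_PATHS = re.compile(
    r"/winnt|cmd\.exe|default\.ida|worm\.com|root\.exe|ctleq\.asp"
    r"|msadc|owssrv\.dll|shtml\.exe|formmail",
    re.IGNORECASE,
)

# Apache "combined" log format (assumption: the server logs in this format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two worm-style probes from one host, one Code Red style
# probe from another, and two benign requests that mention "winnt" only in a
# referer or query string (Jim's false-positive case).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2002:19:20:01 -0800] "GET /scripts/root.exe HTTP/1.0" 404 276 "-" "-"
203.0.113.7 - - [28/Mar/2002:19:20:02 -0800] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 291 "-" "-"
198.51.100.3 - - [28/Mar/2002:19:21:10 -0800] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 283 "-" "-"
192.0.2.44 - - [28/Mar/2002:19:22:33 -0800] "GET /index.html HTTP/1.1" 200 1532 "http://www.google.com/search?q=winnt+tips" "Mozilla/4.0"
192.0.2.44 - - [28/Mar/2002:19:22:40 -0800] "GET /search.cgi?q=winnt HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Split one combined-format log line into fields, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_hostile(entry):
    """True if the request PATH (not query string, not referer) matches the list.

    Restricting the match to the path is what keeps a visitor who arrived from a
    Google search for 'winnt', or who searched this site for it, out of the report.
    """
    path = entry["target"].split("?", 1)[0]
    return bool(BAD_PATHS.search(path))


def scan(lines):
    """Return (hostile entries, Counter of probes per source IP)."""
    hits = []
    per_ip = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; a real tool would count these
        if is_hostile(entry):
            hits.append(entry)
            per_ip[entry["ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ip"]} {h["status"]} {h["method"]} {h["target"]}')
    print("probes per source:", dict(per_ip))
```

The status code is kept on each hit rather than used as a filter: on an Apache box every one of these requests should 404, so a 200 against the same pattern would itself be worth a second look. Narrowing the match to the path trades a little recall for precision; a signature set read from Snort rules, as Jim planned, would replace the hand-written BAD_PATHS list but the same parse-then-match loop applies.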
