[Dshield] IIS Logs
admin at forum.hottubnap.com
Fri Mar 29 06:56:44 GMT 2002
Well, I've been running a Perl "StrikeBack" script on my Apache
server for a little over a month. Although I've yet to see it shut
down an infected machine, it DOES trigger a firewall rule rather
nicely whenever Perl.exe accesses the internet in response to a Code
Red or Nimda probe. I'm working on a way to have it post a console
message to the infected computer, which would remain on the victim's
screen until they hit OK. Been sending them manually so far, and in
only one case has it failed to get the user's attention. Haven't had
but one repeat scan.
-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf
Sent: Thursday, March 28, 2002 8:44 PM
To: 'list at dshield.org'
Subject: RE: [Dshield] IIS Logs
Jeff> Mine fills up rapidly with all the Code Red/Nimda scans. It
seems like it would make sense to send in everything with a 404 and
a cmd.exe
My little parser tool is currently looking for these not nice things.
It does generate some false positives if someone inside searches for,
for instance, 'winnt', but it's pretty rare to look up the above list.
I run Apache, so those above requests are definitely not friendly.
I am 'almost' ready to send raptag beta testers (all 15, counting) a
version of raptag.pl that can read in Snort .rules files for
things. http://www.tagartengineering.com/raptag.html Why not use a
top-notch IDS's signatures to help analyze firewall logs?
Every angle helps.
Snort is great.
> -----Original Message-----
> From: Jeff Miller [SMTP:jrm.wa at verizon.net]
> Sent: Thursday, March 28, 2002 7:20 PM
> To: list at dshield.org
> Subject: [Dshield] IIS Logs
> Is anybody sending in IIS logs?
> Mine fills up rapidly with all the Code Red/Nimda scans. It seems
> like it would make sense to send in everything with a 404 and a
> cmd.exe footprint.
> Or am I smoking crack <again>?
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
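Added example, not raptag.pl and not code posted by anyone in this thread: a small Python scanner that does what the two posts describe. It reads Apache combined-format log lines, takes its match strings from the content:/uricontent: fields of Snort-style rules, and reports per-source hits, with an option to keep only the "404 + cmd.exe" style probes so that an internal user searching for "cmd.exe" or "winnt" does not show up. The rule text (local-range sids), the log lines and the IP addresses are constructed for the example; the combined log format, plain-text rule content only (no |hex| byte sections) and the 404 filter are assumptions.

```python
"""Flag Code Red / Nimda probes in Apache combined-format logs, using the
content strings from Snort-style rules as the signature list.  Added example,
not raptag.pl; the rules and log lines below are constructed."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Snort-style rules (sids in the local >= 1000000 range).
RULES = """
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS root.exe access"; flow:to_server,established; content:"root.exe"; nocase; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; sid:1000003; rev:1;)
"""

# Constructed Apache combined-format lines: two worm-style scanners from outside
# and one internal user whose search query happens to contain "cmd.exe".
LOG = """\
203.0.113.7 - - [28/Mar/2002:19:20:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
203.0.113.7 - - [28/Mar/2002:19:20:02 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301 "-" "-"
203.0.113.7 - - [28/Mar/2002:19:20:03 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319 "-" "-"
198.51.100.9 - - [28/Mar/2002:19:31:44 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 289 "-" "-"
192.168.1.23 - - [28/Mar/2002:19:40:10 -0500] "GET /search.cgi?q=winnt+cmd.exe HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.168.1.23 - - [28/Mar/2002:19:40:12 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

# Apache common/combined log format (assumption: the server logs this way).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Only the Snort fields used here: msg, content/uricontent and a trailing nocase.
# Plain-text content only; |hex| byte sections are not handled (assumption).
MSG_RE = re.compile(r'msg:"([^"]+)"')
CONTENT_RE = re.compile(r'(?:uri)?content:"([^"]+)";((?:\s*nocase;)?)')


def load_rules(rules_text):
    """Turn Snort-style 'alert' lines into (msg, [(pattern, nocase), ...])."""
    rules = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith("alert"):
            continue  # blank lines, comments, other actions
        msg = MSG_RE.search(line)
        contents = [(c, bool(flag)) for c, flag in CONTENT_RE.findall(line)]
        if msg and contents:
            rules.append((msg.group(1), contents))
    return rules


def parse_line(line):
    """Parse one log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode twice so double-encoded traversal (..%255c.. -> ..%5c.. -> ..\..)
    # is matched as the plain text the targeted server would eventually see.
    rec["decoded"] = unquote(unquote(rec["uri"]))
    return rec


def match_rule(decoded_uri, contents):
    """True when every content string of the rule occurs in the decoded URI."""
    for pattern, nocase in contents:
        hay, needle = (decoded_uri.lower(), pattern.lower()) if nocase else (decoded_uri, pattern)
        if needle not in hay:
            return False
    return True


def scan(log_lines, rules, require_404=False):
    """Return {ip: [(rule_msg, raw_uri, status), ...]} for requests matching a rule.
    With require_404=True only 404 responses count: the "404 + cmd.exe" footprint,
    which drops a legitimate 200 from an internal user searching for 'cmd.exe'."""
    hits = defaultdict(list)
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or (require_404 and rec["status"] != 404):
            continue
        for msg, contents in rules:
            if match_rule(rec["decoded"], contents):
                hits[rec["ip"]].append((msg, rec["uri"], rec["status"]))
                break  # first matching rule is enough for the report
    return dict(hits)


def top_sources(hits):
    """[(ip, hit_count), ...] sorted by count descending, then by address."""
    return sorted(((ip, len(v)) for ip, v in hits.items()), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    loaded = load_rules(RULES)
    for ip, n in top_sources(scan(LOG.splitlines(), loaded, require_404=True)):
        print(f"{ip}\t{n} worm-style 404s")
```

Run it as-is to see the per-source report for the constructed log; point `LOG` at a real access_log and `RULES` at a Snort web-iis ruleset to use it for real. Without `require_404=True` the internal search line is reported too, which is exactly the false positive the post mentions; with it, only the 404s from the scanning hosts remain.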