Security Incidents mailing list archives
code red attacks and real-time blackhole'ng
From: "Florian Piekert" <floppy () floppy org>
Date: Sat, 08 Sep 2001 01:46:56 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hi, some time ago I asked if somebody had any idea how to real-time blackhole ip-adresses to port 80 with ipchains who try to set off the code red virus variants. my idea was as follows: #!/bin/bash tail -f /var/log/messages | grep -i "codered" | grep -iv proxy | awk '{print $11}' | awk -F : '{print $1}'| ipchains -A input -s i `awk '{print $1}'`/255.255.255.255 -d 0/0 80 -i eth1 -j DENY --protocol tcp Several problems now occur (for some of you probably trivialities): 1) the above port 80 blocking makes sense if tcp and udp are blocked or is tcp sufficient? 2) when I do a tail -n 1000 instead of the tail -f it ipchains bitches because he gets 1000 (not that many ofcourse) ip adresses at once but only wants _1_ argument, not a list. 3) when I do a tail -f nothing happens at all, without the ipchains command no output is generated at all even if new entries in /var/log/messages appear, but if I tail -n 1000 /var/log/messages and use the above pipes, I get a neat list of IP addresses... My questions: how can I get 2) to work? and then, how 3)? Any help would be greatly appreciated. Florian Piekert floppy@floppy.{de,org,net} <simply private... need a key? MY PGPP key? eMail me....> Voice & Fax +1001000010100101011000110110001010110101100 PGP Public Key Fingerprint: 72E9 D42A 51E8 29CA EE42 6029 5EF6 E9AB -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies. iQCVAwUBO5lOYX4TBaVbilM9AQFfpQP+MCMWbR7ayUcFVbrAoeIe8asB+Msklv7J wd7u8bu0wyhD7h9ZGug65jJeN+ynB2Yx5F8TWKAA36yJUy5v2cBjScIg0O48KOQV GHWB5Jf+X9vVqjOuid0so0Zb0oVcEFr3cjxQHs7vDo1o2ZsQpiPqK/UpPnERepXr c6NYpQKo3BY= =FQU9 -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Recent Increase in Port 139 Activity John Campbell (Sep 07)
- Re: Recent Increase in Port 139 Activity Harlan S. Barney, Jr. (Sep 07)
- code red attacks and real-time blackhole'ng Florian Piekert (Sep 07)
- Re: code red attacks and real-time blackhole'ng red0x (Sep 08)
- Re: code red attacks and real-time blackhole'ng Sean Hunter (Sep 14)
- Re: Recent Increase in Port 139 Activity maggie (Sep 07)
- code red attacks and real-time blackhole'ng Florian Piekert (Sep 07)
- Re: Recent Increase in Port 139 Activity H C (Sep 09)
- <Possible follow-ups>
- RE: Recent Increase in Port 139 Activity Frank Knobbe (Sep 07)
- RE: Recent Increase in Port 139 Activity John Campbell (Sep 07)
- RE: Recent Increase in Port 139 Activity John Campbell (Sep 10)
- Re: Recent Increase in Port 139 Activity Harlan S. Barney, Jr. (Sep 07)