Security Incidents mailing list archives

RE: Yet Another Nimda Thread (YANT)


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Fri, 21 Sep 2001 14:22:52 -0400 (EDT)

On Fri, 21 Sep 2001, Andrew Blevins wrote:

> Still getting attempts over here, but only about three to five a
> second, instead of 70. We're on the 209.242 block.

it continues unabated here. the only slowdowns we have been seeing are due
to the filters we're putting in place and the fact that people are
(slowly) cleaning their damned systems up.

for instance, on our local network (129.22/16) we're filtering identified
infected machines at the nearest subnet router. this has dramatically
lowered the total number of hits on servers in any one subnet. for
instance, today by this time (1pm GMT-5) we're down from 33 unique hosts in
the past three days to 4 so far today, only two of which are local
machines.

here's a small script for apache machines to identify the hosts on your
network which are nimda-infected. tailor the "tail -NNNN" to suit your
site's hit rate, and it assumes the default apache logfile format.

#!/bin/sh
#
# run me in your apache logfile directory
# jose nazario jose () cwru edu 21sep01
#
# quote the pattern: an unquoted \.exe reaches grep as ".exe", where "."
# matches any character, so /exec.html would be flagged too
for i in `tail -20000 access_log | grep '\.exe' | awk '{print $1}' | sort |\
uniq`
do
 # anchor on the first field so 10.0.0.1 does not also match 10.0.0.12
 TIME=`grep "^$i " access_log | tail -1 | awk '{print $4" "$5}'`
 echo "$i       $TIME"
done


this will spit out answers in this form:

192.168.1.45    [21/Sep/2001:06:39:59 -0400]

hope this helps some of you.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
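An added example, not Jose's script: the same host lister done in one awk pass, with an exact match on the client field, the ".exe" test limited to the request path, and a hit count per source. The log lines are constructed to mimic the default apache format; the source addresses and requests in them are made up.

```sh
#!/bin/sh
# Added example, not the script from the original post. One-pass awk
# version of the nimda host lister: compares the client field exactly
# (so 10.0.0.1 does not also pull in 10.0.0.12), matches ".exe" only in
# the request path (an unquoted grep \.exe passes ".exe" to grep, where
# "." matches any character, so /exec.html would be flagged too), and
# prints a hit count beside the last-seen time.
# Assumes the default apache common/combined log format.

# Constructed sample lines standing in for access_log.
SAMPLE_LOG='10.0.0.1 - - [21/Sep/2001:06:39:59 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.12 - - [21/Sep/2001:06:40:03 -0400] "GET /index.html HTTP/1.0" 200 1534
10.0.0.1 - - [21/Sep/2001:06:40:10 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.7 - - [21/Sep/2001:06:41:22 -0400] "GET /exec.html HTTP/1.0" 200 88
10.0.0.7 - - [21/Sep/2001:06:42:00 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210'

# nimda_hosts LOGFILE [N]
# Prints "ip<TAB>hits<TAB>[last hit]" for every source that requested a
# .exe in the last N lines (default 20000), busiest source first.
nimda_hosts() {
    tail -n "${2:-20000}" "$1" | awk '
        # $1 = client, $4 $5 = bracketed timestamp, $7 = request path
        $7 ~ /\.exe/ { hits[$1]++; last[$1] = $4 " " $5 }
        END { for (ip in hits) printf "%s\t%d\t%s\n", ip, hits[ip], last[ip] }
    ' | sort -k2,2nr
}

# stand-alone run against the constructed sample
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
nimda_hosts "$tmp"
rm -f "$tmp"
```

Run it in the apache log directory as `nimda_hosts access_log 20000`; the hosts it lists are the candidates for the subnet-router filter described above.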


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

