Date:      Thu, 27 Sep 2001 19:13:01 -0700
From:      "Kory Hamzeh" <kory@avatar.com>
To:        "The Psychotic Viper" <psyv@sec-it.net>, "Edwin Groothuis" <edwin@mavetju.org>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Apache server log
Message-ID:  <004901c147c3$196f3d80$14ce21c7@avatar.com>
In-Reply-To: <20010928032932.H5555-100000@lucifer.fuzion.ath.cx>

I briefly looked at those scripts and it looks like it does NOT send an e-mail for
each scan attempt, but rather one for each IP address per day. I don't think
that that is unreasonable. All of our web servers have been affected by
Nimda to the point that we had to use filters to block out access to them.
All of this because a certain company doesn't know how to write software
that isn't secure -- instead we get Virus Du Jour.

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of The Psychotic
> Viper
> Sent: Thursday, September 27, 2001 6:54 PM
> To: Edwin Groothuis
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: Apache server log
>
>
> Hi,
>
> On Fri, 28 Sep 2001, Edwin Groothuis wrote:
>
> > On Thu, Sep 27, 2001 at 02:21:48PM -0400, Louis LeBlanc wrote:
> > > On 09/27/01 11:30 AM, Marius Kirschner sat at the `puter and typed:
> > > > Yep, that's Nimda, alright.  Nothing you have to worry about if you run
> > > > a unix system.
> > >
> > > Correct.  However, there's no reason you can't do something about it.
> > > You've heard of Apache::CodeRed?  Well, it's a mod_perl handler.  It
> > > handles the requests for default.ida by looking up the requesting IP
> > > and sending a warning to the web admin and abuse authorities as well
> > > as securityfocus.com.
> >
> > I've created a Code Red & Nimda spammer, which does the same (sending
> > messages about it to the webadmin, abuse, postmaster and the
> > information coming from DNS and whois) but it isn't real-time.
> >
> > See http://www.mavetju.org/networking/tools.phtml for it.
> I agree that notifying admins of things like this could help but an
> automated tool can lead to a DoS of sorts in some circumstances; consider
> the rate of infection/scans and then weigh it up against the actual rate
> of a successful notification and it all seems to be not that much of a
> profitable exercise. The basic idea has been discussed in numerous places
> under different guises, such as responding to scan attempts in different
> ways like these or firewalling methods.
>
> A good example is when in my own case I get about 150+ scans from Nimda
> alone on a dialup connection daily (that's in only a 12-hour period as well,
> on a higher end IP subnet). Now look at your "spammer" and consider that
> you would send out at the very least 5 emails for each scan/attempt, not to
> mention a whois and DNS lookup; that equates to 5*150 (for 12 hours) or
> 5*300 (could be even more). This rate can easily be more or less.
>
> That in the least would cause resources delegated to a task that could
> easily be ignored. Also consider that in most cases those emails would be
> ignored or not help in the case of ISPs who would be inundated with these
> mails and not give it the attention it would deserve.
>
> Basically all I want to say is that such actions can prove futile and
> possibly negative, rather try educating your fellow admins and users as
> best you can with that time. :)
>
> PsyV
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
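The thread's point of contention is whether a notifier fires once per scan or once per source IP per day. The script below is an added example, not Edwin's tool, Apache::CodeRed, or anything else from the thread: it reads Apache Common Log Format lines (the log lines are constructed for the example), picks out the well-known Code Red probe of /default.ida and the Nimda probes for cmd.exe / root.exe, groups hits by (source IP, calendar day), and emits at most one notification per group, skipping any pair the caller has already reported. The `already_sent` set stands in for whatever persistent state a real deployment would keep between runs; it is an assumption of this example.

```python
"""Aggregate Code Red / Nimda probe requests from an Apache access log and
produce at most one notification per source IP per day (added example)."""
import re
from datetime import datetime

# Constructed sample lines in Apache Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2001:10:12:01 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 212
10.0.0.5 - - [27/Sep/2001:10:12:02 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [27/Sep/2001:10:12:03 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.17 - - [27/Sep/2001:11:40:44 -0700] "GET /index.html HTTP/1.1" 200 1043
192.0.2.17 - - [27/Sep/2001:11:41:00 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [28/Sep/2001:02:05:19 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 212
"""

# Common Log Format: host ident user [time] "method path protocol" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Probe paths the worms request: Code Red hits default.ida, Nimda looks for
# cmd.exe / root.exe. Order matters only if a path matched both.
SIGNATURES = (
    ("CodeRed", re.compile(r"/default\.ida", re.IGNORECASE)),
    ("Nimda", re.compile(r"(cmd|root)\.exe", re.IGNORECASE)),
)


def classify(path):
    """Return the worm family a request path matches, or None for ordinary traffic."""
    for family, pattern in SIGNATURES:
        if pattern.search(path):
            return family
    return None


def parse_line(line):
    """Parse one CLF line into (ip, timestamp, path, status); None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path, int(status)


def summarize(log_text):
    """Group probe requests by (source IP, calendar day).

    Returns {(ip, "YYYY-MM-DD"): {"count", "families", "first", "last"}}.
    Ordinary requests and unparseable lines are ignored.
    """
    buckets = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, path, _status = parsed
        family = classify(path)
        if family is None:
            continue
        key = (ip, when.date().isoformat())
        b = buckets.setdefault(
            key, {"count": 0, "families": set(), "first": when, "last": when})
        b["count"] += 1
        b["families"].add(family)
        b["first"] = min(b["first"], when)
        b["last"] = max(b["last"], when)
    for b in buckets.values():
        b["families"] = sorted(b["families"])
    return buckets


def pending_notifications(log_text, already_sent=frozenset()):
    """Build one notification per (ip, day) that is not yet in already_sent.

    already_sent is the caller's persisted set of (ip, day) pairs (assumed
    state for this example); it is what keeps a noisy host from producing a
    message per scan instead of one per day.
    """
    notes = []
    for key, b in sorted(summarize(log_text).items()):
        if key in already_sent:
            continue
        ip, day = key
        notes.append({
            "ip": ip, "day": day, "count": b["count"], "families": b["families"],
            "text": (f"{ip} sent {b['count']} {'/'.join(b['families'])} probe(s) on {day} "
                     f"between {b['first']:%H:%M:%S} and {b['last']:%H:%M:%S}"),
        })
    return notes


if __name__ == "__main__":
    for note in pending_notifications(SAMPLE_LOG):
        print(note["text"])
```

Run on the sample, the three Nimda/Code Red hits from 10.0.0.5 on 27 Sep collapse into a single notification, the next day's hit from the same host is a new one, and the /index.html request is never counted. Whatever transport you bolt on (mail, a ticket, a firewall rule), the dedup key is the part that decides whether the tool behaves like the "one per IP per day" design or the "5 emails per scan" one described in the thread.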
