Automated handling of Code Red HTTP requests


Post by wolfgan » Sat, 08 Sep 2001 21:58:23



I wrote two bash scripts to handle HTTP requests from CodeRed-infected
machines.

The first one extracts the typical lines from Apache logs and sends the

The second one does whois lookups at whois.RIPE.net for the IPs of those
machines and notifies the tech-c email address automatically.

Also, various known IP blocks' dedicated abuse email addresses are used
for the notifications.

The second script will only work on European servers in its current form;
for American IPs, and thus for whois.ARIN.net lookups, it would have to be
modified, since ARIN uses a different whois database format.

So the second script should mostly be of interest if your HTTP server is
located in Europe.

http://test.skepcat.com/Coderedcheck.zip

cheers
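The log-extraction step the first script performs, as an added example (this is not the poster's Coderedcheck.zip, which is not reproduced on this page). Code Red v1/v2 probes request /default.ida with a long run of N characters in the query string and Code Red II uses a run of X characters, both followed by %u-encoded shellcode, so a GET for /default.ida with that padding is the stable fingerprint. The function assumes Apache common or combined log format with the client address in the first field; the sample log lines are constructed for this example:

```shell
#!/bin/sh
# Added example: pull the source addresses of Code Red probes out of
# Apache access-log lines. Assumes common/combined log format (client
# address is the first field). Not the original poster's script.

# codered_ips: read access-log lines on stdin, print each probing IP once,
# prefixed with the number of probes seen from it, most active first.
# Requests for a bare /default.ida without the N/X padding are left out;
# they are not the worm's signature.
codered_ips() {
    grep -E 'GET /default\.ida\?(N|X){20,}' |
    awk '{ count[$1]++ } END { for (ip in count) print count[ip], ip }' |
    sort -rn
}

# Constructed sample lines (combined log format); not from a real server.
# 10.0.0.5 probes twice with Code Red's N padding, 198.51.100.9 once with
# Code Red II's X padding, the other two lines are not worm traffic.
SAMPLE_LOG='10.0.0.5 - - [08/Sep/2001:21:12:03 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 289 "-" "-"
192.0.2.17 - - [08/Sep/2001:21:14:55 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.5 - - [08/Sep/2001:21:20:41 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 289 "-" "-"
198.51.100.9 - - [08/Sep/2001:21:31:07 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 289 "-" "-"
203.0.113.44 - - [08/Sep/2001:21:33:19 +0200] "GET /default.ida HTTP/1.0" 404 289 "-" "-"'

# Run against the sample; for a real server use e.g.
#   codered_ips < /var/log/apache/access_log
printf '%s\n' "$SAMPLE_LOG" | codered_ips
```

The count is worth keeping: a host that has probed you dozens of times is a better candidate for a whois lookup and an abuse notification than one seen once, and it is the list of distinct addresses, not the raw log lines, that the whois step needs.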


Automated handling of Code Red HTTP requests

Post by Jeffrey Goldber » Sun, 09 Sep 2001 07:03:48

> I wrote two bash scripts to handle HTTP requests from CodeRed-infected
> machines. [...] the second one does whois-lookups at whois.RIPE.net
> for the IPs of those machines and notifies the tech-c email address
> automatically. [...] the second script will only work on european
> servers in its current form

Try using bwwhois, http://whois.bw.org/

It's a perl replacement for whois which is very clever about recursively
following pointers to whois servers.

-j

--
Jeffrey Goldberg
 I have recently moved, see http://www.goldmark.org/jeff/contact.html
 Relativism is the triumph of authority over truth, convention over justice
 From line IS valid, but use reply-to.