Koozali.org: home of the SME Server

Ip's of all those nasty code red infected machines

Alexie

Ip's of all those nasty code red infected machines
« on: August 07, 2001, 04:53:55 PM »
Found this small tip..

If you are interested in finding out the IP addresses of all the infected IIS machines that are trying to infect your machine with Code Red, then run this little cmd line from within the /var/log/http directory:
cat error_log | grep default.ida |cut -f 3 -d ] |cut -c 10-|sort >> ip.txt
 
This will produce a sorted list of IP addresses that are trying to infect you.

Hsing-Foo

Re: Ip's of all those nasty code red infected machines
« Reply #1 on: August 07, 2001, 11:30:38 PM »
Maybe the location of the error_log is at:

/var/log/htttpd/error_log

Bye.

Alexie

Re: Ip's of all those nasty code red infected machines
« Reply #2 on: August 08, 2001, 12:01:11 AM »
Ahh, no...:-))

/var/log/httpd/error_log is better..!!

This system has been attacked this month by the Code Red worm a total of : 193 times.

Out of the above number a total of 142 were from unique IPs.

If this was an unpatched IIS server the above numbers show how many times this system would have been affected.
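
Added example (not part of the original posts): a script that produces both the IP list from the first post and the total/unique counts quoted in Reply #2. It assumes error_log lines carry a `[client <ip>]` field, as the original `cut` pipeline implies. The function names and the sample log lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise Code Red probes (requests for default.ida)
# recorded in an Apache error_log.
# Assumption: each log line has a "[client <ip>]" field.

# Print one client IP per line that mentions default.ida. Matching the
# "[client ...]" field itself avoids relying on fixed character offsets.
codered_ips() {
    grep -F 'default.ida' "$1" |
        sed -n 's/.*\[client \([0-9][0-9.]*\)].*/\1/p'
}

# Print "<total attempts> <unique source IPs>" for the given log file.
codered_summary() {
    total=$(codered_ips "$1" | wc -l | tr -d ' ')
    unique=$(codered_ips "$1" | sort -u | wc -l | tr -d ' ')
    echo "$total $unique"
}

# Write a constructed sample log: four probes from three addresses,
# plus one unrelated 404 that must not be counted.
make_sample_log() {
    cat > "$1" <<'EOF'
[Tue Aug  7 16:41:02 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/default.ida
[Tue Aug  7 16:43:17 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/default.ida
[Tue Aug  7 16:50:44 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/default.ida
[Tue Aug  7 17:02:09 2001] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
[Tue Aug  7 17:05:31 2001] [error] [client 203.0.113.77] File does not exist: /var/www/html/default.ida
EOF
}

# Use the log given as the first argument, or the constructed sample.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp) && make_sample_log "$log"
fi

# Attempts per source address, busiest first, then the two totals.
codered_ips "$log" | sort | uniq -c | sort -rn
codered_summary "$log"
```

Run it with the path to the real log as the first argument. If it prints `0 0`, check that the path is correct and that the log lines actually contain `default.ida` and a `[client ...]` field.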

David

Re: Ip's of all those nasty code red infected machines
« Reply #3 on: August 11, 2001, 03:23:47 AM »
Just checking my error.log and it just amazed me as to how many people have logged onto my system attempting to see if I have IIS! Checking my Webalizer logs as well. I've been on average getting 477 hits a day!!!

Kevin Manderson

Re: Ip's of all those nasty code red infected machines
« Reply #4 on: August 14, 2001, 05:30:07 AM »
On my main server which is a full C class (not e-smith based) I have been watching Code Red attempts. Start of last week it had about 6000 attempts, by last Thursday it was over 202,000.......

regards
k

Daniel

Re: Ip's of all those nasty code red infected machines
« Reply #5 on: August 25, 2001, 02:36:44 PM »
For some reason I am not getting an output with this command.  I am running RH 7.1, does that matter?

Does it have to be an e-smith box?

Thanks...