Online DB of IPs for Nimda worm infected machines

I put a page to search for infected IPs. This is the first version.
Currently I put IPs into it which probed me before about 2pm PDT.
I got email from 2 people who sent me their IPs, which I am going
to add when they ok it.

You can right now search by SQL for IPs like: 64.81.%
This will display all IPs which probed me starting
with 64.81.

What I am adding in the next few minutes is a way for people
to submit single IPs or a bulk list themselves.

Please list probe time also. Dynamic IPs can only be traced to the actual infected user with a time stamp.

Rubens Kuhl Jr.

Yes! ...and accurate (ntpsynch'd) times, too, please. I just got a nimda
warning from secmbox3+nimda@UU.NET for a dynamic IP with a GMT/UTC
timestamp that doesn't correspond to any connections, but is close enough
to one that I *think* I know which user it is.

I'm also concerned about auto-blackholing/blocking dynamic IPs...

Script now includes a way to add IPs. If you do not want to list
your email address, send me the list and I will add it with an
anon tag but keep a record of who sent it to me.

Please list probe time also. Dynamic IPs can only be traced to the actual
infected user with a time stamp.

Valid point. Hmmm, let me rearchitect this a bit to be able to track

That is a handy feature; however, you should also see your local users
scanning your own IP block as well. So a simple check of your web server log
directly will isolate the infected user, complete with time stamps. The
following utility will do it for you; if you want to check for just your
local IP blocks you would use:

use strict;
use warnings;

# Path to your web server access log
open(my $htfile, '<', '/path/to/your/logs/access_log') or die "open: $!";
while (my $line = <$htfile>) {
    chomp $line;
    # Nimda probes request /winnt/system32/ (cmd.exe); the second pattern limits
    # output to your own IP block: replace the placeholder prefix (e.g. ^10\.0\.)
    if ($line =~ m{/winnt/system32/}i && $line =~ /^LOCAL_IP_PREFIX_PLACEHOLDER/) {
        print "$line\n";
    }
}
close($htfile);

Version 3 online now.

You can enter into the text area an IP per line or if you want to
submit the logdate from your webserver logs, then you can enter
IP,date. Example:

or,18/Sep/2001:17:50:41 -0700

I also removed my entries and re-added the ones by grabbing for

  grep -i /msadc/

This will add hosts several times, but as someone pointed out,
a dynamic IP can change and it could be a different host each

I am going to add in a moment my log entries from my @Home
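As an added example (not code from the thread), here is a Python script that pulls Nimda probe hits out of an Apache-format access log, keeps one record per (IP, timestamp) pair and emits them in the IP,date format the submission text area accepts. The log lines are constructed, and the optional UTC conversion is included because, as noted above, a dynamic IP only identifies a user when the ISP can match an accurate timestamp.

```python
import re
from datetime import datetime, timezone

# Nimda probe paths named in the thread: the cmd.exe directory and the
# MSADC hit. Case-insensitive because IIS paths are.
NIMDA_PATHS = re.compile(r"/winnt/system32/|/msadc/", re.IGNORECASE)

# Apache common/combined log prefix: client IP ... [dd/Mon/yyyy:HH:MM:SS +zzzz] "request"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def extract_probes(lines, to_utc=False):
    """Return sorted, de-duplicated (ip, timestamp) pairs for Nimda probe requests.

    Timestamps keep the Apache format the DB accepts; with to_utc=True they are
    converted to UTC so an ISP can match a dynamic IP against its own records."""
    seen = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, stamp, request = m.groups()
        if not NIMDA_PATHS.search(request):
            continue  # ordinary traffic, not a probe
        if to_utc:
            dt = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            stamp = dt.astimezone(timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
        seen.add((ip, stamp))  # same host hitting twice in one second collapses
    return sorted(seen)


def to_submission(pairs):
    """Format pairs as the 'IP,date' lines the submission form expects."""
    return "\n".join(f"{ip},{stamp}" for ip, stamp in pairs)


# Constructed sample log lines (not real traffic): two probes from one host in
# the same second, one from another host, and one ordinary request.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:17:50:41 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.10 - - [18/Sep/2001:17:50:41 -0700] "GET /msadc/root.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [18/Sep/2001:18:02:03 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210',
    '203.0.113.5 - - [18/Sep/2001:18:05:00 -0700] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    print(to_submission(extract_probes(SAMPLE_LOG, to_utc=True)))
```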

How frustrating this has all been. Concentric/XO, in their infinite wisdom,
has chosen to block port 80 requests. This means that anyone who is a
customer cannot get to your site. I suppose I should be grateful I can send
and receive email, but somehow I don't appreciate paying for access, when I
can't even check information via a search engine.

I would have liked to add IP addresses to your list, but instead am limited
to this offering. I have created a (large) file of the IP addresses that
have been hitting my small network on port 80. Most of these addresses will
be from 206.111.x.x, since that is where my network lies. Some are not.

If there is anyone out there from XO, I'd like to understand where I should
have sent this information, since sending it to (last
Sun, 02 Sep 2001), didn't seem to make much difference (although I did get
a nice canned message). I especially hate the machine on the other end of, since it is close to 25% of my network traffic.

The file is currently at and contains a
lot of duplicates. I've given them a fake ending IP, and associated the
host name, for my own purposes later (I find it interesting that the little
laptop running obsd and portsentry gets hit harder than any of the other
machines, for example). If your machine is in that list, take it off the
net, and wipe the disk. Enough.

If you are concentric/XO, explain to me why you blocked port 80 (and are
still blocking, even though you claim not to be), instead of responding to
valid complaints of code red infected machines from myself and others. It's
going to be a long day (week, month, year, whatever).