Hello All,
Here is a simple way to detect which hosts on your network have been
infected with the CODE RED worm.
1. Use the Server->Forwarding option to forward samples to localhost
port 8888.
2. Run the following script:
sflowtool -p 8888 | awk --source '
/srcIP/ { sourceAddress = $2; }            # remember the source IP of the current sample
/4E-4E-4E-4E-4E/ { print sourceAddress; }' # "NNNNN" as hex bytes: the Code Red scan URL
This will print out the IP addresses of infected hosts, by detecting a
signature in the URL that they are using to scan for new "victims".
Notes:
======
1. This will only work if your monitoring is sFlow or HP-Extended-RMON
based. Cisco-NetFlow monitoring does not include the appropriate
information.
2. For notes on configuring the forwarding, click on the on-line help
links in that page. For example, to forward everything in your entire
site to the script, just set it to:
agent: 0.0.0.0/0 address: localhost port: 8888
3. The sflowtool utility is available at
<http://www.inmon.com/sflowTools.htm>
--
Neil McKee
mailto:Neil_McKee@InMon.com
InMon Corp.
http://www.InMon.com
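The same detection, written out as an added example that is not part of the original post and not InMon's code. It assumes sflowtool's text output looks like the constructed lines below (a sample delimited by "startSample"/"endSample", a "srcIP <addr>" line for the sampled packet's source, and a "headerBytes" line carrying the sampled header as dash-separated hex); the field names and sample data are assumptions, not taken from a real capture. Compared with the one-liner above it also resets the remembered source address at each sample boundary (so a signature hit in a sample without a srcIP line cannot be charged to the previous host), reports each host once with a hit count, and keeps the signature in a variable so that other hex patterns can be swapped in.

```shell
#!/bin/sh
# Added example: detect Code Red scanners in sflowtool text output.
# Assumed sflowtool format (not verified against the 2001 tool):
#   startSample / endSample  delimit one flow sample
#   srcIP <addr>             source address of the sampled packet
#   headerBytes AA-BB-CC-... sampled packet header as dash-separated hex

# "NNNNN" from the Code Red scan URL (GET /default.ida?NNNN...) as hex bytes.
CODE_RED_SIG='4E-4E-4E-4E-4E'

# Reads sflowtool output on stdin, prints "<ip> <hits>" for every host whose
# sampled packets carried the signature, one line per host, sorted by address.
detect_code_red() {
  awk -v sig="$CODE_RED_SIG" '
    /^startSample/ { src = ""; matched = 0 }   # new sample: drop stale state
    /^srcIP/       { src = $2 }                # source of the sampled packet
    index($0, sig) && src != "" && !matched {  # signature seen in this sample
        hits[src]++; matched = 1               # count each sample once
    }
    END { for (ip in hits) print ip, hits[ip] }
  ' | sort
}

# Constructed sample data in the assumed sflowtool format (not a real capture).
# Sample 1 and 3: host 10.1.2.3 sending "GET /default.ida?NNNNNN".
# Sample 2: an ordinary "GET /index.html" from 10.1.2.9.
# Sample 4: a sample with the signature but no srcIP line (e.g. a non-IP
#           frame); without the reset it would be blamed on 10.1.2.9.
SAMPLE='startSample
srcIP 10.1.2.3
dstIP 192.0.2.80
headerBytes 47-45-54-20-2F-64-65-66-61-75-6C-74-2E-69-64-61-3F-4E-4E-4E-4E-4E-4E
endSample
startSample
srcIP 10.1.2.9
dstIP 192.0.2.81
headerBytes 47-45-54-20-2F-69-6E-64-65-78-2E-68-74-6D-6C
endSample
startSample
srcIP 10.1.2.3
dstIP 192.0.2.82
headerBytes 47-45-54-20-2F-64-65-66-61-75-6C-74-2E-69-64-61-3F-4E-4E-4E-4E-4E-4E
endSample
startSample
headerBytes 4E-4E-4E-4E-4E-4E-4E-4E
endSample'

# Usage: sflowtool -p 8888 | detect_code_red
printf '%s\n' "$SAMPLE" | detect_code_red
```

With the constructed input this prints "10.1.2.3 2" and nothing for 10.1.2.9. The signature is only the five-byte "NNNNN" filler the post describes; any other dash-separated hex string can be put in CODE_RED_SIG if a variant with different filler appears.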
This archive was generated by hypermail 2b29 : 08/02/01 EDT