Re: code red

From: Peter Phaal (Peter_Phaal@inmon.com)
Date: 08/06/01


    Here is an improved script for detecting the Code Red worm and the newer
    variant. Instead of just matching for a sequence of N's, the new patterns are
    "/default.ida?NNNN" for the old version and "/default.ida?XXXX" for the new
    version.

    sflowtool -p 8888 | awk --source '
    # remember the source address reported for the sampled packet
    /srcIP/ { sourceAddress = $2; }
    # hex of "default.ida?NNNN" as it appears in the headerBytes line (old version)
    /64-65-66-61-75-6C-74-2E-69-64-61-3F-4E-4E-4E-4E/ { print sourceAddress " old"; }
    # hex of "default.ida?XXXX" in the headerBytes line (new version)
    /64-65-66-61-75-6C-74-2E-69-64-61-3F-58-58-58-58/ { print sourceAddress " new"; }'

    ----------------------
    Peter Phaal
    InMon Corp.

    Peter_Phaal@inmon.com
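As an added illustration (my own code, not Peter's script and not part of sflowtool), here is the same detection in Python run over constructed sflowtool-style output. It decodes the hyphen-separated hex back to bytes and matches the decoded request line, so a run of N's or X's of any length of four or more is caught, and it gathers srcIP and headerBytes per startSample/endSample block so the result does not depend on which of those two lines sflowtool prints first. The sample lines are constructed, not a real capture; the startSample/endSample delimiters and the srcIP/headerBytes field names are assumptions about sflowtool's text output.

```python
import re
from collections import Counter

# Constructed sflowtool-style output (not a real capture). Each sampled packet is
# bracketed by startSample/endSample and carries a headerBytes line of
# hyphen-separated hex plus a srcIP line; the order of those two lines is varied
# on purpose so the scanner is shown not to depend on it.
SAMPLE_OUTPUT = """\
startSample ----------------------
headerBytes 47-45-54-20-2F-64-65-66-61-75-6C-74-2E-69-64-61-3F-4E-4E-4E-4E-4E-4E
srcIP 10.1.2.3
endSample   ----------------------
startSample ----------------------
srcIP 10.9.8.7
headerBytes 47-45-54-20-2F-64-65-66-61-75-6C-74-2E-69-64-61-3F-58-58-58-58-58-58
endSample   ----------------------
startSample ----------------------
headerBytes 47-45-54-20-2F-69-6E-64-65-78-2E-68-74-6D-6C-20-48-54-54-50
srcIP 192.0.2.5
endSample   ----------------------
startSample ----------------------
headerBytes 47-45-54-20-2F-64-65-66-61-75-6C-74-2E-69-64-61-3F-4E-4E-4E-4E-4E-4E
srcIP 10.1.2.3
endSample   ----------------------
"""

# Signature from the post: "/default.ida?" followed by a run of N (old) or X (new).
# Requiring at least four repeats mirrors the NNNN / XXXX patterns of the awk script.
SIGNATURE = re.compile(rb"/default\.ida\?(N{4,}|X{4,})")


def decode_header(hex_field):
    """Turn the 'AA-BB-CC' headerBytes encoding back into raw bytes."""
    return bytes(int(octet, 16) for octet in hex_field.split("-"))


def classify(header):
    """Return 'old' for the N-run form, 'new' for the X-run form, None otherwise."""
    m = SIGNATURE.search(header)
    if m is None:
        return None
    return "old" if m.group(1)[:1] == b"N" else "new"


def scan(lines):
    """Yield (srcIP, variant) for every sample whose header carries the signature."""
    sample = {}
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        key = fields[0]
        if key == "startSample":
            sample = {}
        elif key in ("srcIP", "headerBytes") and len(fields) > 1:
            sample[key] = fields[1]
        elif key == "endSample":
            # Only evaluate once both fields of this sample are in hand,
            # whichever order sflowtool printed them in.
            if "srcIP" in sample and "headerBytes" in sample:
                variant = classify(decode_header(sample["headerBytes"]))
                if variant is not None:
                    yield sample["srcIP"], variant
            sample = {}


def tally(text):
    """Count hits per (srcIP, variant) so a repeatedly scanning host stands out."""
    return Counter(scan(text.splitlines()))


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with sys.stdin.read() to feed it from sflowtool.
    for (src, variant), count in sorted(tally(SAMPLE_OUTPUT).items()):
        print(f"{src} {variant} x{count}")
```

Matching on the decoded bytes rather than on the hex text also means the check keeps working if a later variant pads the query with a different run length, which a fixed 16-byte hex regex would miss.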



    This archive was generated by hypermail 2b29 : 08/06/01 EDT