Ken,
That probably means that it hasn't made it through the HP firewall and so
there are no internal infected machines.
Peter
> -----Original Message-----
> From: owner-traffic-management@inmon.com
> [mailto:owner-traffic-management@inmon.com]On Behalf Of BURDEN,KEN
> (HP-Vancouver,ex1)
> Sent: Monday, August 06, 2001 12:31 PM
> To: 'traffic-management@inmon.com'
> Subject: RE: code red
>
>
> Peter,
>
> Has anyone inside HP seen this script find any systems? I have not seen any
> output from this script.
>
> Regards,
>
> Ken
>
> -----Original Message-----
> From: Peter Phaal [mailto:Peter_Phaal@inmon.com]
> Sent: Monday, August 06, 2001 9:54 AM
> To: traffic-management@inmon.com
> Subject: Re: code red
>
>
> Here is an improved script for detecting the Code Red worm and the newer
> variant. Instead of just matching for a sequence of N's the new patterns are
> "/default.ida?NNNN" for the old version and "/default.ida?XXXX" for the new
> version.
>
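> sflowtool -p 8888 | awk --source '
> # remember the most recent source address seen in the output
> /srcIP/ { sourceAddress = $2; }
> # hex bytes of "default.ida?NNNN" (old version)
> /64-65-66-61-75-6C-74-2E-69-64-61-3F-4E-4E-4E-4E/ { print sourceAddress " old"; }
> # hex bytes of "default.ida?XXXX" (new version)
> /64-65-66-61-75-6C-74-2E-69-64-61-3F-58-58-58-58/ { print sourceAddress " new"; }'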
>
>
> ----------------------
> Peter Phaal
> InMon Corp.
>
> Peter_Phaal@inmon.com
>
>
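Added example, not part of the original messages: a variant of the matcher quoted above that builds the hex patterns from the ASCII strings, ignores hex letter case, and reports each source address only once per variant. The function names (`to_hex`, `detect_code_red`, `sample_input`), the `headerBytes` line label and the sample records are constructed for illustration; like the quoted script, it assumes the `srcIP` line precedes the line carrying the hyphen-separated header bytes.

```shell
#!/bin/sh
# Added example: classify Code Red requests in sflowtool-style text output.

# to_hex STRING: print STRING as hyphen-separated upper-case hex bytes,
# the notation the quoted script matches against.
to_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -s ' \n' '--' |
        sed 's/^-//; s/-$//' | tr 'a-f' 'A-F'
}

# detect_code_red: read sflowtool-style text on stdin and print
# "<source address> old|new" once per (address, variant) pair.
detect_code_red() {
    cr_old=$(to_hex 'default.ida?NNNN')   # pattern for the old version
    cr_new=$(to_hex 'default.ida?XXXX')   # pattern for the new version
    awk -v old="$cr_old" -v new="$cr_new" '
        $1 == "srcIP" { src = $2; next }  # remember the latest source address
        {
            line = toupper($0)            # tolerate lower-case hex digits
            if (index(line, old))      variant = "old"
            else if (index(line, new)) variant = "new"
            else next
            if (!seen[src, variant]++) print src, variant
        }'
}

# Constructed sample records (documentation addresses, assumed line labels).
sample_input() {
    cat <<'EOF'
srcIP 192.0.2.10
headerBytes 47-45-54-20-2F-64-65-66-61-75-6C-74-2E-69-64-61-3F-4E-4E-4E-4E-4E
srcIP 192.0.2.11
headerBytes 47-45-54-20-2F-69-6E-64-65-78-2E-68-74-6D-6C
srcIP 192.0.2.12
headerBytes 47-45-54-20-2f-64-65-66-61-75-6c-74-2e-69-64-61-3f-58-58-58-58-58
srcIP 192.0.2.10
headerBytes 47-45-54-20-2F-64-65-66-61-75-6C-74-2E-69-64-61-3F-4E-4E-4E-4E-4E
EOF
}

# Live use would be: sflowtool -p 8888 | detect_code_red
sample_input | detect_code_red
```
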
This archive was generated by hypermail 2b29 : 08/06/01 EDT