New Virus, and how to count the number of times it attacked.
Kiwichan 09-19-2001, 02:08 AM Hi, I was wondering how to count up the number of times this new virus has hit my website...
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
This is the old code:
<?php
echo("Code red has tried to attack <font color='red'><b>");
echo `cat /usr/local/apache/logs/access_log | grep -c default.ida`;
echo("</b></font> times.");
$date = date("m-d-y H:i");
echo("  Accurate at $date");
?>
I was wondering how to modify it to count those three (and probably more, since there are a lot of variants) and display it on the website... any help is appreciated! ^_^
Kiwi
freakysid 09-19-2001, 04:12 AM Here you go:
<?php
echo("Code red has tried to attack <font color='red'><b>");
echo `cat /usr/local/apache/logs/access_log | grep -c default.ida`;
echo("</b></font> times.");
$date = date("m-d-y H:i");
echo(" Accurate at $date");
echo("<p>What's its name has tried to attack <font color='red'><b>");
echo `cat /usr/local/apache/logs/access_log | grep -c cmd.exe`;
echo("</b></font> times.");
$date = date("m-d-y H:i");
echo(" Accurate at $date");
?>
I don't know what this exploit/worm/whatever is called so substitute "What's its name" for whatever its called :stickout:
Here are my results:
Code red has tried to attack 394 times. Accurate at 09-19-01 04:02
What's its name has tried to attack 4031 times. Accurate at 09-19-01 04:02
How are people being affected by it - it is quite a ferocious little bugger.
eva2000 09-19-2001, 06:02 AM very nasty strain
Code red has tried to attack 7830 times. as at 09-19-01 18:00
Code Red II has tried to attack 16822 times. as at 09-19-01 18:00
Domenico 09-19-2001, 09:53 AM I hate it :-(
Code red has tried to attack 29028 times. Accurate at 09-19-01 09:48
W32.Nimda.A has tried to attack 39780 times. Accurate at 09-19-01 09:48
btw. It also checks for root.exe
203.231.115.211 - - [19/Sep/2001:10:42:42 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
203.231.115.211 - - [19/Sep/2001:10:42:43 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
203.231.115.211 - - [19/Sep/2001:10:42:43 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.231.115.211 - - [19/Sep/2001:10:42:44 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.231.115.211 - - [19/Sep/2001:10:42:45 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.231.115.211 - - [19/Sep/2001:10:42:45 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.231.115.211 - - [19/Sep/2001:10:42:46 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.231.115.211 - - [19/Sep/2001:10:42:47 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.231.115.211 - - [19/Sep/2001:10:42:47 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.231.115.211 - - [19/Sep/2001:10:42:48 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.231.115.211 - - [19/Sep/2001:10:42:49 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.231.115.211 - - [19/Sep/2001:10:42:50 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.231.115.211 - - [19/Sep/2001:10:42:50 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
203.231.115.211 - - [19/Sep/2001:10:42:51 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
203.231.115.211 - - [19/Sep/2001:10:42:52 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.231.115.211 - - [19/Sep/2001:10:42:52 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
As you can see it looks for 16 different vulnerabilities...
freakysid 09-19-2001, 10:35 AM ok - how do you use grep to match this OR that, or would this be sufficient?
cat /usr/local/apache/logs/access_log | grep -c exe
The 'cat' part is an unnecessary step, as grep will read files itself.
For an or match, try:
grep -cE "this|that" /path/to/access.log
Replacing "this" and "that" with the terms you wish to match.
Best advice I can give beyond this:
man grep
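The grep advice above, worked into a script you can run against a test log. This is an added example, not code from anyone in this thread: it builds a small constructed access log (documentation IP ranges, made-up timestamps), counts lines per worm signature with grep -cE and no cat, shows why a bare "exe" pattern over-counts, and then tallies distinct probing hosts, which says more about how many machines are hitting you than a raw line count does, since each Nimda pass is a burst of many requests like the one posted earlier.

```shell
#!/bin/sh
# Added example, not code from this thread: count worm probe lines in an
# Apache access log the way the grep advice above suggests, then go one step
# further and tally probes per source host.
set -eu

# Constructed sample log (documentation IP ranges, made-up timestamps) so the
# script runs offline. Point LOG at a real access_log to use it for real.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
192.0.2.10 - - [19/Sep/2001:10:42:42 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [19/Sep/2001:10:42:43 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [19/Sep/2001:10:42:43 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [19/Sep/2001:10:42:45 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [19/Sep/2001:10:42:49 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [19/Sep/2001:11:03:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 -
198.51.100.7 - - [19/Sep/2001:11:03:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 -
203.0.113.5 - - [19/Sep/2001:11:10:10 -0400] "GET /downloads/setup.exe HTTP/1.0" 200 1048576
203.0.113.5 - - [19/Sep/2001:11:10:11 -0400] "GET /index.html HTTP/1.0" 200 2312
EOF

# One extended regex covering all three signatures discussed in the thread.
# Dots are escaped so "default.ida" does not also match "defaultXida".
PROBE_RE='default\.ida|cmd\.exe|root\.exe'

# Lines matching one pattern: what the PHP scripts do with `grep -c`, minus
# the needless cat. grep exits 1 when the count is 0, so `|| true` keeps a
# zero count from aborting a script run under set -e.
count_pattern() {   # $1 = extended regex, $2 = log file
    grep -cE "$1" "$2" || true
}

# Lines matching any of the three signatures (the "this OR that" match).
count_probe_lines() {   # $1 = log file
    count_pattern "$PROBE_RE" "$1"
}

# Distinct hosts that sent at least one probe. Each Nimda pass is a burst
# of many requests, so this is much closer to "number of attackers" than
# the raw line count is.
count_probe_sources() {   # $1 = log file
    grep -E "$PROBE_RE" "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Busiest probing hosts, "count ip" per line, most active first. Useful
# input when deciding which sources are worth filtering at the router.
top_probe_sources() {   # $1 = log file, $2 = number of rows
    grep -E "$PROBE_RE" "$1" | awk '{print $1}' | sort | uniq -c | sort -rn | head -n "$2"
}

echo "Code Red (default.ida) lines: $(count_pattern 'default\.ida' "$LOG")"
echo "Nimda (cmd.exe) lines:        $(count_pattern 'cmd\.exe' "$LOG")"
echo "Nimda (root.exe) lines:       $(count_pattern 'root\.exe' "$LOG")"
echo "Any probe, lines:             $(count_probe_lines "$LOG")"
echo "Any probe, distinct sources:  $(count_probe_sources "$LOG")"
# A bare 'exe' pattern also counts the legitimate setup.exe download above,
# which is why a plain `grep -c exe` over-counts.
echo "Bare 'exe' lines:             $(count_pattern 'exe' "$LOG")"
echo "Top probing hosts:"
top_probe_sources "$LOG" 3
```

To use it on a live server, replace the heredoc and mktemp with `LOG=/usr/local/apache/logs/access_log` (or wherever your log lives); the functions read the file directly, so nothing else changes.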
allera 09-19-2001, 01:48 PM From one box:
#more httpd-error.log |grep -c exe
33432
From another:
# more error_log |grep -c exe
143138
The first one only takes into account 1 of the 33 IPs on the box. The second takes into account all 33 IPs of the second box. These are also only cmd.exe and root.exe hits, no default.ida's are being counted. :)
Kiwichan 09-19-2001, 03:59 PM Thanks for helping me! ^_^ Every few seconds, the counter goes up about 10 or 20... O_O
Code Red has tried to attack 454 times. Accurate at 09-19-01 15:48
New Virus cmd.exe has tried to attack 288014 times. Accurate at 09-19-01 15:48
New Virus cmd.exe (With all variants) has tried to attack 367308 times. Accurate at 09-19-01 15:48
The new virus is a lot worse... O_O
I would like to use a cgi-bin program to dynamically print the number of attacks on a web page. I am unfamiliar with PHP. How would I convert it to a .cgi or .pl file?
Since code red has gotten boring, I stopped grepping my logs (why do I still laugh every time I say that out loud?). I checked today, and am amazed that there are STILL that many unpatched MS machines out there...
I've noticed that each time it hits, it sends about 9 or 10 requests. Apparently this thing has a list of known IIS problems and just tries them all... but that makes for 10x the number of requests over Code Red.
Oddly enough I'm still receiving 600 or so Code Red requests, and 5000 to 6000 now from the new one... I've updated the error page they get to a blank HTML page just to keep the impact as low as possible (it's getting 403 and 404 errors)...
Precise 09-21-2001, 09:30 PM How do you stop it from hitting the server?
davidb 09-21-2001, 09:54 PM Someone I know made a script for it.
www.75megs.com/count.txt
just change to .cgi and chmod it. Also change the location of the logs in the source
www.75megs.com/cgi-bin/count.cgi give it a min to load
84,000 attacks and counting
elsif ($_ =~ /.*default.ida.*/) {
change that line, edit the
.*default.ida.*
to a part shown in another attack and it works the same way.
Precise 09-21-2001, 10:05 PM Does anyone know how to block these hits?
Dexter 09-22-2001, 04:21 PM yea sure... get all the windows servers patched :D
actually there's not much you can do. of course if a certain block of IPs keeps hitting you repeatedly you could always blacklist them at the local router level but for the most part I'm not aware of anything you can do...
eva2000 09-22-2001, 04:34 PM try this code for all 3 viruses
<?php
echo("<font face=\"Verdana,Arial,Helvetica,sans-serif\" size=\"1\">");
echo("Code red has tried to attack <font color='red'><b>");
echo `cat /usr/local/apache/logs/access_log | grep -c default.ida`;
echo("</b></font> times.");
$date = date("m-d-y H:i");
echo("<br>Nimda has tried to attack (cmd.exe) <font color='red'><b>");
echo `cat /usr/local/apache/logs/access_log | grep -c cmd.exe`;
echo("</b></font> times.");
echo("<br>Nimda has tried to attack (root.exe) <font color='red'><b>");
echo `cat /usr/local/apache/logs/access_log | grep -c root.exe`;
echo("</b></font> times.");
echo("<br>As at $date</p></font>");
?>
Fremont Servers 10-04-2001, 03:49 AM Originally posted by eva2000
try this code for all 3 viruses
<?php
echo("<font face=\"Verdana,Arial,Helvetica,sans-serif\" size=\"1\">");
echo("Code red has tried to attack <font color='red'><b>");
echo `cat /usr/local/apache/logs/access_log | grep -c default.ida`;
echo("</b></font> times.");
$date = date("m-d-y H:i");
echo("<br>Nimda has tried to attack (cmd.exe) <font color='red'><b>");
echo `cat /usr/local/apache/logs/access_log | grep -c cmd.exe`;
echo("</b></font> times.");
echo("<br>Nimda has tried to attack (root.exe) <font color='red'><b>");
echo `cat /usr/local/apache/logs/access_log | grep -c root.exe`;
echo("</b></font> times.");
echo("<br>As at $date</p></font>");
?>
I ran the above command, and I got this.
<I just replaced the account name with domain.com>
Code red has tried to attack cat /usr/local/plesk/apache/vhosts/domain.com/logs/access_log | grep -c default.ida times.
Nimda has tried to attack (cmd.exe) cat /usr/local/plesk/apache/vhosts/domain.com/logs/access_log | grep -c cmd.exe times.
Nimda has tried to attack (root.exe) cat /usr/local/plesk/apache/vhosts/domain.com/logs/access_log | grep -c root.exe times.
As at 10-04-01 00:29
Am I being attacked by Nimda & Red Code?
I'm on RH 7.1.
phpjames 10-04-2001, 05:47 AM Asia,
This is not a command you run. This is a script you save as virus.php or whatever you want and stick it on your website.
You need to change the location of your logs and when called from a browser it will print your number of times attacked.
Again this is not a command but rather a script.
Actually it looks like you have mixed up backticks (`) with quotes or single quotes.
Backticks cause the command to be executed. This line:
echo `cat /usr/local/apache/logs/access_log | grep -c root.exe`;
causes everything inside the `backticks` to be executed, and echos the result to the browser.
It sounds like you used single quotes (') instead, causing it to echo the command itself.
Hope this helps.
Fremont Servers 10-04-2001, 01:49 PM Originally posted by phpjames
Asia,
This is not a command you run. This is a script you save as virus.php or whatever you want and stick it on your website.
You need to change the location of your logs and when called from a browser it will print your number of times attacked.
Again this is not a command but rather a script.
I didn't mean to say command.
I saved it as .php and uploaded it into the account.
I had to replace ' (single quote) with " (double quote) for it to work.
Like `cat /usr/local/apache/logs/access_log | grep -c default.ida`;
to "cat /usr/local/apache/logs/access_log | grep -c default.ida";