Web Hosting Talk







View Full Version : a php page to display nimda hits


Mike the newbie
09-21-2001, 05:34 PM
Attached is a php web page that displays the number of hits from various Nimda attacks and the number of unique IP addresses that have attacked your site. Feel free to use it as you wish. Just keep in mind that it greps your access log file 16 times, so you might not want to run it continuously. :)

On my RaQ, the log file is /var/log/httpd/access
It may be in a different spot on your system, as such you may have to alter the page's source code.

Change the file's extension from .txt to .php

Mike the newbie
09-21-2001, 05:35 PM
Sorry... the board wouldn't let me attach the file. Oh well...

The Prohacker
09-21-2001, 05:58 PM
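<p>Nimda has attacked this server <b><font color="#ff0000"> <?php
// grep -c prints the number of matching lines; exec() stores that output in $output,
// while $return only holds grep's exit status.
exec( "grep -c cmd.exe /etc/httpd/logs/access", $output, $return );
print $output[0];
?></font></b></p>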



Not sure why you'd want to grep it 16 times.....

The Prohacker
09-21-2001, 06:01 PM
I guess if you wanted absolutely everything, you could have another grep to get root.exe, but I don't have that in my logs at all....

scott99999
09-21-2001, 06:12 PM
I am not sure where on the site to find it, but phpbuilder had an article and a link to scripts for code red in order to process the default.ida and insert the ip into ipchains whilst logging. Could be handy if you can find it. Sorry, I forget the link location.

Mike the newbie
09-21-2001, 06:52 PM
Originally posted by The Prohacker
Not sure why you'd want to grep it 16 times.....

The page gives more info than the single datapoint that you had in the code excerpt you posted.

Let me try attaching once again, this time as a zip file...

texasweb
09-21-2001, 07:58 PM
This one includes the root.exe and displays number of different IPs.

--------------------------------------------------------------------------------
<?php

echo("<p><font color='red'><b>Nimda</b></font> has tried to attack <font
color='red'><b>");
echo `grep -cE "cmd.exe|root.exe" /var/log/httpd/access`;
echo("</b></font> times from <font color='red'><b>");
echo `grep -E "cmd.exe|root.exe" /var/log/httpd/access | cut -d " " -f2 | sort $
echo("</b></font>different IP addresses");
$date = date("m-d-y H:i");
echo(" Accurate at $date");
?>
--------------------------------------------------------------------------------

Fremont Servers
10-04-2001, 03:37 AM
Originally posted by texasweb
This one includes the root.exe and displays number of different IPs.

--------------------------------------------------------------------------------
<?php

echo("<p><font color='red'><b>Nimda</b></font> has tried to attack <font
color='red'><b>");
echo `grep -cE "cmd.exe|root.exe" /var/log/httpd/access`;
echo("</b></font> times from <font color='red'><b>");
echo `grep -E "cmd.exe|root.exe" /var/log/httpd/access | cut -d " " -f2 | sort $
echo("</b></font>different IP addresses");
$date = date("m-d-y H:i");
echo(" Accurate at $date");
?>
--------------------------------------------------------------------------------


texasweb,

I tried to use the script, but it produced an error on line 11.

Any idea?

texasweb
10-04-2001, 09:35 AM
part of the line got chopped off.
echo `grep -E "cmd.exe|root.exe" /var/log/httpd/access | cut -d " " -f2 | sort | uniq | wc -l`;


script should look like this:
<?php
// Code Red probes request default.ida; grep -c prints the number of matching lines.
echo("<p><font color='red'><b>Code Red</b></font> has tried to attack
<font color='red'><b>");
echo `grep -cE "default.ida" /var/log/httpd/access`;
echo("</b></font> times.");
$date = date("m-d-y H:i");
echo(" Accurate at $date");

// Nimda probes request cmd.exe or root.exe.
echo("<p><font color='red'><b>Nimda</b></font> has tried to attack <font
color='red'><b>");
echo `grep -cE "cmd.exe|root.exe" /var/log/httpd/access`;
echo("</b></font> times from <font color='red'><b>");
// cut takes field 2 as the client IP; sort | uniq | wc -l counts the distinct values.
echo `grep -E "cmd.exe|root.exe" /var/log/httpd/access | cut -d " " -f2 | sort | uniq | wc -l`;
echo("</b></font> different IP addresses");
$date = date("m-d-y H:i");
echo(" Accurate at $date");
?>

microsol
10-04-2001, 11:24 AM
I am not sure why you would put this additional load onto your server. Of course it's not high if you get 50 visits a day but what if you have a 1000 or even more?

texasweb
10-04-2001, 11:33 AM
Additional load? What to check this every once in a while to see what is happening. Get real.

Fremont Servers
10-04-2001, 01:54 PM
Originally posted by microsol
I am not sure why you would put this additional load onto your server. Of course it's not high if you get 50 visits a day but what if you have a 1000 or even more?

I am planning to use it once in a while.
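
The counts discussed in this thread can be taken in one pass over the log instead of one grep per figure. The following is an added example, not code from any poster in the thread; the function names, the constructed sample log and the default of field 1 for the client IP are assumptions, and it matches only the quoted request line, so a referer that mentions cmd.exe is not counted as a probe.

```shell
#!/bin/sh
# Added example (not from the thread): single-pass Code Red / Nimda probe counter.

# count_worm_hits LOGFILE [IPFIELD]
# IPFIELD is the space-separated field holding the client IP. The default of 1
# is an assumption (Apache common/combined format); the posts above cut field 2.
count_worm_hits() {
    awk -v ipf="${2:-1}" '
    {
        # Split on double quotes: q[1] is the prefix holding the client IP,
        # q[2] is the request line. Referer and user agent are never inspected.
        if (split($0, q, "\"") < 3) next        # malformed line, no request
        req = tolower(q[2])
        split(q[1], pre, " ")
        ip = pre[ipf]
        if (req ~ /default\.ida/) codered++
        if (req ~ /cmd\.exe|root\.exe/) {
            nimda++
            if (!(ip in seen)) { seen[ip] = 1; ips++ }
        }
    }
    END { printf "codered=%d nimda=%d nimda_ips=%d\n", codered, nimda, ips }
    ' "$1"
}

# Constructed sample log in combined format (documentation IP ranges only).
# The last line is a normal page view whose referer happens to contain cmd.exe.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [21/Sep/2001:17:01:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [21/Sep/2001:17:01:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [21/Sep/2001:17:05:40 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274 "-" "-"
203.0.113.5 - - [21/Sep/2001:17:09:11 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270 "-" "-"
203.0.113.9 - - [21/Sep/2001:17:10:00 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
203.0.113.9 - - [21/Sep/2001:17:10:30 -0500] "GET /faq.html HTTP/1.0" 200 2048 "http://example.com/search?q=cmd.exe" "Mozilla/4.0"
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
count_worm_hits "$sample"
rm -f "$sample"
```

On a log laid out like the one in the posts above, pass 2 as the second argument so the address is read from the second field.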