-
cmd.exe LOL
Was looking over our firewall logs today, and on a whim I decided to filter them for cmd.exe and get a rough idea how widespread Code Red / Nimda still are...
We are still seeing 500 plus hits a day with cmd.exe to our webservers from 15 to 20 unique IP addresses.
Only a few of those addresses show up on multiple days...
thought someone might find this interesting.
IchNiSan
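The filter IchNiSan describes (grep the logs for cmd.exe, count hits per day and unique source addresses, and see which addresses recur) as a small Python script. This is an added example, not code from the thread; it assumes Apache combined-format web server access logs rather than the poster's firewall logs, and every log line below is a constructed sample, not real traffic. It percent-decodes the request path once before matching so an encoded filename such as cmd%2Eexe is still counted, and it matches case-insensitively.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Not real traffic;
# they only mimic the shape of the cmd.exe probes the post is counting.
SAMPLE_LOG = """\
10.0.0.1 - - [12/Mar/2002:03:14:15 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
10.0.0.1 - - [12/Mar/2002:03:14:16 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
10.0.0.2 - - [12/Mar/2002:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.3 - - [12/Mar/2002:11:45:09 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
10.0.0.1 - - [13/Mar/2002:02:10:00 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 321
10.0.0.4 - - [13/Mar/2002:05:30:30 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 321
10.0.0.5 - - [13/Mar/2002:09:12:12 +0000] "GET /winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 321
10.0.0.6 - - [13/Mar/2002:09:12:13 +0000] "GET /scripts/cmd%2Eexe?/c+dir HTTP/1.0" 404 321
"""

# Source IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_line(line):
    """Return (ip, iso_date, decoded_path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    iso_date = f"{m['year']}-{MONTHS[m['mon']]:02d}-{m['day']}"
    # Decode percent-encoding once so that 'cmd%2Eexe' is compared as 'cmd.exe'.
    return m["ip"], iso_date, unquote(m["path"])


def is_cmd_probe(path):
    """The filter from the post: does the requested path mention cmd.exe?"""
    return "cmd.exe" in path.lower()


def summarize(log_text):
    """Per-day hit counts and unique source IPs, plus IPs seen on more than one day."""
    hits = defaultdict(int)
    ips_by_day = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, day, path = parsed
        if is_cmd_probe(path):
            hits[day] += 1
            ips_by_day[day].add(ip)
    # Count on how many distinct days each source address appeared.
    days_seen = defaultdict(int)
    for ips in ips_by_day.values():
        for ip in ips:
            days_seen[ip] += 1
    per_day = {day: {"hits": hits[day], "ips": sorted(ips_by_day[day])}
               for day in sorted(hits)}
    repeat_ips = sorted(ip for ip, n in days_seen.items() if n > 1)
    return {"per_day": per_day, "repeat_ips": repeat_ips}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for day, info in report["per_day"].items():
        print(f"{day}: {info['hits']} cmd.exe hits from {len(info['ips'])} unique IPs")
    print("seen on multiple days:", report["repeat_ips"])
```

On the constructed sample this reports 3 hits from 2 addresses on the first day, 3 hits from 3 addresses on the second, and one address that recurs. Matching only cmd.exe gives the "rough idea" the post is after; a worm probe that requests a different filename (the root.exe line above) is not counted, so the figure is a lower bound rather than a total of worm traffic.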
-
You should run a tarpit or honeynet. It actually reduces the bandwidth caused by worm infestations by up to 80%. It's actually really simple to set up and administer. You can also set up a web page and post your "guests" there. I like that part.
-
Well most days I see mstream master and tcp overlap besides all the rest. Actually some moron is running qmail .....
:o
-
KorpDeath is right...
I don't know if this was already posted once...
http://www.hackbusters.net/ is the homepage of Labrea (tarpit)
see their logs for yourself... http://www.hackbusters.net/cgi-bin/guests_pt1
and their viplist http://www.hackbusters.net/cgi-bin/guests_pt2
the program they offer runs on *nix and winnt...
-
Just to add to the_JinX's comments. It's the best tarpit program I've tested. I could only find two other products and they aren't worth mentioning.
It's great for the enterprise to run a tarpit because it also identifies mis-configured services when it tarpits the connection. We found some mis-configured Vital Agents the first hour we ran the 'crapper' (the name of the tarpit box).
So now we just tell people they are in the crapper if they get tarpitted.
-
I'll have to try that tarpit out.
I saw it a while back, and actually checked it out on their site, but I just didn't have a chance to do anything about it.
thanks,
Ich
-
IchNiSan, did you check any of the IPs out to see if they were web sites, or just the result of IIS being turned on by default on win2k computers?