Home page logo

nanog logo nanog mailing list archives

Re: Online DB of IPs for Nimda worm infected machines
From: "Bill Larson" <blarson () compu net>
Date: Tue, 18 Sep 2001 19:21:26 -0500

That is a handy feature however, you should also see your local users
scanning your own ip block as well. So a simple check of your web server log
directly will isolate the infected user complete with time stamps. The
following utility will do it for you if you want to check for just your
local ip blocks you would use:

open (HTFILE, "/path/to/your/logs/access_log");
until (eof (HTFILE))
$line  =<HTFILE>;
        chop ($line);
  if ($line =~ /.*\/winnt\/system32\/.*/) {
    if ($line =~ /.*yourdomain.com.*/) {
      print "$line\n";

Bill Larson
Network Administrator
Compu-Net Enterprises

----- Original Message -----
From: "Ulf Zimmermann" <ulf () Alameda net>
To: "Rubens Kuhl Jr." <rkuhljr () uol com br>
Cc: <ulf () Alameda net>; <nanog () nanog org>
Sent: Tuesday, September 18, 2001 7:06 PM
Subject: Re: Online DB of IPs for Nimda worm infected machines

On Tue, Sep 18, 2001 at 07:44:44PM -0300, Rubens Kuhl Jr. wrote:

Please list probe time also. Dynamic IPs can only be traced to the
infected user with a time stamp.

Valid point. Hmmm, let me rearchitect this a bit to be able to track

Rubens Kuhl Jr.


I put a page to search for infected IPs. This is the first version.
Currently I put IPs into it which probed me before about 2pm PDT.
I got email from 2 people who sent me their IPs, which I am going
to add when they ok it.

You can right now search by SQL for IPs like: 64.81.%
This will display all IPs which probed me starting
with 64.81.

Things I am adding in the next minutes is so that people
can submit them self single IPs or bulk list.

Regards, Ulf.

Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]