Network Question

Gerald Combs gerald at ethereal.com
Mon Aug 6 14:12:51 CDT 2001


Running tcpdump, ethereal or tethereal using the capture filter 'dst port
80' would verify that you were receiving CR attempts without having to
spin up Apache.

BTW, a good tool for tracking intrusion attempts in general is snort:
http://www.snort.org .

On Mon, 6 Aug 2001, root wrote:

> It's more than likely Code Red I or II. If you wanted to, you could start up
> Apache and see if you get hits that look like:
> 
> cx1140241-c.okcw1.ok.home.com - - [06/Aug/2001:07:45:58 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 276
> 
> Code Red is hurting @home pretty bad.
> 
> Andrew Brink.
> 
> On Mon, Aug 06, 2001 at 02:01:10AM -0500, Gene Dascher wrote:
> > I have Red Hat 6.2 on a Gateway 486 dx250 that I am using as my
> > Comcast@home internet gateway/firewall.  I have noticed over the last
> > few days that the data light on my modem is blinking very frequently
> > while none of the PCs on my network are surfing the web.  I have looked
> > for the obvious signs of a break in on the gateway, but cannot find any,
> > and do not see any odd processes running.  I want to know the nature of
> > the "data" that is hitting my machine.  What is the best tool for doing
> > this?  Would a packet sniffer (like Sniffit) be what I am looking for?
> > 
> > Thanks,
> > Gene

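The Apache hit Andrew quotes is the signature to look for once the traffic has been confirmed on port 80. As an added example (my code, not anything from the thread, Ethereal or Snort), the following Python script parses Apache common-format access log lines, picks out requests for /default.ida, and separates worm bodies from plain probes of the .ida filter. The log lines are constructed for the example; only the first reproduces the shape of the hit quoted above. The rule that the original Code Red pads its request with X and Code Red II with N is general knowledge about the two worms, not something stated in the thread.

```python
import re
from collections import Counter

# Apache common/combined log prefix: host, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)\s*(?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The %u-encoded payload tail exactly as it appears in the hit quoted in the thread.
CODE_RED_TAIL = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
# The first four %u words of that tail are enough to recognise the worm body.
CODE_RED_MARKER = "%u9090%u6858%ucbd3%u7801"

# Constructed sample log (not taken from the original message). Line 1 reproduces the
# shape of the hit quoted by Andrew; the remaining lines are made up for this example.
SAMPLE_LOG = "\n".join([
    'cx1140241-c.okcw1.ok.home.com - - [06/Aug/2001:07:45:58 -0500] '
    '"GET /default.ida?' + "X" * 224 + CODE_RED_TAIL + '  HTTP/1.0" 404 276',
    '203.0.113.9 - - [06/Aug/2001:09:12:03 -0500] '
    '"GET /default.ida?' + "N" * 224 + CODE_RED_TAIL + '  HTTP/1.0" 404 276',
    '198.51.100.4 - - [06/Aug/2001:09:30:41 -0500] "GET /index.html HTTP/1.0" 200 1534',
    '198.51.100.4 - - [06/Aug/2001:09:31:02 -0500] "GET /default.ida?foo HTTP/1.0" 404 276',
    'this line is not a log entry and is skipped',
])


def classify_request(path):
    """Label a request path: Code Red I/II worm body, a bare /default.ida probe, or None."""
    if not path.lower().startswith("/default.ida"):
        return None
    query = path.partition("?")[2]
    if CODE_RED_MARKER not in query.lower():
        # Asks for the vulnerable .ida ISAPI filter but carries no worm payload.
        return "default.ida-probe"
    # Assumption beyond the thread: the July Code Red pads with 'X', Code Red II with 'N'.
    if query.startswith("X" * 16):
        return "code-red-I"
    if query.startswith("N" * 16):
        return "code-red-II"
    return "code-red-variant"


def parse_line(line):
    """Return the log fields of one line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Return one record per line whose request is a Code Red hit or a .ida probe."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify_request(rec["path"])
        if label is None:
            continue
        hits.append({"host": rec["host"], "ts": rec["ts"], "label": label,
                     "status": int(rec["status"])})
    return hits


def summarize(hits):
    """Count hits per label and per source host (infected hosts hammer repeatedly)."""
    return Counter(h["label"] for h in hits), Counter(h["host"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]}  {h["host"]:<32} {h["label"]:<18} status={h["status"]}')
    by_label, by_host = summarize(found)
    print("by label:", dict(by_label))
    print("by host: ", dict(by_host))
```

Apache answers these requests with 404 because it has no .ida handler, so the hit does nothing to the gateway; its value is as evidence that the source host is an infected IIS box. That is also why Gerald's 'dst port 80' capture filter is enough on its own: the modem light is explained the moment the sniffer shows inbound GET /default.ida requests, whether or not a web server is listening.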



More information about the Kclug mailing list