[CLUE-Tech] 404's

Roger Frank rfrank at rfrank.net
Sat Nov 10 20:29:40 MST 2001


My web site is giving more 404s (not found) messages than
all other types combined.  Checking the log, these are all
virus attacks trying many varied paths to get to a cmd.exe
file.  (http://www.8x02.com/report.html for the curious).  In the
log, I see that these requests are coming from many different
computers, and their IP addresses are included.   I've only
been running the log for a few days but what's happening
seems clear.

It seems like there should be some way that I could let them
know that their systems are generating these attempts and
that they are infected.  It may be like rearranging deck chairs
on the Titanic since there are so many machines doing this.
But if my machine were the sender and not the receiver, I
would want to know.

What would you do?  Just erase the log so the disk doesn't 
fill up and move on since it's not a problem for me?  What are
the choices?

-- 
Roger Frank
Ponderosa High School, Parker, Colorado
rfrank at rfrank.net
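One way to pull the infected sources out of such a log, as an added example that is not part of Roger's post: parse an NCSA-format access log (Apache's common/combined format is assumed), match the request paths the 2001 IIS worms used (Code Red's default.ida, Nimda's cmd.exe traversal variants and its probes for the root.exe backdoor), and aggregate per source IP with first/last seen and the distinct paths tried, which is what an abuse report to the owner needs. The log lines below are constructed for the example, using documentation address ranges, not taken from any real server; the check for probes that were not answered 404 is the caveat a practitioner wants, since on an IIS host a 200 to one of these requests means the probe found its target.

```python
import re
from collections import defaultdict
from datetime import datetime

# NCSA common/combined log line: host ident authuser [date] "request" status bytes ...
# (assumed log format; Apache's default access_log matches it)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Request paths used by the IIS worms circulating in late 2001. Code Red hits the
# .ida ISAPI extension; Nimda walks many directory-traversal encodings to reach
# cmd.exe and also probes for the root.exe backdoor Code Red II left behind.
# A plain substring match catches every traversal variant because the file name
# itself is never encoded.
SIGNATURES = [
    ("CodeRed", re.compile(r"/default\.ida\?", re.I)),
    ("Nimda",   re.compile(r"(?:cmd|root)\.exe", re.I)),
]

# Constructed sample log (not from Roger's server; RFC 5737/1918 addresses)
SAMPLE_LOG = """\
10.0.0.7 - - [10/Nov/2001:19:02:11 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [10/Nov/2001:19:02:12 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [10/Nov/2001:19:02:12 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [10/Nov/2001:19:02:13 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.44 - - [10/Nov/2001:19:40:55 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 -
203.0.113.9 - - [10/Nov/2001:20:01:02 -0700] "GET /index.html HTTP/1.1" 200 1523
203.0.113.9 - - [10/Nov/2001:20:01:05 -0700] "GET /missing.html HTTP/1.1" 404 -
198.51.100.23 - - [10/Nov/2001:20:15:40 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
"""

def classify(path):
    """Return the worm family a request path belongs to, or None for normal traffic."""
    for label, rx in SIGNATURES:
        if rx.search(path):
            return label
    return None

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Aggregate worm probes per source IP.

    Returns {ip: {"count", "paths", "families", "first", "last", "not_404"}}.
    "not_404" lists probes the server did NOT answer with 404; on an IIS host
    that means the path existed and the server itself needs attention.
    """
    report = defaultdict(lambda: {"count": 0, "paths": set(), "families": set(),
                                  "first": None, "last": None, "not_404": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip rather than crash
        family = classify(rec["path"])
        if family is None:
            continue                      # ordinary request, or an ordinary 404
        ts = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        e = report[rec["ip"]]
        e["count"] += 1
        e["paths"].add(rec["path"])
        e["families"].add(family)
        e["first"] = ts if e["first"] is None or ts < e["first"] else e["first"]
        e["last"] = ts if e["last"] is None or ts > e["last"] else e["last"]
        if rec["status"] != "404":
            e["not_404"].append((rec["status"], rec["path"]))
    return dict(report)

def format_report(report):
    """One line per infected source, busiest first; suitable for an abuse report."""
    out = []
    for ip, e in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        flag = ("  ** %d probe(s) not answered 404 **" % len(e["not_404"])
                if e["not_404"] else "")
        out.append("%s  %d probes, %d distinct paths, %s, %s .. %s%s" % (
            ip, e["count"], len(e["paths"]), "/".join(sorted(e["families"])),
            e["first"].isoformat(), e["last"].isoformat(), flag))
    return out

if __name__ == "__main__":
    print("\n".join(format_report(summarize(SAMPLE_LOG.splitlines()))))
```

Run it against a real access_log with `summarize(open("access_log").readlines())`; the per-IP first/last timestamps matter for dial-up sources, since the ISP can only tie a dynamic address to a customer for a given time window.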

Date: Sun, 11 Nov 2001 01:29:19 -0700 (MST)
From: Brad <brad at americanisp.net>
To: Roger Frank <rfrank at rfrank.net>
cc: clue-tech <clue-tech at clue.denver.co.us>
Subject: Re: [CLUE-Tech] 404's
In-Reply-To: <20011110202940.5d4ab78f.rfrank at rfrank.net>
Message-ID: <Pine.LNX.4.33.0111110115110.17759-100000 at sh01>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 10 Nov 2001, Roger Frank wrote:

> My web site is giving more 404s (not found) messages than
> all other types combined.  Checking the log, these are all
> virus attacks trying many varied paths to get to a cmd.exe
> file.  (http://www.8x02.com/report.html for the curious).  In the
> log, I see that these requests are coming from many different
> computers, and their IP addresses are included.   I've only
> been running the log for a few days but what's happening
> seems clear.
>
> It seems like there should be some way that I could let them
> know that their systems are generating these attempts and
> that they are infected.  It may be like rearranging deck chairs
> on the Titanic since there are so many machines doing this.
> But if my machine were the sender and not the receiver, I
> would want to know.
>
> What would you do?  Just erase the log so the disk doesn't
> fill up and move on since it's not a problem for me?  What are
> the choices?
>
> --
> Roger Frank
> Ponderosa High School, Parker, Colorado
> rfrank at rfrank.net

Odds are, you are not the only network which is getting this
code-red-type of traffic, and the operator(s) of the
infected machine(s) are either already aware of the problem,
or have been informed of the problem by various automated
reporting systems around the net.
Many times the infected machine is on a network which uses
dynamically assigned IP address space (such as a dialup
account, etc), and pinpointing the responsible party can be
difficult.  Sure, you could contact their ISP, but most ISPs
do not claim responsibility for content on their customers'
equipment (and they shouldn't have to..).

The most effective way I have found to deal with this
problem is described in this Cisco document:
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

It details how to set up access-lists and policy mapping to
actually deny those specific requests from passing through
the router (this assumes you have a cisco router on your
network), thus keeping your machines from being probed and
your log files for any host on your network from seeing all
of that activity.  Many of our high-speed T1 and T3
customers have implemented this filtering on their networks.

Someone once asked me why the major internet backbones just
don't filter the code-red traffic at their core routers and
solve the entire problem.
Well, two things really.  First is the overhead.  When
dealing with a core network which switches and routes a
million packets per second, applying any filter rules to
that kind of traffic would overload the devices.  Second is
policy.  Most providers do not filter anything, including
code-red, because this would violate service level
agreements and make some people unhappy.

Thanks,
Brad Baker
Director: Network Operations
American ISP
brad at americanisp.net
+1 303 984 5700 x12
http://www.americanisp.net/
PGP KeyID: BEA23F60

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE77jbhpDk9Xr6iP2ARAsQEAJ9A2zATGA+GtY2c6bc1iBZ8+eMSQwCdEjUX
/MANGvu9kU5c/VjIP4tXPXA=
=kaud
-----END PGP SIGNATURE-----
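A configuration in the spirit of the Cisco document Brad links, added here as an example; it is not copied from that document or from Brad's message. It uses NBAR (`match protocol http url`) to classify the worm request strings on the outside interface, marks them with a DSCP value, and drops the marked packets with an ACL on the inside interface before they reach the web servers. The interface names, the class-map/policy-map names, the ACL number and the DSCP value 1 are assumptions; NBAR requires `ip cef`, and if your web servers listen on ports other than 80 the http port map for NBAR has to be extended for those ports.

```cisco
! Added example (not from the original message or the Cisco document).
! Requires CEF, which NBAR depends on.
ip cef
!
! Classify HTTP requests that carry the worm strings: Code Red's .ida
! ISAPI hit, and Nimda's cmd.exe / root.exe probes (any traversal encoding,
! since the file name itself is never encoded).
class-map match-any http-worm-probes
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
! Mark matching packets with DSCP 1 (assumes DSCP 1 is unused in your QoS scheme).
policy-map mark-http-worm-probes
 class http-worm-probes
  set ip dscp 1
!
! Outside (upstream) interface, name assumed: classify and mark inbound traffic.
interface Serial0/0
 service-policy input mark-http-worm-probes
!
! Inside interface toward the servers, name assumed: drop what was marked.
! The "log" keyword records the source address, so you keep the evidence
! without the probe ever reaching a server's access log.
interface FastEthernet0/0
 ip access-group 105 out
!
access-list 105 deny   ip any any dscp 1 log
access-list 105 permit ip any any
```

Two checks before relying on it: `show policy-map interface Serial0/0` should show the class counters climbing while probes are arriving, and `show access-lists 105` should show matching deny hits. Note that the infected host still completes the TCP handshake (NBAR sees the URL only in the GET request itself); only the request carrying the worm string is dropped, which is why the server never logs it.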
