#20 Worms attacks report

closed
Other (220)
7
2012-10-11
2001-09-25
No

In recent weeks, AWStats has shown much "Code Red"-
like activity in its "HTTP Error Codes/404 Not Found"
page.

It would be useful if this kind of activity could be
categorised on a separate page, perhaps with a DNS
lookup of the offending hostnames.

There would probably have to be some configuration
options to allow the format of the requested 'unknown'
page to be recognised as a worm/virus attack rather
than a genuine bad page request, though currently this
shouldn't be too difficult - it's easy to spot the
requests for 'cmd.exe' and 'pages' from
directory 'scripts' or '/d/winnt/system32'.

Discussion

  • tobias wack

    tobias wack - 2001-11-03

    Logged In: YES
    user_id=347428

    i think too that it would be useful to know some server-
    attack information in stats.
    the information about 404 errors not made to inform about
    the attacks, so it is better to make an own category for it.

     
  • Peter Geoffery

    Peter Geoffery - 2002-03-12

    Logged In: YES
    user_id=479929

    A section called security attack would be good and could be
    another addon similiar to the browser.pl in the DB
    directory so we could update it as we go.

     
  • Karl Ove Hufthammer

    Logged In: YES
    user_id=59205

    formmail.pl is another kind of attempted attack which has
    shown up several times in my logfile.

     
  • Nobody/Anonymous

    Logged In: NO

    actually a seperate page for suspected attacks such as the
    one above or the more general probing for an unprotected cgi-
    bin directory etc. would be great.

     
  • Anonymous - 2003-02-12

    Logged In: YES
    user_id=626048

    Also there is another AWStats feature request very much
    related to this: <a
    href="http://sourceforge.net/tracker/index.php?func=detail&ai
    d=653164&group_id=13764&atid=363764">[ 653164 ] Support
    for Microsoft's UrlScan tool</a>

     
  • Joshua Clinard

    Joshua Clinard - 2003-05-15

    Logged In: YES
    user_id=779906

    I would like to have this as well.

     
  • warren crossing

    warren crossing - 2003-09-03

    Logged In: YES
    user_id=328291

    Yeah or a heaps easier way could be to simply ignore them on
    the 404 page and definitley exclude them from being shown in
    the top files catagory.

    I have always wondered why the non 200 OK entiries are
    counted as hits - at all

    i might make a patch to turn this off!

     
  • Kurt Kessel

    Kurt Kessel - 2003-09-29

    Logged In: YES
    user_id=875042

    I agree on a separate page for identifying attacks and
    potential attacks.

    Additional functionality would be to add hits that don't
    grab certain items on a (home) page, like IMG links or
    javascript pages. Seems like all the mechanical attacks (and
    spiders) don't fool with these. Adding a config to identify
    these at a lower priority than spiders would be helpful.

     
  • Laurent Destailleur (Eldy)

    Logged In: YES
    user_id=96898

    The feature/change or bug fix was added in CVS tree.
    Will be available with next release.

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks