Online DB of IPs for Nimda worm infected machines

Bill Larson blarson at compu.net
Wed Sep 19 00:21:26 UTC 2001


That is a handy feature; however, you should also see your local users
scanning your own IP block as well. So a simple check of your web server log
directly will isolate the infected user, complete with time stamps. The
following utility will do it for you; if you want to check for just your
local IP blocks, you would use:

#!/usr/bin/perl
use strict;
use warnings;

# Path to your web server access log (edit to match your system)
my $logfile = "/path/to/your/logs/access_log";
open(my $htfile, '<', $logfile) or die "Cannot open $logfile: $!";

while (my $line = <$htfile>) {
    chomp $line;
    # Nimda probes request paths under /winnt/system32/
    next unless $line =~ m{/winnt/system32/};
    # Restrict to entries from your own users
    # (replace yourdomain\.com with your domain or IP block prefix)
    next unless $line =~ /yourdomain\.com/;
    print "$line\n";
}
close($htfile);

---
Bill Larson
Network Administrator
Compu-Net Enterprises

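The log check above, and the point raised in the quoted thread that a dynamic IP can only be tied to a user with a time stamp, can be combined into one small script. This is an added example, not Bill Larson's code: it parses Apache common-format log lines, keeps only /winnt/system32/ probes whose source falls inside your own CIDR blocks, and reports first and last probe time per address. The sample log lines and the 10.1.0.0/16 block are constructed.

```python
import ipaddress
import re
from datetime import datetime

# Apache common/combined log line: client IP, timestamp in brackets, request in quotes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
# Nimda probes request paths under /winnt/system32/ (the pattern the post greps for)
PROBE_RE = re.compile(r'/winnt/system32/', re.IGNORECASE)

def find_local_probes(log_lines, local_nets):
    """Return (ip, iso_timestamp, path) for probes sourced from local_nets (CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed or truncated lines
        ip, ts, _method, path = m.groups()
        if not PROBE_RE.search(path):
            continue                      # ordinary request, not a probe
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                      # hostname logged instead of an IP
        if not any(addr in net for net in nets):
            continue                      # probe came from outside our own blocks
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ip, when.isoformat(), path))
    return hits

def first_last_seen(hits):
    """Per source IP: (first probe time, last probe time, count); the window ties a dynamic IP to a user."""
    summary = {}
    for ip, when, _path in hits:
        first, last, n = summary.get(ip, (when, when, 0))
        summary[ip] = (min(first, when), max(last, when), n + 1)
    return summary

# Constructed sample log lines (not taken from a real server)
SAMPLE_LOG = [
    '10.1.2.3 - - [18/Sep/2001:14:02:11 -0700] "GET /c/winnt/system32/ HTTP/1.0" 404 290',
    '192.0.2.44 - - [18/Sep/2001:14:02:12 -0700] "GET /d/winnt/system32/ HTTP/1.0" 404 290',
    '10.1.7.9 - - [18/Sep/2001:14:03:00 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '10.1.2.3 - - [18/Sep/2001:14:05:40 -0700] "GET /c/winnt/system32/ HTTP/1.0" 404 290',
    'garbage line with no structure',
]

if __name__ == "__main__":
    for ip, (first, last, n) in first_last_seen(find_local_probes(SAMPLE_LOG, ["10.1.0.0/16"])).items():
        print(f"{ip}: {n} probes between {first} and {last}")
```

Feed it your real access_log lines and your own prefixes; the external 192.0.2.44 probe is dropped on purpose, since the point here is finding your own infected users rather than everyone who scanned you.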

----- Original Message -----
From: "Ulf Zimmermann" <ulf at Alameda.net>
To: "Rubens Kuhl Jr." <rkuhljr at uol.com.br>
Cc: <ulf at Alameda.net>; <nanog at nanog.org>
Sent: Tuesday, September 18, 2001 7:06 PM
Subject: Re: Online DB of IPs for Nimda worm infected machines


>
> On Tue, Sep 18, 2001 at 07:44:44PM -0300, Rubens Kuhl Jr. wrote:
> >
> > Please list probe time also. Dynamic IPs can only be traced to the actual
> > infected user with a time stamp.
>
> Valid point. Hmmm, let me rearchitect this a bit to be able to track
> that.
>
> >
> >
> > Rubens Kuhl Jr.
> >
> >
> > >         http://seven.alameda.net/~ulf/nimda/
> > >
> > >I put a page to search for infected IPs. This is the first version.
> > >Currently I put IPs into it which probed me before about 2pm PDT.
> > >I got email from 2 people who sent me their IPs, which I am going
> > >to add when they ok it.
> > >
> > >You can right now search by SQL for IPs like: 64.81.%
> > >This will display all IPs which probed me starting
> > >with 64.81.
> > >
> > >Things I am adding in the next minutes is so that people
> > >can submit them self single IPs or bulk list.
> >
> >
>
> --
> Regards, Ulf.
>
> ---------------------------------------------------------------------
> Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204