
Re: Apache to rewrite or not ..



> On Mon, 31 Mar 2003 15:40, Fred Smith wrote:
>> it is most likely a worm (nimda, code red, or one of their variants)
>> and not an actual person. if you're feeling ambitious, you could log
>> these hits and report them to the ISP they came from, so the ISP can
>> contact the owner of the machine and inform them that they are
>> infected with a
>
> That's a bad idea.
>
> If every Apache server was set up in such a fashion then the postmaster
> address for every major ISP would become unusable, and therefore
> postmaster addresses would become unusable.
>
> If someone set up a central clearing-house for such things then it might
> work. What you would need is for your server to notify a central
> server of the worm infection. Once 10 or more machines from different
> AS's had reported an IP address as being infected with a worm then it
> would be reported to the ISP along with any other IP addresses in the
> same ISP's space. That way there would be few false alarms, and the
> real reports would tend to have several IP addresses reported at the
> same time.

What about writing some sort of log analysis tool that can speak to
dshield.org?  They do log correlation and ISP notification and other noble
things. They might already have an Apache log tool, but I don't know for
sure.

Sincerely,
Kirk Ismay
System Administrator
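
The clearing-house rule proposed in the quoted message (notify an ISP only after 10 or more distinct ASes report the same IP, and include the other reported IPs in that ISP's space) can be sketched as follows. This is an added example, not part of the original thread or of any DShield tooling; the prefix table, ISP names, ASNs and sample reports are constructed, and `correlate` and `isp_for` are hypothetical names.

```python
import ipaddress
from collections import defaultdict

THRESHOLD = 10  # distinct reporting ASes required, per the proposal above

# Constructed prefix-to-ISP table (documentation ranges, hypothetical ISP names).
ISP_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): "isp-a.example",
    ipaddress.ip_network("198.51.100.0/24"): "isp-b.example",
}

def isp_for(ip):
    """Return the ISP whose prefix contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, isp in ISP_PREFIXES.items():
        if addr in net:
            return isp
    return None

def correlate(reports, threshold=THRESHOLD):
    """reports: iterable of (reporter_asn, infected_ip) pairs.

    Returns {isp: sorted list of IPs to put in one notification}.
    An ISP is notified only when at least one of its IPs was reported
    from `threshold` or more distinct ASes; the notification then also
    carries every other reported IP in that ISP's space.
    """
    reporters = defaultdict(set)      # ip -> set of reporting ASNs
    for asn, ip in reports:
        reporters[ip].add(asn)        # repeat reports from one AS count once

    by_isp = defaultdict(set)         # isp -> all reported IPs
    confirmed = set()                 # ISPs with at least one confirmed IP
    for ip, asns in reporters.items():
        isp = isp_for(ip)
        if isp is None:
            continue                  # no known contact, nothing to send
        by_isp[isp].add(ip)
        if len(asns) >= threshold:
            confirmed.add(isp)
    return {isp: sorted(by_isp[isp], key=ipaddress.ip_address) for isp in confirmed}

# Constructed sample reports using private-use ASNs.
SAMPLE = (
    [(64512 + i, "192.0.2.10") for i in range(10)]   # 10 distinct ASes: confirmed
    + [(64512, "192.0.2.77")]                        # same ISP, rides along
    + [(64600, "198.51.100.5")] * 25                 # one noisy AS: not confirmed
)

if __name__ == "__main__":
    for isp, ips in correlate(SAMPLE).items():
        print(isp, ips)
```

Counting distinct ASes rather than raw reports is what keeps a single misconfigured or noisy reporter from triggering a notification.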
