ajt has asked for the wisdom of the Perl Monks concerning the following question:
As I run Apache not IIS on my dev (NT) box, it was the only server running during the morning long attack, the IT team had shut down or isolated all the NT servers. I was therefore the only person able to give them a list of known infected machines, by simply tailing my access logs - which proved more efficient that simply waiting for people to complain that their machine was sick.
This morning I'm writing a simple "honey pot" script to log any future Nimda or Code Red like activity. I've done all ths simple Apache stuff, so it triggers a PerlRun script on my NT box, logs the IP and such, but I was wondering what else I can do?
I'll add an email action to, but during the attack yesterday on of the first things to be switched off was the Exchange/SMTP servers, so email isn't going to do much...
Unlike the typical example I've seen before, (Apache::CodeRed), I know where all the machines are (on our intranet) and I know who to contact, but there may be no point in emailing as the server may be down, and our IT team may be too busy to respond anyway.
Basically I think I need two responses:
- A first alert when something happens - possibly an email.
- Logging of actvity, during an attack.
Anything else? Is a desktop alert worth trying?
Ironically I only use IE/outlook because I have to, in fact I've spent the last week arguing why Unix/Apache/Perl is better than NT/IIS/VB for the web project I'm working on - but that's another story...
As ever, very humble thanks in advance.
|
---|
Replies are listed 'Best First'. | |
---|---|
Re: Virus Honey Pot
by Corion (Patriarch) on Nov 06, 2001 at 17:12 UTC | |
Re: Virus Honey Pot
by Biker (Priest) on Nov 06, 2001 at 18:47 UTC | |
by dws (Chancellor) on Nov 07, 2001 at 05:03 UTC | |
Re: Virus Honey Pot
by scottstef (Curate) on Nov 06, 2001 at 19:44 UTC | |
Re: Virus Honey Pot
by rchiav (Deacon) on Nov 06, 2001 at 20:05 UTC |