Check the Apache logs for Nimda worm attacks

Sep 18, '01 11:30:03PM

Contributed by: victory

I realize that readers might be getting tired of the pipe-related tricks, but here's a quick one that may be of use to anyone running a web server on OS X. As you've probably noticed, the Net is in for yet another round of annoyance with the arrival of the Nimda worm. Like its Code Red predecessors, it primarily targets Microsoft IIS servers, not the Apache server installed by default with OS X. While Apache is immune to this PARTICULAR attack**, it is still affected by it: an infected Windows system launches hundreds of attempts to find other vulnerable systems, and the sheer volume of probes creates a denial-of-service situation across the Internet.

Anyhow, if you do serve HTTP from your OS X box, here's a quick way to check whether a Nimda-infected system has contacted yours:

grep -ih "_vti_bin" /var/log/httpd/access_log* | cut -f 1 -d ' ' | sort | uniq

to list each distinct IP address that sent a request containing the Nimda signature. (The -h keeps grep from prefixing each match with the log file name when the glob matches more than one log; without it, the file name would end up in the first field that cut extracts.) Or append

| wc -l

to the end of the above command to see only how many distinct addresses there were.
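As an added example (not part of the original hint), here is the same check wrapped in shell functions and run against a few constructed log lines. It assumes Apache common or combined log format with the client address in the first field, extends the hint's `_vti_bin` signature with `root.exe` and `cmd.exe`, two other request strings the worm is known to probe for, and adds a per-address hit count.

```shell
#!/bin/sh
# Added example: the hint's one-liner as reusable functions, exercised on a
# constructed sample log (not real traffic). Assumes Apache common/combined
# log format, where the first space-separated field is the client address.

# The hint's signature (_vti_bin) plus two other request strings Nimda probes
# for (root.exe, cmd.exe); all three are harmless 404s on a stock Apache.
NIMDA_PATTERN='_vti_bin|root\.exe|cmd\.exe'

# One line per distinct client address that sent a matching request.
# Arguments are log files, e.g. /var/log/httpd/access_log*
# (-h suppresses file-name prefixes when more than one file is given).
nimda_sources() {
    grep -ihE "$NIMDA_PATTERN" "$@" | cut -f 1 -d ' ' | sort -u
}

# How many distinct addresses that is (the hint's "| wc -l" variant).
nimda_source_count() {
    nimda_sources "$@" | wc -l | tr -d ' '
}

# Matching requests per address, busiest address first: "<count> <address>".
nimda_hits_per_source() {
    grep -ihE "$NIMDA_PATTERN" "$@" | cut -f 1 -d ' ' | sort | uniq -c \
        | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample: two probes from one host, one from another, one normal hit.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [18/Sep/2001:23:10:01 -0700] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
10.0.0.5 - - [18/Sep/2001:23:10:02 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
192.168.1.20 - - [18/Sep/2001:23:11:15 -0700] "GET /index.html HTTP/1.0" 200 1043
172.16.4.9 - - [18/Sep/2001:23:12:40 -0700] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
EOF

echo "Distinct probing addresses: $(nimda_source_count "$SAMPLE_LOG")"
nimda_hits_per_source "$SAMPLE_LOG"
```

Point the functions at your real logs instead of the sample file; rotated logs that have been gzipped would need zgrep rather than grep.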

** A gentle reminder that choosing the Mac as our platform doesn't inherently make us more secure against network attacks and exploits; it's simply that more people are using Windows at this time, so that is where most blackhats direct their attention.



Mac OS X Hints
http://hints.macworld.com/article.php?story=20010918233003581