Total count of hits?
Authored by: Anonymous on Sep 22, '01 03:10:18AM
I was poking around on my access_log, and I noticed that "_vti_bin" was not the only crud that Nimda requests from your machine. I saw stuff containing "default.ida", "cmd.exe" and "root.exe" so I modified the mentioned script to (hopefully) show every single hit that Nimda had on your machine. Here it is:
egrep -i "(_vti_bin|default.ida|cmd.exe|root.exe)" /var/log/httpd/access_log* | cut -f 1 -d ' ' | sort | wc -l
Let me know if this is showing a correct number, or is totally whacked. On my machine, which is running 10 about 3 to 4 hours a day, it's had 3459 hits from Nimda. -THX

Ooops!
Authored by: Anonymous on Sep 22, '01 03:28:49AM
Whoops, I messed up part of this, but I don't think it affects the final count much. All the lines that contain "_vti_bin" also contain "cmd.exe", so I'll leave "_vti_bin" out of this; however, the count is still the same. I also talked to a friend, who says this will also show the amount of Code Red hits, because they exploit some of the same vulnerabilities. Here's the new command:
egrep -i "(default.ida|cmd.exe|root.exe)" /var/log/httpd/access_log* | cut -f 1 -d ' ' | sort | wc -l
-THX

Total count of hits?
Authored by: Darkshadow on Sep 22, '01 07:53:53AM
I wrote a CGI Perl script that will tell you the addresses, number of hits, number of unique hits, and total number of requests from the Nimda worm. It's based on the grep code from here. Just drop it into your CGI-Executables directory and access it to look at the hits. Note that this works with your access_log, so if you filtered out the hits, it won't tell you the correct number. You can grab the script here: newworm.pl

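An added example, not part of the original comments and not Darkshadow's newworm.pl: a shell report built on the egrep signatures from the comments above, giving total hits, unique source addresses and per-address counts across several log files. The function names, the escaped dots, the use of grep -h and the sample log lines are choices and constructions of this example.

```shell
#!/bin/sh
# Signatures named in the comments above; dots escaped so "." matches literally.
PATTERN='(_vti_bin|default\.ida|cmd\.exe|root\.exe)'

# Matching lines from every log given. -h drops grep's "file:" prefix, so
# field 1 stays the bare client address when several logs are searched.
worm_lines() { grep -E -i -h -- "$PATTERN" "$@"; }

# Total matching requests.
total_hits() { worm_lines "$@" | wc -l | tr -d ' '; }

# Number of distinct client addresses that sent a matching request.
unique_hosts() { worm_lines "$@" | cut -d ' ' -f 1 | sort -u | wc -l | tr -d ' '; }

# "address count" pairs, busiest first (ties broken by address).
hits_per_host() {
    worm_lines "$@" | cut -d ' ' -f 1 | sort | uniq -c |
        awk '{ print $2, $1 }' | sort -k2,2nr -k1,1
}

# Constructed sample data: two small Common Log Format files in directory $1.
write_sample_logs() {
    cat > "$1/access_log" <<'EOF'
192.0.2.10 - - [22/Sep/2001:03:01:10 -0700] "GET /scripts/root.exe HTTP/1.0" 404 276
192.0.2.10 - - [22/Sep/2001:03:01:11 -0700] "GET /_vti_bin/x/cmd.exe HTTP/1.0" 404 281
203.0.113.5 - - [22/Sep/2001:03:05:00 -0700] "GET /docs/cmd_exe.html HTTP/1.1" 200 1024
EOF
    cat > "$1/access_log.1" <<'EOF'
198.51.100.7 - - [21/Sep/2001:23:02:00 -0700] "GET /default.ida HTTP/1.0" 404 270
192.0.2.10 - - [21/Sep/2001:23:40:00 -0700] "GET /scripts/ROOT.EXE HTTP/1.0" 404 279
203.0.113.5 - - [21/Sep/2001:23:41:00 -0700] "GET /index.html HTTP/1.1" 200 512
EOF
}

# Demo run over the constructed logs.
demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
echo "total hits:   $(total_hits "$demo_dir"/access_log*)"
echo "unique hosts: $(unique_hosts "$demo_dir"/access_log*)"
hits_per_host "$demo_dir"/access_log*
rm -rf "$demo_dir"
```

To run it against real logs, call the functions with your own files, for example `total_hits /var/log/httpd/access_log*`.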