
ARIS worm notification


As you're aware, the ARIS worm is spreading real fast on the
Internet.  My dial-up machine has received nearly 200 ARIS probes from
infected machines since this morning, in about 6 hours of uptime.

SecurityFocus has set up an ARIS notification address.  They will
notify the administrators of infected systems given the IPs of these
systems, which will help curb the spread of the virus.

This is a request to please cull your HTTP logs (if you're running
HTTPD) and send the appropriate information to SecurityFocus.  The
command to do this is:

fgrep ".ida?XXXXX" /var/log/httpd/access_log | \
      cut -d" " -f1,4,5 | \
      sed -e 's/[][]//g' | \
      Mail -s "ARIS Infection Report from httpd access_log" aris-report@xxxxxxxxxxxxxxxxx

[Line may have wrapped]

This would work on a RH 6.2 system.  Please use the appropriate path
to your Apache logfile for other systems.


-- Raju
Raju Mathur          raju@xxxxxxxxxxxxx           http://kandalaya.org/
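
An added example, not part of the original post: a variant of the log-culling pipeline above that collapses repeated probes into one line per source address, with a hit count and first/last timestamps, so the report stays short. The function names and the sample log lines (documentation-range addresses, constructed dates) are assumptions for illustration; it expects Apache common or combined log format.

```shell
#!/bin/sh
# ida_probe_summary LOGFILE
# Prints one line per client that requested the ".ida?XXXXX" URL:
#   <ip> <hits> <first-seen time zone> <last-seen time zone>
# Field 1 is the client address, fields 4-5 are "[time zone]".
ida_probe_summary() {
    # grep -F is the same fixed-string match as the fgrep in the post.
    grep -F '.ida?XXXXX' "$1" | awk '
        {
            ts = $4 " " $5
            gsub(/\[|\]/, "", ts)            # strip the brackets
            if (!($1 in hits)) {             # first time we see this client
                first[$1] = ts
                order[++n] = $1              # keep first-seen order
            }
            hits[$1]++
            last[$1] = ts
        }
        END {
            for (i = 1; i <= n; i++) {
                ip = order[i]
                printf "%s %d %s %s\n", ip, hits[ip], first[ip], last[ip]
            }
        }'
}

# write_sample_log FILE
# Writes a small constructed access_log (not real traffic) for trying it out.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [05/Aug/2001:09:12:01 +0530] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.7 - - [05/Aug/2001:09:15:44 +0530] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 276
192.0.2.10 - - [05/Aug/2001:11:40:30 +0530] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 276
203.0.113.5 - - [05/Aug/2001:11:41:02 +0530] "GET /index.html HTTP/1.0" 200 1043
EOF
}
```

The output of `ida_probe_summary /var/log/httpd/access_log` can be piped to `Mail` exactly as in the original command.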