That is a handy feature; however, you should also see your local users scanning your own IP block as well. So a simple check of your web server log directly will isolate the infected user, complete with time stamps. The following utility will do it for you. If you want to check for just your local IP blocks, you would use:

    #!/usr/bin/perl
    use strict;
    use warnings;

    # Print access-log lines that contain a /winnt/system32/ probe
    # and that also mention your own domain (the requesting host).
    open(my $ht, '<', "/path/to/your/logs/access_log")
        or die "Cannot open access_log: $!";
    while (my $line = <$ht>) {
        chomp($line);
        if ($line =~ m{/winnt/system32/}) {
            if ($line =~ /yourdomain\.com/) {
                print "$line\n";
            }
        }
    }
    close($ht);

---
Bill Larson
Network Administrator
Compu-Net Enterprises

----- Original Message -----
From: "Ulf Zimmermann" <ulf@Alameda.net>
To: "Rubens Kuhl Jr." <rkuhljr@uol.com.br>
Cc: <ulf@Alameda.net>; <nanog@nanog.org>
Sent: Tuesday, September 18, 2001 7:06 PM
Subject: Re: Online DB of IPs for Nimda worm infected machines

On Tue, Sep 18, 2001 at 07:44:44PM -0300, Rubens Kuhl Jr. wrote:
Please list probe time also. Dynamic IPs can only be traced to the actual infected user with a time stamp.
Valid point. Hmmm, let me rearchitect this a bit to be able to track that.
Rubens Kuhl Jr.
http://seven.alameda.net/~ulf/nimda/
I put a page to search for infected IPs. This is the first version. Currently I put IPs into it which probed me before about 2pm PDT. I got email from 2 people who sent me their IPs, which I am going to add when they ok it.
You can right now search by SQL for IPs like: 64.81.% This will display all IPs which probed me starting with 64.81.
The thing I am adding in the next minutes is so that people can submit single IPs or a bulk list themselves.
-- Regards, Ulf.
--------------------------------------------------------------------- Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
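
The check discussed in this thread, as an added example that is not from any of the posters: it scans Common Log Format lines for the /winnt/system32/ probe path, keeps only sources inside your own address blocks, and reports first and last probe time per address so a dynamic IP can be tied to a user. The function name, the 192.0.2.0/24 local block and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
PROBE = re.compile(r"/winnt/system32/", re.IGNORECASE)  # pattern from the thread

# Assumption: your local address blocks (a documentation range is used here).
LOCAL_BLOCKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
192.0.2.17 - - [18/Sep/2001:14:02:11 -0700] "GET /scripts/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
198.51.100.9 - - [18/Sep/2001:14:03:40 -0700] "GET /scripts/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
192.0.2.17 - - [18/Sep/2001:14:09:55 -0700] "GET /msadc/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
192.0.2.44 - - [18/Sep/2001:14:10:02 -0700] "GET /index.html HTTP/1.0" 200 1043
dialup-12.example.net - - [18/Sep/2001:14:11:30 -0700] "GET /scripts/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
"""


def local_probes(log_text, blocks=LOCAL_BLOCKS):
    """Return {ip: (first_seen, last_seen, count)} for local hosts that sent probes."""
    seen = {}
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or not PROBE.search(m.group(3)):
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # logged as a hostname, so it cannot be matched against a CIDR block
        if not any(addr in net for net in blocks):
            continue
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        first, last, count = seen.get(str(addr), (when, when, 0))
        seen[str(addr)] = (min(first, when), max(last, when), count + 1)
    return seen


if __name__ == "__main__":
    for ip, (first, last, count) in sorted(local_probes(SAMPLE_LOG).items()):
        print(f"{ip}  probes={count}  first={first.isoformat()}  last={last.isoformat()}")
```

If the server logs resolved hostnames instead of addresses, match on the domain suffix as the Perl script above does, since those lines are skipped here.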