> On Mon, 31 Mar 2003 15:40, Fred Smith wrote:
>> it is most likely a worm (nimda, code red, or one of their variants)
>> and not an actual person. if you're feeling ambitious, you could log
>> these hits and report them to the ISP they came from, so the ISP can
>> contact the owner of the machine and inform them that they are
>> infected with a
>
> That's a bad idea.
>
> If every Apache server was set up in such a fashion then the postmaster
> address for every major ISP would become unusable, and therefore
> postmaster addresses would become unusable.
>
> If someone set up a central clearing-house for such things then it might
> work. What you would need is for your server to notify a central
> server of the worm infection. Once 10 or more machines from different
> ASes had reported an IP address as being infected with a worm then it
> would be reported to the ISP along with any other IP addresses in the
> same ISP's space. That way there would be few false alarms, and the
> real reports would tend to have several IP addresses reported at the
> same time.
What about writing some sort of log analysis tool that can speak to dshield.org? They do log correlation and ISP notification and other noble things. They might already have an Apache log tool, but I don't know for sure.

Sincerely,
Kirk Ismay
System Administrator
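The correlation scheme in the quoted proposal (each server reports worm hits to a central server, an address is confirmed only once ten reporters in different ASes have flagged it, and each ISP is then notified about every confirmed address in its space), as an added Python example that is not code from the thread or from dshield.org. The Apache log lines are constructed, the request signatures are the well-known Code Red and Nimda probe strings, and the "/24 is one ISP" netblock lookup is a hypothetical stand-in for a real whois/BGP lookup.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Worm request signatures named in the thread (Code Red: default.ida; Nimda: root.exe / cmd.exe).
WORM_SIGNATURES = re.compile(r"/default\.ida\?|/root\.exe|/cmd\.exe", re.IGNORECASE)
# Apache common log format: client IP is the first field, the request line is quoted.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

def worm_sources(log_lines):
    """Return the set of client IPs whose requests match a worm signature."""
    hits = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and WORM_SIGNATURES.search(m.group(2)):
            hits.add(m.group(1))
    return hits

class Clearinghouse:
    """Correlator from the quoted proposal: an IP is confirmed only once
    reporters in `threshold` distinct ASes have flagged it."""
    def __init__(self, threshold=10):
        self.threshold = threshold
        self.reports = defaultdict(set)  # reported IP -> set of reporter ASNs
    def report(self, reporter_asn, ips):
        for ip in ips:
            self.reports[ip].add(reporter_asn)

    def confirmed(self):
        return {ip for ip, asns in self.reports.items() if len(asns) >= self.threshold}
    def notifications(self, netblock_of):
        """One report per ISP netblock, listing every confirmed IP in its space."""
        per_isp = defaultdict(set)
        for ip in self.confirmed():
            per_isp[netblock_of(ip)].add(ip)
        return {net: sorted(ips) for net, ips in per_isp.items()}

# Constructed sample log: one Code Red probe, one Nimda probe, one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2003:15:40:01 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 285',
    '203.0.113.9 - - [31/Mar/2003:15:41:12 +1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 297',
    '198.51.100.4 - - [31/Mar/2003:15:42:30 +1000] "GET /index.html HTTP/1.1" 200 1043',
]

def demo():
    house = Clearinghouse(threshold=10)
    for asn in range(64500, 64512):  # twelve reporting servers in twelve ASes (constructed)
        house.report(asn, worm_sources(SAMPLE_LOG))
    # Hypothetical ISP lookup: treat each /24 as one ISP's address space.
    return house.notifications(lambda ip: str(ip_network(ip + "/24", strict=False)))
```

A single server reporting the same address repeatedly never crosses the threshold, which is what keeps one misconfigured or malicious reporter from generating ISP complaints on its own.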