Nimda/Code Red - IIS Log Viewer Code

From: HaffyHaf (
Date: 06/05/02

From: (HaffyHaf)
Date: 4 Jun 2002 15:13:30 -0700


If you are like us, you probably get a bunch of scans from computers
infected with Nimda or Code Red.

Our logs get filled up quickly with these and our normal traffic.

So I wrote some ASP pages that allow me to configure a file to search
for certain unusual characteristics in a URL - such as cmd.exe,
root.exe, scripts, etc.

The program can view all entries in the log or only possible hack
attempts. It displays the IP and a link to WHOIS. It also creates an
email link with a preformatted message.

What I have been doing is looking through my logs, and then looking up
their IP and finding a contact email. I then send an email to them
alerting them they are possibly infected with Nimda or Code Red.

The ASP pages are free at our website if you think this would help you
out. You can find out more information at .

Hope this helps someone out!
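
The filtering described in the post above, sketched as an added example (this is not the poster's ASP code, and it is written in Python rather than ASP): it reads IIS W3C extended log lines, matches the URL against a configurable pattern list, and groups the hits by client IP. The sample log lines are constructed, the function names are hypothetical, and the `default.ida` pattern is an assumption added alongside the cmd.exe, root.exe and scripts patterns the post names.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-06-04 15:01:10 192.0.2.10 GET /index.asp - 200
2002-06-04 15:01:12 198.51.100.7 GET /scripts/root.exe /c+dir 404
2002-06-04 15:01:13 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-06-04 15:02:40 203.0.113.5 GET /default.ida NNNNNNNN 404
2002-06-04 15:03:02 192.0.2.10 GET /products/list.asp id=4 200
"""

# Configurable substrings, matched case-insensitively against stem + query.
# The first matching entry is the one reported for a request.
SUSPICIOUS = ["cmd.exe", "root.exe", "/scripts/", "default.ida"]

def parse_w3c(text):
    """Yield one dict per request, honouring every #Fields: directive seen."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # IIS rewrites this after a restart
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields): # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def find_probes(text, patterns=SUSPICIOUS):
    """Return {client_ip: [(timestamp, uri, matched_pattern), ...]}."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        uri = row.get("cs-uri-stem", "")
        if row.get("cs-uri-query", "-") != "-":   # "-" means no query string
            uri += "?" + row["cs-uri-query"]
        lowered = uri.lower()
        for pat in patterns:
            if pat.lower() in lowered:
                when = row.get("date", "") + " " + row.get("time", "")
                hits[row.get("c-ip", "?")].append((when, uri, pat))
                break
    return dict(hits)

if __name__ == "__main__":
    for ip, events in sorted(find_probes(SAMPLE_LOG).items()):
        print(ip, len(events), "suspicious request(s)")
        for when, uri, pat in events:
            print("   ", when, pat, uri)
```

The per-IP grouping is what feeds the WHOIS lookup and notification step the post describes: one lookup per source address rather than one per log line.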

