Return to the 'Code Red and OS X firewalls' hint
Yes Lucas, I know it's not a threat to my system. I said so in my original post, but it can't hurt to let people know not to worry. The reason I'm trying to do this is because I'm sick of my Apache logs getting bloated. I'm going to try installing snort with flexresp and see if I can just kill it by content filtering. There are a lot of variants out now and there's the eeye test as well. I'm averaging 8 per hour if I set my server up on a new static IP that's never had a server on it. The new version is worse because it only looks outside of your address range 12.5% of the time and it's only going to increase. What are you averaging?
-j
Bloated? If 8 entries/hour 'bloats' your Apache logs, why are you running Apache at all? It seems like absolutely nobody is using it. In the 7,829 lines of my log, 20 of those are 404s from Code Red and 79 are 404s in general. And this is my home computer/developer computer, not my main server.
Another way to look at it is that one line of error from one Code Red attempt is less than 450 bytes. My hard drive is 30 Gigabytes. 450 bytes divided by 30 Gigabytes is just about Zero. Even 20 times 450 bytes is Zero. And since logs are generally used as data for statistics-making programs, all you have to do is find the percentage of 404s that are from Code Red (in my case it is 20/79, which is about 25%) and keep that in mind while looking at the general statistics.
-Lucas
http://www.rufy.com/
Whoops, those were old logs; here are the numbers since April 4th:
18,800 lines in my access_log (1.9MB)
592 lines of 404 errors total
45 lines of 404 errors due to Code Red
Summary:
Code Red takes:
About 8% of 404 errors
About 0.2% of all lines of my access_log
About 20 kbytes of my hard disk space
About 0% of my hard disk space
Any questions?
-Lucas
http://www.rufy.com/
Does the IP address at the beginning of these log entries indicate the IP address of the infected machine? If so then I could potentially contact some of the ones that are showing up that have a local IP address (local to work). I.e. not ignore these, but respond to them.
I see lots of those XXXXXXXXXXXX. entries, but also some with N... For example:
66.89.136.70 - - [08/Aug/2001:09:58:02 -0400] 'GET /default.ida?NNNNN.[snip].
NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00
%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0' 400 326
What does that indicate if anything?
The XXXXXXX entries are of a newer strain of the worm, which apart from using a large number of X's to force the buffer overflow in IIS (instead of N's) doesn't seem different.
As for warning infected parties about their infections: there are so many that it becomes a bit of a chore very soon.
I thought about writing a quick PHP script that parses the IP address of the server making the request, and then sends a mail message warning of their infection to abuse@the_offending_ip_address, but still haven't found the time yet.
It would be trivial to write such a simple script, name it default.ida (the file the Code Red worm tries to access on your server), put it in the server root, and change /etc/httpd/httpd.conf so that '.ida' files will be recognized as PHP files (to make sure the script actually gets executed).
I contacted one of the people and sure enough they had Code Red. Turns out that they were unaware that they were even running IIS.
Anyway, I figure I can automate this via an AppleScript. Our network ops have a web page where you can find out the owner of a particular local IP address, including email address. So, I could use Web Miner to do the query and get the result, then tell Mail to send an email to them. It's too bad the nifty OS X application 'File Monitor' does not let you trigger an action, either AppleScript or a shell script, when it spots particular types of entries. Is there anything that would do this for Unix? I can run AppleScript from a shell script, so that would work too.
OK, checked mine too. M$ !!!! and hackers, thanks.
I know this is really lame and I should be looking for this on my own, but would somebody please kindly point me in the right direction on how to 'trim' my access and error logs.
I would really appreciate it.
Also, since I'm requesting help has anybody made an email responder script to notify the infected host?
OK, here's something I found for a PHP solution; wonder if it'll work?
http://www.hotscripts.com/Detailed/11415.html
First of all, that PHP script is not necessary, way too much of an overkill actually since CODE RED DOES NOT AFFECT MACINTOSH. Second of all, you couldn't get it running on Mac OS X because you need IP Tables which is a Linux firewall tool, not BSD!
-Lucas
Thanks for saving me the trouble. Last night before going to bed I was wondering about that. IP Tables, that is.
Although Code Red doesn't necessarily affect my computer, it has in another sense. I've noticed hard drive creep. Slowly and steadily the access_log is filling up, which takes up space.
Thanks for your reply. I probably would've played with the script and found out the hard way.
One line of error code from one Code Red attempt is less than 450 bytes. My hard drive is 30 Gigabytes. 450 bytes divided by 30 Gigabytes is just about Zero. Even 100 times 450 bytes (about 44k), put in perspective of a 30Gb (or even 12Gb) drive, is Zero. If you don't think you can spare an extra 44k of disk space, I think it is time for you to get a new computer.
-Lucas
http://www.rufy.com/
Ok, so it's not that then. Thanks.
How about this then. I open access_log up with pico and it complains that the file has long lines, and there are now 65571 lines total in my log.
Sure, my question might be outrageous for those more experienced than I am, and I probably should open files with a different type of editor that allows scrolling versus control-V or control-Y to page down or up. I should even get myself a book to study more about my system; this I all agree with. I'm not even really complaining that I'm missing some drive space. I just mentioned drive creep and how I can cut down on my log and save space. I should have also mentioned that I would like to reduce the 'length' of my log. Sorry.
So, let me re-ask my question. How can I cut down my log's 'length'?
I prefer using pico since it's a little more unix than let's say textedit would be and therefore reminds me that I'm editing files that are part of the system.
To cut down on the space it takes (which is completely minimal, therefore giving you a trivial amount of hard disk space), just delete the log.
-Lucas
Here are numbers from my home/development computer since April 4th:
18,800 lines in my access_log (1.9MB)
592 lines of 404 errors total
45 lines of 404 errors due to Code Red
Summary:
Code Red alone takes:
About 8% of 404 errors
About 0.2% of all lines of my access_log
About 24 kbytes of my hard disk space
About 0% of my hard disk space
Less than 0% of my worries
Any questions?
-Lucas
http://www.rufy.com/
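As an added example (not code from this thread or from any of its posters), a small Python script that does over a constructed access_log what the posts above do by hand: it recognizes the default.ida probe, separates the N-filler strain from the X-filler strain mentioned earlier, and works out Lucas's figures (Code Red's share of 404s and of lines, bytes on disk) plus the hits-per-hour rate -j asked about. The sample lines are constructed; apart from the address quoted earlier in the thread, the IPs are documentation ranges.

```python
import re
from collections import Counter
from datetime import datetime

# Apache Common Log Format, the format of the access_log lines quoted in this thread.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$')
# Code Red's probe: /default.ida? then a long run of filler ('N' in the first strain, 'X' in the later one).
IDA_PROBE = re.compile(r'/default\.ida\?([NX])\1{3,}')

def classify(request):
    """'N' or 'X' for a Code Red probe, 'other' for another /default.ida hit, None if unrelated."""
    if '/default.ida' not in request:
        return None
    m = IDA_PROBE.search(request)
    return m.group(1) if m else 'other'

def summarize(log_text):
    """Size up Code Red noise the way the thread does: share of 404s and of lines, bytes, hits per hour."""
    s = {'lines': 0, 'status_404': 0, 'codered': 0, 'codered_404': 0, 'codered_bytes': 0, 'variants': Counter(), 'sources': Counter()}
    stamps = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line (truncated or foreign): skip rather than guess
        s['lines'] += 1
        stamps.append(datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'))
        is_404 = m.group('status') == '404'
        s['status_404'] += is_404
        variant = classify(m.group('req'))
        if variant is None:
            continue
        s['codered'] += 1
        s['codered_404'] += is_404
        s['codered_bytes'] += len(line) + 1  # +1 for the newline stored on disk
        s['variants'][variant] += 1
        s['sources'][m.group('ip')] += 1  # the hosts one would notify, as discussed above
    hours = max((max(stamps) - min(stamps)).total_seconds() / 3600, 1.0) if stamps else 1.0
    s['per_hour'] = s['codered'] / hours
    s['pct_of_404'] = 100.0 * s['codered_404'] / max(s['status_404'], 1)
    s['pct_of_lines'] = 100.0 * s['codered'] / max(s['lines'], 1)
    return s

# Constructed sample lines (payloads shortened) standing in for a real access_log.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Aug/2001:09:00:11 -0400] "GET /index.html HTTP/1.0" 200 2048
10.0.0.5 - - [08/Aug/2001:09:00:12 -0400] "GET /missing.gif HTTP/1.0" 404 210
66.89.136.70 - - [08/Aug/2001:09:58:02 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 326
192.0.2.44 - - [08/Aug/2001:11:02:13 -0400] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 326
66.89.136.70 - - [08/Aug/2001:12:58:02 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 326
"""
```

Run it against the real file with `summarize(open('/private/var/log/httpd/access_log').read())`; the `sources` counter gives the per-host hit counts needed before contacting anyone.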
Wow! 1.9 meg file.
May I ask, why keep it so long?
What editor do you use to view it?
Thanks for the information.
Actually, it is interesting to see such stats. I'm not being sarcastic or anything just that being a 'regular' mac user for years and having no real unix/bsd experience this type of information does provide insights into the system I'm using.
Thanks.
I keep it so long because I like the statistics; the bigger the log, the better the accuracy of the statistics. I use Analog (freeware) to process the log files:
http://www.summary.net/soft/analog.html
-Lucas
http://www.rufy.com/
Thanks cardmagic. I appreciate it.
Sounds like a good idea just to have that script running to check my box every once in a while.
'We need your Code Red logs'
In Terminal.app, go to /private/var/log/httpd; sudo and:
grep 'default.ida' access_log | mail -s 'APACHE' redalert@dshield.org
Go to
http://www.dshield.org/codered.html
for more details and info.
if I knew more about the backdoor that the worm opens, I would write a script to shutdown each of the offending servers.
also on the subject of viruses
this one is a bit irritating
'New virus travels in PDF files'
http://news.cnet.com/news
if I knew more about the backdoor that the worm opens, I would write a script to shutdown each of the offending servers.
Heh. I was just mentioning an idea to my co-worker a couple of days ago that we could get a similar virus to infect and apply security patches to servers susceptible to Code Red, then go and infect other servers. He thought we could call it Code White, then asked whether the end justifies the means.
In this case, I thought so. :)
Later,
Louie
If you only have that many Code Red attempts then you're lucky. I'm definitely in a Code Red II hotspot since it looks for close IP numbers now. I changed my IP to a private one that never had a domain name or webserver on it and within 8 hours I had 53 attacks. I verified this by running the snort filter set, logging the results to mysql, and checking them with snortreport.
So:
SetEnvIf Request_URI "^/default.ida" IDAREQ
CustomLog "/private/var/log/httpd/access_log" common env=!IDAREQ
You could escape the other regexp characters in the regular string, but I'm not putting anything named default.ida on my machine.
-j