Date: Mon, 15 Oct 2001 17:33:00 -0400
From: Jan Knepper <jan@digitaldaemon.com>
To: Leif Neland <leifn@neland.dk>
Cc: FreeBSD ISP <FreeBSD-ISP@FreeBSD.ORG>
Subject: Re: script for reporting IIS worms???
Message-ID: <3BCB560C.6040107@digitaldaemon.com>
References: <3BCB15A2.1070504@digitaldaemon.com> <006d01c155be$740c60c0$6d05a8c0@neland.dk>
Leif Neland wrote:
>> Hi,
>>
>> Has anyone by any chance written some kind of a script to report IIS
>> worms from Apache log files???
>>
> If you just want an email: run this from cron:
>
> awk '/default.ida/ || /cmd.exe/ {print $1, substr($4,2,14)}' $access_log | sort -u
>
Well, I was actually looking for something that can scan the httpd log files and do a reverse lookup of the client IPs and notify in an intelligent way...
So far I have something created in an hour or two that reports the client IPs and (if possible) does a reverse lookup (from httpd-access.log).
This now creates the list below.
However it would be very cute if it could report automatically to those responsible....

Jan

> http://www.treachery.net/~jdyson/earlybird/ sends messages to the
> netblock owner according to a whois-lookup.
>
Cute!
But I am not sure if I want to change the apache configuration for all the virtual domains I run...

> http://www.threenorth.com/LaBrea/ creates tarpits which create
> virtual machines on unused IPs and tries to hold on to anything which
> accesses those IPs as long as possible while using minimal bandwidth.
>
Don't know if I want to do that either...

Jan
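Jan's script itself is not in the thread. As an added example (not Jan's or Leif's code), here is a Python version of what he describes: parse httpd-access.log, keep only requests matching the worm paths from Leif's awk one-liner (default.ida for Code Red, cmd.exe for Nimda, plus root.exe, another well-known Nimda path), aggregate per client IP with a hit count and first/last-seen timestamps, and attach a reverse lookup where a PTR record exists. The sample log lines and the PTR table are constructed so the example runs offline; pass socket.gethostbyaddr as the resolver for real use.

```python
import re
import socket
from typing import Callable, Dict
# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2001:09:12:01 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 288 "-" "-"
10.0.0.5 - - [15/Oct/2001:09:12:03 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.77 - - [15/Oct/2001:10:01:44 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 215 "-" "-"
198.51.100.9 - - [15/Oct/2001:10:05:10 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

# Common/combined log prefix: client, ident, user, [timestamp], "request".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
# The thread matched default.ida and cmd.exe; root.exe is added here. Match on the request
# field only, so a referer or user-agent containing these strings cannot cause a false hit.
WORM_RE = re.compile(r'default\.ida|cmd\.exe|root\.exe', re.IGNORECASE)

def scan(log_text: str, resolver: Callable = socket.gethostbyaddr) -> Dict[str, dict]:
    """Aggregate worm probes per client IP and attach a reverse lookup where one exists."""
    hits: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not WORM_RE.search(m.group('req')):
            continue
        rec = hits.setdefault(m.group('ip'),
                              {'count': 0, 'first': m.group('ts'), 'last': None, 'host': None})
        rec['count'] += 1
        rec['last'] = m.group('ts')
    for ip, rec in hits.items():
        try:
            rec['host'] = resolver(ip)[0]   # same tuple shape as socket.gethostbyaddr
        except OSError:                      # socket.herror is an OSError: no PTR, timeout, ...
            rec['host'] = None
    return hits

def report(hits: Dict[str, dict]) -> str:
    """One line per offender, busiest first: ip, reverse name (or -), hits, first..last seen."""
    rows = sorted(hits.items(), key=lambda kv: (-kv[1]['count'], kv[0]))
    return "\n".join(f"{ip:15} {r['host'] or '-':32} {r['count']:4} {r['first']} .. {r['last']}"
                     for ip, r in rows)

# Constructed PTR table so the example runs offline; a hypothetical stand-in for real DNS.
FAKE_PTR = {'192.0.2.77': 'host77.example.net'}
def fake_resolver(ip: str) -> tuple:
    if ip not in FAKE_PTR:
        raise socket.herror(1, 'Unknown host')
    return FAKE_PTR[ip], [], [ip]

if __name__ == '__main__':
    print(report(scan(SAMPLE_LOG, fake_resolver)))
```

Unlike the awk version, which emits one line per distinct (IP, hour) pair, this keeps one row per IP with the probe count, which is what a notification to the netblock owner needs.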