Date:      Mon, 15 Oct 2001 17:33:00 -0400
From:      Jan Knepper <jan@digitaldaemon.com>
To:        Leif Neland <leifn@neland.dk>
Cc:        FreeBSD ISP <FreeBSD-ISP@FreeBSD.ORG>
Subject:   Re: script for reporting IIS worms???
Message-ID:  <3BCB560C.6040107@digitaldaemon.com>
References:  <3BCB15A2.1070504@digitaldaemon.com> <006d01c155be$740c60c0$6d05a8c0@neland.dk>



Leif Neland wrote:

>>Hi,
>>
>>Has anyone by any chance written some kind of a script to report IIS
>>worms from Apache log files???
>>
>If you just want an email: run this from cron:
>
>awk '/default.ida/ || /cmd.exe/ {print $1, substr($4,2,14)}' $access_log | sort -u
>
Well, I was actually looking for something that can scan the httpd log 
files and do a reverse lookup of the client IPs and notify in an 
intelligent way...
So far I have something created in an hour or two that reports the 
client IPs and (if possible) does a reverse lookup (from httpd-access.log).
This now creates the list below. However, it would be very cute if it 
could report automatically to those responsible....

Jan

12.34.72.140
216.116.103.202 202-103-116-216.pajo.com
63.100.142.154
63.124.240.6 host61-06.prestige.net
63.167.204.52
63.168.79.6
63.192.129.6
63.194.22.101 adsl-63-194-22-101.dsl.lsan03.pacbell.net
63.199.186.227 massai2000.com
63.200.154.61 adsl-63-200-154-61.dsl.snfc21.pacbell.net
63.201.244.166 adsl-63-201-244-166.dsl.snfc21.pacbell.net
63.204.228.196 adsl-63-204-228-196.dsl.lsan03.pacbell.net
63.206.114.189 adsl-63-206-114-189.dsl.snfc21.pacbell.net
63.206.91.127 adsl-63-206-91-127.dsl.snfc21.pacbell.net
63.216.100.12 63-216-100-12.sdsl.cais.net
63.217.69.2 63-217-69-2.sdsl.cais.net
63.217.94.74 63-217-94-74.sdsl.cais.net
63.220.127.82
63.220.25.190
63.221.88.19
63.222.71.170
63.228.81.1 dnvrdslgw13poolb1.dnvr.uswest.net
63.228.81.44 dnvrdslgw13poolb44.dnvr.uswest.net
63.237.80.194
63.241.151.29
63.27.31.185 1Cust185.tnt2.st-petersburg.fl.da.uu.net
63.68.142.76
63.72.98.200
63.73.63.59 dialin2-59.ilnk.com
63.79.81.127 um2.elogic.com
63.85.226.100
63.86.173.5
63.97.205.33

>http://www.treachery.net/~jdyson/earlybird/ sends messages to the
>netblock owner according to a whois lookup.
>
Cute! But I am not sure if I want to change the apache configuration for 
all the virtual domains I run...

>http://www.threenorth.com/LaBrea/ creates tarpits which create
>virtual machines on unused IPs and try to hold on to anything which
>accesses those IPs as long as possible while using minimal bandwidth.
>
Don't know if I want to do that either...

Jan

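The scanner Jan describes (match the worm signatures from Leif's awk one-liner, collect the unique client IPs, reverse-resolve them where a PTR record exists) written out as a small Python script. This is an added example, not Jan's script or anything from the thread: the log lines, the IP addresses and the `FAKE_PTR` table are constructed so the demo runs offline, and `dns_resolver` is the hook a real run would use instead. The two signatures, `default.ida` and `cmd.exe`, are the ones from the post; the 14-character timestamp cut mirrors the awk `substr($4,2,14)`, which yields day/month/year:hour.

```python
import re
import socket
from collections import OrderedDict

# Request substrings that mark the IIS worm probes discussed in the thread.
WORM_PATTERNS = ("default.ida", "cmd.exe")

# Apache common/combined log format prefix: client, ident, user, [timestamp], "request"
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

# Constructed sample log lines; IPs and hosts are made up and not from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2001:17:01:22 -0400] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 275
10.0.0.9 - - [15/Oct/2001:17:02:10 -0400] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [15/Oct/2001:17:03:41 -0400] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 281
10.0.0.7 - - [15/Oct/2001:18:05:09 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
this line is not in log format and must be skipped
"""

# Constructed reverse-DNS table backing the offline resolver below (hypothetical data).
FAKE_PTR = {"10.0.0.5": "host5.example.net"}


def parse_line(line):
    """Return (client_ip, timestamp, request) or None if the line is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def is_worm_probe(request, patterns=WORM_PATTERNS):
    """True when the request line contains one of the worm signatures (case-insensitive)."""
    req = request.lower()
    return any(p in req for p in patterns)


def find_worm_hits(log_text, patterns=WORM_PATTERNS):
    """Map each probing client IP to the timestamp of its first matching request.

    The timestamp is cut to 14 characters (day/month/year:hour), the same slice
    the awk one-liner takes with substr($4,2,14). Unparseable lines are skipped.
    """
    hits = OrderedDict()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, request = parsed
        if is_worm_probe(request, patterns) and ip not in hits:
            hits[ip] = ts[:14]
    return hits


def dns_resolver(ip):
    """Live reverse lookup; raises socket.herror/gaierror when there is no PTR record."""
    return socket.gethostbyaddr(ip)[0]


def fake_resolver(ip):
    """Offline stand-in for dns_resolver, backed by the constructed FAKE_PTR table."""
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def reverse_lookup(ip, resolver=dns_resolver):
    """Hostname for ip, or '' when the lookup fails (such hosts are reported by IP only)."""
    try:
        return resolver(ip)
    except (socket.herror, socket.gaierror, OSError):
        return ""


def report(log_text, resolver=dns_resolver, patterns=WORM_PATTERNS):
    """One (ip, first_seen, hostname) row per probing client, in first-seen order."""
    return [(ip, ts, reverse_lookup(ip, resolver))
            for ip, ts in find_worm_hits(log_text, patterns).items()]


if __name__ == "__main__":
    # The offline resolver keeps the demo free of network access; swap in
    # dns_resolver (the default) and read the real access log for a live run.
    for ip, first_seen, host in report(SAMPLE_LOG, resolver=fake_resolver):
        print(ip, first_seen, host)
```

Keeping the resolver injectable is what makes the script testable without DNS, and it is also where a cron job would want a timeout, since `gethostbyaddr` on a dead resolver can stall the whole scan. Matching on the request string rather than on the raw line avoids false hits from referrer or user-agent fields that happen to contain `cmd.exe`.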


