Sorry for the further posts, but you sparked my interest.
Here is another simple script to run that will grab the IP addresses and try
to do a reverse lookup.
If you have nslookup installed on your computer, you can run this also.
(You need to actually create a file for this script, then set it
executable and run it.)
#!/bin/bash
# Pull the client IP (field 1) from every Code Red probe in the log,
# de-duplicate so each host is looked up only once, then reverse-resolve it.
ip_attacks=$(grep 'default\.ida' /usr/local/apache/logs/access_log | awk '{print $1}' | sort -u)
for ip in $ip_attacks
do
  nslookup "$ip"
done
This will grab the IP addresses and attempt to reverse-look them up for their
domain names.
Crude, but I only had about 5 minutes to spend on it.
Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
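The following is an added example, not Adam's script or Peter's responder. It does the same job slightly more carefully: it keys on the request path (field 7 of a common/combined log line) instead of grepping the whole line, so a referer that happens to mention default.ida is not counted; it tallies probes per address so each host is resolved once; and it only does the DNS lookups when asked, because the rest runs offline. The SAMPLE_LOG lines are constructed for illustration; the function names and the --lookup switch are this example's own.

```shell
#!/bin/bash
# Added example, not the script from the post above. Reads an Apache
# access_log, keeps only requests whose path is /default.ida (the Code Red
# signature), counts probes per client IP and optionally reverse-resolves
# each one. The SAMPLE_LOG lines are constructed for illustration.

# Print "count ip" lines, busiest host first, for Code Red probes read on
# stdin. Field 7 of a common/combined log line is the request path, so a
# line that merely mentions default.ida in its referer is not counted.
code_red_hosts() {
    awk '$7 ~ /^\/default\.ida/ { hits[$1]++ }
         END { for (ip in hits) print hits[ip], ip }' |
        sort -k1,1nr -k2,2
}

# Reverse-resolve one address with getent; prints "ip name", or "ip -" when
# nothing resolves (the TEST-NET addresses below have no PTR records).
reverse_lookup() {
    local ip=$1 name
    name=$(getent hosts "$ip" 2>/dev/null | awk '{ print $2; exit }')
    printf '%s %s\n' "$ip" "${name:--}"
}

# Constructed sample log (combined format). Real probes carry a very long
# query string of N characters; it is abbreviated here.
SAMPLE_LOG='192.0.2.10 - - [01/Aug/2001:10:01:02 -0400] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 200 1234 "-" "-"
198.51.100.7 - - [01/Aug/2001:10:02:15 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [01/Aug/2001:10:03:40 -0400] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 290 "-" "-"
203.0.113.5 - - [01/Aug/2001:10:05:01 -0400] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [01/Aug/2001:10:06:30 -0400] "GET /robots.txt HTTP/1.1" 200 68 "http://example.net/default.ida" "-"'

# Summarise the sample; with --lookup also reverse-resolve each host
# (needs working DNS, so it is off by default).
report() {
    printf '%s\n' "$SAMPLE_LOG" | code_red_hosts | while read -r count ip; do
        if [ "${1:-}" = "--lookup" ]; then
            printf '%s probe(s) from %s\n' "$count" "$(reverse_lookup "$ip")"
        else
            printf '%s probe(s) from %s\n' "$count" "$ip"
        fi
    done
}

report "${1:-}"
```

On a real server, replace the sample with `code_red_hosts < /usr/local/apache/logs/access_log`. The sample deliberately includes a /robots.txt request whose referer contains default.ida: a plain `grep default.ida` would list 198.51.100.7 as an attacker, the path check does not.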
----- Original Message -----
From: "Peter H. Lemieux" <phl@C...>
To: <SERVER-LINUX@L...>
Sent: Wednesday, August 01, 2001 3:48 PM
Subject: PHP autoresponder for Code Red worm
> FWIW, I've written a PHP script that analyzes web logs and sends a warning
> notice to any address that appears to have sent the Code Red worm attack.
> You'll see long entries in access_log that start with
> GET /default.ida?NNNN....
> I've gotten a couple dozen today.
>
> If you're interested, it's at:
> http://www.cyways.com/~phl/code_red_responder.php.txt
> (The .txt extension is to keep my copy of Apache from trying to run the
> script when you download it! You'll probably want to drop the .txt from
> your copy.) You'll need to edit a couple of configuration items at the top
> of the script, like what you want the From: address and message text to
> be.
>
> I run scripts like this with the "cgi-bin" version of PHP, though you
> could put it into a web-accessible directory, then access it with a
> browser and let apache's php module run it. Since I've written a number
> of scripts in PHP that run from the command line, I've compiled a separate
> binary of PHP for this purpose. Just don't include any --with-apache or
> --with-apxs options to ./configure, then run "make", and you'll get the
> binary. It's called just "php" and is usually a couple of megabytes in
> size. Put the binary in your path somewhere like /usr/local/bin, then run
>
> php -q /path/to/code_red_responder.php > code_red_log &
>
> Each of the warning emails is written directly to sendmail with options
> set to queue up the messages. This improves performance greatly when
> sending dozens of messages since the script doesn't need to wait for each
> sendmail process to complete before going on to the next. Just make sure
> you're also running the sendmail daemon with the -q option set (e.g.,
> -q15m) so it will mail out the contents of the queue. (If, like me, you
> aren't running sendmail as a daemon, you'll need to execute the command
> "sendmail -q" periodically from cron.) You'll need to be root, or some
> other trusted sendmail user like uucp, to run this script since it uses
> sendmail's -f option to set the From address.
>
> If anyone wants to improve on this, or port it to Perl, be my guest!
>
>
> Peter
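As an added example of the queueing technique Peter describes (this is not his PHP script, and the PHP file is not reproduced here), the shell function below composes one warning and hands it to sendmail with queue-only delivery, so a batch of warnings does not block on each delivery. FROM_ADDR, the message wording, the recipient address and the SENDMAIL override used for a dry run are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not Peter's PHP responder: compose one warning message for a
# probing host and hand it to sendmail in queue-only mode, so a batch of
# warnings does not wait for each delivery. FROM_ADDR, the message wording
# and the SENDMAIL override are assumptions for the example.

FROM_ADDR="webmaster@example.com"           # assumed sender address
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"  # override to test without mailing

# Write the warning for one host to stdout.
# $1 = recipient, $2 = probing IP, $3 = number of /default.ida requests seen.
compose_warning() {
    local to=$1 ip=$2 hits=$3
    printf 'From: %s\nTo: %s\nSubject: Code Red worm traffic from %s\n\n' \
        "$FROM_ADDR" "$to" "$ip"
    printf 'Our web server logged %s request(s) for /default.ida from %s.\n' "$hits" "$ip"
    printf 'That URL is the signature of the Code Red worm; the host is probably infected.\n'
}

# Queue the warning instead of delivering it inline:
#   -odq  queue-only delivery mode (a daemon started with -q15m, or
#         "sendmail -q" from cron, flushes the queue later)
#   -i    do not treat a line holding a single "." as end of message
#   -f    envelope sender (the reason Peter runs his script as root or a
#         trusted sendmail user)
queue_warning() {
    local to=$1 ip=$2 hits=$3
    compose_warning "$to" "$ip" "$hits" | "$SENDMAIL" -odq -i -f "$FROM_ADDR" "$to"
}

# Stand-in for sendmail that echoes its arguments and the message; use it
# as SENDMAIL=dry_run_sendmail to see what would be queued.
dry_run_sendmail() {
    echo "would run: sendmail $*"
    cat
}

# Dry run on a constructed case: two probes seen from 192.0.2.10.
SENDMAIL=dry_run_sendmail queue_warning abuse@example.org 192.0.2.10 2
```

Drop the SENDMAIL override to queue for real; the message then sits in the mail queue until the next queue run, which is why a daemon started without -q (or no daemon at all) needs a periodic "sendmail -q".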