From: "Leif Neland"
To: "Jan Knepper", "FreeBSD ISP"
Subject: Re: script for reporting IIS worms???
Date: Mon, 15 Oct 2001 23:15:01 +0200
Message-ID: <006d01c155be$740c60c0$6d05a8c0@neland.dk>
References: <3BCB15A2.1070504@digitaldaemon.com>

> Hi,
>
> Has anyone by any chance written some kind of a script to report IIS
> worms from Apache log files???
>

If you just want an email, run this from cron:

    awk '/default.ida/ || /cmd.exe/ {print $1, substr($4,2,14)}' "$access_log" | sort -u

http://www.treachery.net/~jdyson/earlybird/ sends messages to the netblock owner according to a whois lookup.

http://www.threenorth.com/LaBrea/ creates tarpits which create virtual machines on unused IPs and tries to hold on to anything which accesses those IPs as long as possible while using minimal bandwidth.

Leif
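Going one step beyond the one-liner in the message above, this added example (not part of the original post) summarises the same two signatures per source address and matches them only against the request line, so a Referer that mentions cmd.exe is not reported. The names `worm_report` and `sample_log` and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. worm_report and sample_log are
# hypothetical names; the two patterns are the ones in the one-liner above.

worm_report() {   # $1 = Apache access log (Common or Combined Log Format)
    awk '
    {
        # Match only the request line (first quoted field), so a Referer or
        # User-Agent that mentions cmd.exe is not counted as a probe.
        if (split($0, q, "\"") < 3) next          # malformed line
        req = tolower(q[2])
        if (req ~ /default\.ida/)   sig = "default.ida"
        else if (req ~ /cmd\.exe/)  sig = "cmd.exe"
        else next
        key = $1 SUBSEP sig                       # source address + signature
        ts = substr($4, 2)                        # drop the leading "["
        if (!(key in hits)) first[key] = ts
        last[key] = ts
        hits[key]++
    }
    END {
        # One line per address and signature: addr sig count first last
        for (key in hits) {
            split(key, p, SUBSEP)
            print p[1], p[2], hits[key], first[key], last[key]
        }
    }' "$1" | sort
}

# Constructed sample input (documentation address ranges, made-up requests).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [15/Oct/2001:14:02:11 +0200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [15/Oct/2001:14:07:45 +0200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [15/Oct/2001:14:09:31 +0200] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 290
203.0.113.5 - - [15/Oct/2001:14:10:00 +0200] "GET /index.html HTTP/1.0" 200 1043 "http://example.test/cmd.exe" "-"
EOF
}
```

From cron, `worm_report "$access_log"` prints one line per address and signature, which cron mails to the job's owner when the output is non-empty.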