From owner-freebsd-isp Mon Oct 15 14:36:20 2001
Message-ID: <3BCB560C.6040107@digitaldaemon.com>
Date: Mon, 15 Oct 2001 17:33:00 -0400
From: Jan Knepper
To: Leif Neland
Cc: FreeBSD ISP
Subject: Re: script for reporting IIS worms???
References: <3BCB15A2.1070504@digitaldaemon.com> <006d01c155be$740c60c0$6d05a8c0@neland.dk>

Leif Neland wrote:
>>Hi,
>>
>>Has anyone by any chance written some kind of a script to report IIS
>>worms from Apache log files???
>>
>If you just want an email: run this from cron:
>
>awk '/default.ida/ || /cmd.exe/ {print $1, substr($4,2,14)}' $access_log | sort -u
>
Well, I was actually looking for something that can scan the httpd log files and do a reverse lookup of the client IP's and notify in an intelligent way...
So far I have something created in an hour or two that reports the client IP's and (if possible) does a reverse lookup (from httpd-access.log).
This now creates the list below. However, it would be very cute if it could report automatically to those responsible....

Jan


>http://www.treachery.net/~jdyson/earlybird/ sends messages to the
>netblockowner according to a whois-lookup.
>
Cute! But I am not sure if I want to change the apache configuration for all the virtual domains I run...
>http://www.threenorth.com/LaBrea/ creates tarpits which creates
>virtual machines on unused ip's and tries to hold on to anything which
>accesses those ip's as long as possible while using minimal bandwidth.
>
Don't know if I want to do that either...

Jan

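The kind of report Jan describes (per-client hit list from the httpd log, with an optional reverse lookup), as an added example building on Leif's awk one-liner; this is not code from the thread. It assumes Apache common/combined log format, adds root.exe as a third probe signature next to default.ida and cmd.exe, and runs on constructed sample lines so it works offline.

```shell
#!/bin/sh
# Constructed sample access-log lines (not real traffic). Field 1 is the
# client IP, field 4 is "[dd/Mon/yyyy:HH:MM:SS", the request path sits in
# field 7. RFC 5737 documentation addresses are used as clients.
SAMPLE_LOG='192.0.2.10 - - [15/Oct/2001:17:01:02 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 288 "-" "-"
192.0.2.10 - - [15/Oct/2001:17:05:44 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
198.51.100.7 - - [15/Oct/2001:17:09:13 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
198.51.100.7 - - [15/Oct/2001:17:10:01 -0400] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
203.0.113.5 - - [15/Oct/2001:18:00:00 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288 "-" "-"'

# worm_report: read log lines on stdin, print one line per probing client:
#   ip hits first_seen last_seen
# Leif's substr($4,2,14) keeps only the hour; here the full timestamp is kept
# (substr($4,2,20) strips the leading "[") so first/last seen are exact.
worm_report() {
    awk '
    /default\.ida/ || /cmd\.exe/ || /root\.exe/ {
        ts = substr($4, 2, 20)
        n[$1]++
        if (!($1 in first)) first[$1] = ts
        last[$1] = ts
    }
    END { for (ip in n) print ip, n[ip], first[ip], last[ip] }' | LC_ALL=C sort
}

# worm_report_rdns: same report with the PTR name appended ("-" when there is
# none). Needs host(1) and network access, so it is not run by default.
worm_report_rdns() {
    worm_report | while read -r ip hits first last; do
        name="-"
        if command -v host >/dev/null 2>&1; then
            name=$(host "$ip" 2>/dev/null |
                awk '/domain name pointer/ {sub(/\.$/, "", $NF); print $NF; exit}')
            [ -n "$name" ] || name="-"
        fi
        echo "$ip $hits $first $last $name"
    done
}

# Stand-alone run over the sample; on a real host replace with
#   cat /var/log/httpd-access.log | worm_report_rdns
printf '%s\n' "$SAMPLE_LOG" | worm_report
```

The probing client's PTR name is only a hint about who to notify; the whois route the earlybird link above takes (netblock owner) is the more reliable contact.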