Date: Tue, 16 Oct 2001 18:03:03 +0200 From: "Leif Neland" <leifn@neland.dk> To: "Jan Knepper" <jan@digitaldaemon.com> Cc: "FreeBSD ISP" <FreeBSD-ISP@FreeBSD.ORG> Subject: Re: script for reporting IIS worms??? Message-ID: <001e01c1565c$0a71e1a0$6d05a8c0@neland.dk> References: <3BCB15A2.1070504@digitaldaemon.com> <006d01c155be$740c60c0$6d05a8c0@neland.dk> <3BCB560C.6040107@digitaldaemon.com>
----- Original Message -----
From: "Jan Knepper" <jan@digitaldaemon.com>
To: "Leif Neland" <leifn@neland.dk>
Cc: "FreeBSD ISP" <FreeBSD-ISP@FreeBSD.ORG>
Sent: Monday, October 15, 2001 11:33 PM
Subject: Re: script for reporting IIS worms???
> Leif Neland wrote:
>
> >>Hi,
> >>
> >>Has anyone by any chance written some kind of a script to report IIS
> >>worms from Apache log files???
> >>
> >If you just want an email: run this from cron:
> >
> >awk '/default.ida/ || /cmd.exe/ {print $1, substr($4,2,14)}' $access_log | sort -u
> >
> Well, I was actually looking for something that can scan the httpd log
> files and do a reverse lookup of the client IPs and notify in an
> intelligent way...
> So far I have something created in an hour or two that reports the
> client IPs and (if possible) does a reverse lookup (from httpd-access.log).
> This now creates the list below. However it would be very cute if it
> could report automatically to those responsible....
>
> Jan
>
> 12.34.72.140
> 216.116.103.202 202-103-116-216.pajo.com
> 63.100.142.154
> 63.124.240.6 host61-06.prestige.net
You could take the code from earlybird and send the messages as
batch-processing instead of real-time.
> >http://www.treachery.net/~jdyson/earlybird/ sends messages to the
> >netblockowner according to a whois-lookup.
> >
> Cute! But I am not sure if I want to change the apache configuration for
> all the virtual domains I run...
>
You don't have to do that.
This takes care of all virtual domains; it is only listed once.
The aliases work for all virtual domains.
AddHandler cgi-script .ida
Alias /default.ida /home/htdocs/default.ida
ScriptAliasMatch ^/MSADC/root\.exe(.*) /home/htdocs/default.ida$1
ScriptAliasMatch ^/scripts/root\.exe(.*) /home/htdocs/default.ida$1
ScriptAliasMatch ^/[cd]/winnt/system32/cmd\.exe(.*) /home/htdocs/default.ida$1
ScriptAliasMatch ^/_mem_bin(/\.\..*) /home/htdocs/default.ida$1
ScriptAliasMatch ^/_vti_bin(/\.\..*) /home/htdocs/default.ida$1
ScriptAliasMatch ^/msadc(/\.\..*) /home/htdocs/default.ida$1
ScriptAliasMatch ^/scripts(/\.\..*) /home/htdocs/default.ida$1
> >http://www.threenorth.com/LaBrea/ creates tarpits which create
> >virtual machines on unused IPs and try to hold on to anything which
> >accesses those IPs as long as possible while using minimal bandwidth.
> >
> Don't know if I want to do that either...
Wouldn't hurt your network performance.
>
> Jan
>
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001e01c1565c$0a71e1a0$6d05a8c0>
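The awk one-liner and the ScriptAliasMatch lines in this thread both come down to matching request paths against a short list of worm probe signatures. The script below is an added example, not code from this thread or from earlybird: it parses Apache common-log lines, tags each probe as Code Red or Nimda using the same request paths the ScriptAliasMatch patterns cover, aggregates hits per client IP with first and last timestamps, and renders the IP/hostname list Jan describes. The reverse lookup is injectable so the report can be produced without DNS; the log lines and the RFC 5737 addresses in them are constructed, not captured.

```python
"""Summarise Code Red / Nimda probes in an Apache access log, per client IP.

Added example for this thread, not the original poster's script.  The log
lines and addresses below are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
import re
import socket
from datetime import datetime

# Apache common/combined format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Same request paths as the ScriptAliasMatch lines in the mail.  Matched
# case-insensitively here (IIS paths are), unlike Apache's patterns.
SIGNATURES = [
    ("CodeRed", re.compile(r"^/default\.ida", re.IGNORECASE)),
    ("Nimda", re.compile(r"^/(?:MSADC|scripts)/root\.exe", re.IGNORECASE)),
    ("Nimda", re.compile(r"^/[cd]/winnt/system32/cmd\.exe", re.IGNORECASE)),
    ("Nimda", re.compile(r"^/(?:_mem_bin|_vti_bin|msadc|scripts)/\.\.", re.IGNORECASE)),
]

# Constructed sample log; one ordinary request and one unparseable line included.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Oct/2001:09:12:44 +0200] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 289
198.51.100.7 - - [16/Oct/2001:09:40:01 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
198.51.100.7 - - [16/Oct/2001:09:40:01 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283
198.51.100.7 - - [16/Oct/2001:09:40:02 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
198.51.100.7 - - [16/Oct/2001:09:40:03 +0200] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324
192.0.2.99 - - [16/Oct/2001:10:02:17 +0200] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [16/Oct/2001:10:15:09 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316
this line is not an access log record
"""


def parse_line(line):
    """Fields of one common/combined log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(path):
    """Worm family whose probe signature the request path matches, else None."""
    for family, rx in SIGNATURES:
        if rx.search(path):
            return family
    return None


def scan(lines):
    """Aggregate probes per client: families seen, hit count, first/last time.
    Unparseable lines are skipped rather than aborting the whole run."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify(rec["path"])
        if family is None:
            continue
        e = hits.setdefault(rec["host"], {"families": set(), "count": 0,
                                          "first": rec["time"], "last": rec["time"]})
        e["families"].add(family)
        e["count"] += 1
        e["first"] = min(e["first"], rec["time"])
        e["last"] = max(e["last"], rec["time"])
    return hits


def reverse_lookup(ip):
    """Best-effort PTR lookup; None instead of an exception when it fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def _addr_key(addr):
    """Sort numerically by address; hostnames (HostnameLookups On) sort last."""
    try:
        return (0, int(ipaddress.ip_address(addr)))
    except ValueError:
        return (1, addr)


def report(hits, resolver=reverse_lookup):
    """One line per offending client, like the list in the mail.  Pass a
    resolver returning None to skip DNS entirely."""
    out = []
    for ip in sorted(hits, key=_addr_key):
        e = hits[ip]
        name = resolver(ip) or ""
        fams = "/".join(sorted(e["families"]))
        out.append(f"{ip:<16} {name:<30} {fams:<8} {e['count']:>3} hits "
                   f"{e['first']:%Y-%m-%d %H:%M}..{e['last']:%H:%M}")
    return out


if __name__ == "__main__":
    print("\n".join(report(scan(SAMPLE_LOG.splitlines()))))
```

Running it against a real log is `scan(open(path))`, which streams the file line by line; to match the awk one-liner's `sort -u` behaviour, the per-IP aggregate replaces the de-duplication, and the first/last timestamps give the abuse contact something to correlate against.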
