From: "Leif Neland"
To: "Jan Knepper"
Cc: "FreeBSD ISP"
Subject: Re: script for reporting IIS worms???
Date: Tue, 16 Oct 2001 18:03:03 +0200

----- Original Message -----
From: "Jan Knepper"
To: "Leif Neland"
Cc: "FreeBSD ISP"
Sent: Monday, October 15, 2001 11:33 PM
Subject: Re: script for reporting IIS worms???

> Leif Neland wrote:
>
> >>Hi,
> >>
> >>Has anyone by any chance written some kind of a script to report IIS
> >>worms from Apache log files???
> >>
> >If you just want an email: run this from cron:
> >
> >awk '/default.ida/ || /cmd.exe/ {print $1, substr($4,2,14)}' $access_log|sort -u
>
> Well, I was actually looking for something that can scan the httpd log
> files and do a reverse lookup of the client IPs and notify in an
> intelligent way...
> So far I have something created in an hour or two that reports the
> client IPs and (if possible) does a reverse lookup (from httpd-access.log).
> This now creates the list below. However, it would be very cute if it
> could report automatically to those responsible....
>
> Jan
>
> 12.34.72.140
> 216.116.103.202 202-103-116-216.pajo.com
> 63.100.142.154
> 63.124.240.6 host61-06.prestige.net

You could take the code from earlybird and send the messages as batch processing instead of real-time.

> >http://www.treachery.net/~jdyson/earlybird/ sends messages to the
> >netblock owner according to a whois lookup.
>
> Cute! But I am not sure if I want to change the apache configuration for
> all the virtual domains I run...

You don't have to do that. This takes care of all virtual domains; it is only listed once. The aliases work for all virtual domains.

AddHandler cgi-script .ida
Alias /default.ida /home/htdocs/default.ida
ScriptAliasMatch ^/MSADC/root\.exe(.*) /home/htdocs/default.ida$1
ScriptAliasMatch ^/scripts/root\.exe(.*) /home/htdocs/default.ida$1
ScriptAliasMatch ^/[cd]/winnt/system32/cmd\.exe(.*) /home/htdocs/default.ida$1
ScriptAliasMatch ^/_mem_bin(/\.\..*) /home/htdocs/default.ida$1
ScriptAliasMatch ^/_vti_bin(/\.\..*) /home/htdocs/default.ida$1
ScriptAliasMatch ^/msadc(/\.\..*) /home/htdocs/default.ida$1
ScriptAliasMatch ^/scripts(/\.\..*) /home/htdocs/default.ida$1

> >http://www.threenorth.com/LaBrea/ creates tarpits which create
> >virtual machines on unused IPs and tries to hold on to anything which
> >accesses those IPs as long as possible while using minimal bandwidth.
>
> Don't know if I want to do that either...

Wouldn't hurt your network performance.

> Jan
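The batch report Jan describes (scan the access log, collect the client IPs that asked for worm URLs, reverse-resolve them) as an added example; this is not Jan's script, Leif's awk one-liner or earlybird, and it is written in Python rather than awk so the log parsing and grouping are explicit. It keys on the same request strings the thread already uses (default.ida, cmd.exe, root.exe), reads the Apache common/combined log format, and takes the resolver as a parameter so it can run offline; the default resolver does a live PTR lookup with socket.gethostbyaddr(). The log lines embedded below are constructed with RFC 5737 documentation addresses, not real traffic.

```python
"""Batch report of IIS-worm probes found in an Apache access log.

Added example for this thread, not a script from any of its participants.
"""
import re
import socket
from datetime import datetime

# Common Log Format prefix; the combined format only appends fields,
# so the same regex covers both.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Request paths that only Code Red / Nimda-style probes ask for: the same
# strings the thread's awk one-liner and ScriptAliasMatch rules key on.
WORM_RE = re.compile(r'default\.ida|cmd\.exe|root\.exe', re.IGNORECASE)

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.140 - - [16/Oct/2001:17:12:03 +0200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 280
198.51.100.202 - - [16/Oct/2001:17:14:55 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
198.51.100.202 - - [16/Oct/2001:17:14:56 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
203.0.113.154 - - [16/Oct/2001:17:20:01 +0200] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
203.0.113.9 - - [16/Oct/2001:17:21:17 +0200] "GET /index.html HTTP/1.1" 200 1043
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_worm_probe(path):
    """True when the requested path carries one of the worm signatures."""
    return WORM_RE.search(path) is not None


def reverse_lookup(ip):
    """Default resolver: PTR lookup, None when the address has no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def summarize(log_text, resolver=reverse_lookup):
    """Group worm probes per client IP, ordered by first sighting."""
    clients = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_worm_probe(rec["path"]):
            continue
        c = clients.setdefault(rec["ip"], {
            "ip": rec["ip"], "hits": 0, "first": rec["ts"],
            "last": rec["ts"], "paths": set()})
        c["hits"] += 1
        c["first"] = min(c["first"], rec["ts"])
        c["last"] = max(c["last"], rec["ts"])
        c["paths"].add(rec["path"].split("?", 1)[0])  # drop the worm payload
    report = sorted(clients.values(), key=lambda c: c["first"])
    for c in report:
        c["host"] = resolver(c["ip"])  # one lookup per client, not per hit
    return report


def format_report(report):
    """Render one line per client, in the style of the list quoted above."""
    out = []
    for c in report:
        host = c["host"] or "(no PTR)"
        out.append("%-15s %-32s %3d hit(s) %s .. %s" % (
            c["ip"], host, c["hits"],
            c["first"].strftime("%d/%b/%Y:%H:%M:%S"),
            c["last"].strftime("%d/%b/%Y:%H:%M:%S")))
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(summarize(text)))
```

Run it from cron with the access log as the argument and mail the output, or feed the per-client records to a notifier of your choice; doing one PTR lookup per client rather than per hit keeps the run short even when a single source has probed every virtual host.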