Thanks, I have taken all of your comments into account and updated my script. However, it still functions the same. Perhaps there should be an "if" statement in there somewhere stating "if I find a line that has cmd.exe in it, capture the IP address to $1 and print it out"???
Al

-- Wiggins d'Anconia <[EMAIL PROTECTED]> wrote:
>
> Alan Moote wrote:
> > Hey gang,
> >
> > As you will soon see, I am quite new to Perl. I am trying to output a list of IPs that are trying to access cmd.exe on my webserver. The problem is, when I run the script against my access_log the output is a bunch of blank lines. Here's the script so far:
> >
> > #!/usr/bin/perl -w
> > use strict;
> >
> > ## Use pattern matching to find IPs that have searched for "cmd.exe"
> >
> > ## Example log lines:
> > ## 24.150.82.42 - - [08/Dec/2002:08:47:46 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
> > ## 24.150.82.42 - - [08/Dec/2002:08:47:48 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
> > ## 24.150.82.42 - - [08/Dec/2002:08:47:51 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
> >
> > $LogFile=$ARGV[0];
> >
> > ## Open the file called from command line, die with error if not readable
> >
> > open(ACCLOG, "<$LogFile") || die "Cannot open $LogFile\n";
>
> better to use 'or' here instead of '||' -> precedence.
>
> > while(<ACCLOG>) {
> >
> > /(^[0-9]{1-3}\.[0-9]{1-3}\.[0-9]{1-3}\.[0-9]{1-3})*.cmd\.exe*.$/g;
>
> instead of *. I believe you want .* for both occurrences in the above line.
>
> > print "$1\n";
> > }
> >
> > close(ACCLOG);
> >
> > It's not much, and to me, it looks right, but obviously I am overlooking some details.
> > Any ideas?
>
> http://danconia.org
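
One way to write the check discussed in this thread, as an added example that is not code from either poster: the address is recorded only when the match succeeds, `{1,3}` replaces `{1-3}` (which Perl treats as literal text, not a repeat count), and the request is URL-decoded before looking for cmd.exe. The `%hits` tally, the decoding step and the last two sample lines (documentation addresses) are assumptions added here; the first two sample lines are the ones quoted in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not code from the thread. Reads the access log named on the
# command line, or the sample lines under __DATA__ when no file is given
# (first two lines are from the post, last two are constructed).
my $in;
if (@ARGV) {
    open($in, '<', $ARGV[0]) or die "Cannot open $ARGV[0]: $!\n";
} else {
    $in = \*DATA;
}

my %hits;    # client IP => number of cmd.exe requests
while (my $line = <$in>) {
    # Client address at line start, then the quoted request line.
    # {1,3} (comma, not dash) is the repeat-count syntax.
    next unless $line =~ /^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "([^"]*)"/;
    my ($ip, $request) = ($1, $2);

    # Decode %XX escapes (twice, to cover double encoding such as %255c)
    # so an encoded "cmd.exe" in the path is still recognised.
    for (1 .. 2) {
        $request =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    }

    # Only count the line when the request really mentions cmd.exe.
    $hits{$ip}++ if $request =~ /cmd\.exe/i;
}
close($in);

# One line per source address, busiest first.
for my $ip (sort { $hits{$b} <=> $hits{$a} or $a cmp $b } keys %hits) {
    print "$ip\t$hits{$ip}\n";
}

__DATA__
24.150.82.42 - - [08/Dec/2002:08:47:46 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
24.150.82.42 - - [08/Dec/2002:08:47:51 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
192.0.2.10 - - [08/Dec/2002:08:50:02 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "-"
192.0.2.77 - - [08/Dec/2002:08:51:10 -0500] "GET /scripts/cmd%2eexe?/c+dir HTTP/1.0" 404 290 "-" "-"
```

Lines that do not parse as an access-log entry are skipped rather than printed, so a malformed line never produces an empty output row.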