To: FOCUS-LINUX
Subject: CodeRed EMAIL NOTIFIER script
Date: Tue Aug 14 2001 18:43:15
Author: < [EMAIL PROTECTED] >
Message-ID: <[EMAIL PROTECTED]>

Yes, it's simple, it just trims the domain of each gethostbyaddr()able IP and sends an information email to admin@domain and info@domain telling them a very short explanation of what is happening.

I know that, depending on which systems, it would be a massive mailing (think of SPAM) with devastating results... so, use it with care.

It can be optimized a lot... so, read the disclaimer at the top of the script (-:

bye

PS: I am open to constructive criticisms.

--
Xavi Torres <[EMAIL PROTECTED]>
Systems administration
Krypton Networks S.L.
http://www.kryptonetworks.com/
http://www.area66.com/

--8<------------8<------------8<-------------
#!/usr/bin/perl
#
# CodeRed httpd log analyzer and informer script,
# by XTR <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
# Note/disclaimer:
# it's ugly, I did it on 2 minutes with a joint on the other hand
# (-:
#
use strict;
use warnings;
use Socket;

# lets do some config.
# the httpd access log to look for the attacks.
my $f_access = "/var/log/httpd/access_log";
# the sendmail binary
my $sendmail = "/usr/sbin/sendmail";
# From: line at generated emails.
my $email_from = "admin\@very.worried.bout.security";

# remember which source IPs were already warned, so one infected
# machine hammering the log does not produce one mail per hit.
my %notified;

open(FACCESS, '<', $f_access) or die "cannot open $f_access: $!\n";
while (<FACCESS>) {
    # CodeRed probes the .ida ISAPI filter: GET /default.ida?NNNN... or XXXX...
    next unless /default\.ida\?/;
    chomp;
    my @lin = split(/ /, $_);
    my $ip  = $lin[0];                       # first field of the access_log line
    next if $notified{$ip}++;
    my $iaddr = inet_aton($ip) or next;
    my $hostname = gethostbyaddr($iaddr, AF_INET);
    next unless defined $hostname && $hostname ne "";
    # crude: keep the last two labels (wrong for names such as host.example.co.uk)
    my @ldom = split(/\./, $hostname);
    next if @ldom < 2;
    my $domain = join('.', @ldom[-2, -1]);
    print "Sending warning email to: admin\@$domain...\n";
    open(EMAIL, "|$sendmail -t") or die "cannot run $sendmail: $!\n";
    print EMAIL "From: $email_from\n";
    print EMAIL "To: admin\@$domain\n";
    print EMAIL "Cc: info\@$domain\n";
    print EMAIL "Subject: You have a CodeRed infected server.\n";
    print EMAIL "\n";   # blank line ends the headers; without it sendmail -t reads the body as headers
    print EMAIL "Hello,\n";
    print EMAIL "This is an automated email with the purpose of notifying you\n";
    print EMAIL "that the machine with IP $ip from your network sent us a\n";
    print EMAIL "CodeRed attack destined to our servers.\n";
    print EMAIL "It happened due to a Microsoft Internet Information Server\n";
    print EMAIL "security fault on that machine ($ip - $hostname).\n";
    print EMAIL "I recommend you to take the appropriate measures and get\n";
    print EMAIL "information at http://www.microsoft.com/ about how to fix\n";
    print EMAIL "the problem.\n";
    print EMAIL "Luck!\n";
    print EMAIL "\n";
    close(EMAIL);
}
close(FACCESS);
--8<------------8<------------8<-------------

Subscribers on 14/08/2001: 2266
Messages received since 07/01/1999: 127861
History and [un]subscription: http://linux-br.conectiva.com.br
Administrative matters and problems with the list: mailto:[EMAIL PROTECTED]
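An added example, in Python rather than Perl and not part of the original post or its script: it parses access_log lines in Common Log Format, counts the default.ida? probes per source IP (so a chatty infected host is reported once, not once per hit), and derives the domain to notify from a reverse-DNS name while handling the example.co.uk case that the script's last-two-labels rule gets wrong. The sample log lines and the SECOND_LEVEL suffix set are constructed assumptions, and nothing is mailed.

```python
import re
from collections import Counter

# Apache/NCSA Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+')
# Same request signature the Perl script keys on (the .ida ISAPI probe).
CODERED_MARK = "default.ida?"
# Constructed sample lines (RFC 5737 documentation addresses), not from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Aug/2001:18:01:02 +0200] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 404 312
198.51.100.7 - - [14/Aug/2001:18:01:05 +0200] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [14/Aug/2001:18:03:40 +0200] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 404 312
203.0.113.5 - - [14/Aug/2001:18:04:01 +0200] "GET /default.ida?XXXX HTTP/1.0" 404 312
garbage line that is not in CLF and must be skipped
"""
# Assumed heuristic for two-label public suffixes such as co.uk; a real
# deployment would consult the Public Suffix List instead.
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "edu"}

def parse_clf(line):
    """Fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def is_codered(path):
    """True when the request path carries the Code Red .ida probe."""
    return CODERED_MARK in path

def codered_sources(log_text):
    """Count Code Red probes per source IP, skipping unparseable lines."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_codered(rec["path"]):
            hits[rec["ip"]] += 1
    return hits

def contact_domain(hostname):
    """Domain to notify for a reverse-DNS name: keeps three labels for names
    like host.example.co.uk, where the script's last-two rule yields 'co.uk'."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])
```

Feed the counter the real access_log instead of SAMPLE_LOG and pass each source's reverse-DNS name through contact_domain to get one notification target per infected host.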
