
Re: code red goes on

after reading that "apparently" the latest code red attacks are coming from 
unsuspecting users of that ultimate computer virus, i decided to scan the 
access log file and send messages to the "best guess" person at the owner of 
the ip address (usually a dial-up provider).

i modified the script by "Karsten M. Self" <kmself@ix.netcom.com> and then 
input the output to a perl script to send to the appropriate person. first, 
the modified command from karsten:

# code.red.sh
# usage: ./code.red.sh access_log

# one pass per distinct source address (sort -u), not one per hit
for i in $(grep 'default\.ida' "$1" | awk '{print $1}' | sort -u)
do
	# every hit from that address, with the ?NNNN.../?XXXX... payload cut off
	# (the original greps on $a here, which is never set; it has to be $i)
	a=`grep -E "^$i " "$1" | sed -e 's/\(.*\)?.[NX].*/\1/' | awk '{print $1, $4, $5, $6, $7}'`
	# contact (RNAME) field of the SOA record that comes back for the reverse lookup
	b=`dig -x $i a | grep 'IN SOA' | awk '{print $6}'`
	echo $b $a
done

this created a line like

dns.deltacom.net. [02/Aug/2001:18:23:22 -0700] "GET 

given that the dns records aren't consistent from site to site, the contact 
name may require more search with "dig -x ip a", "dig -x ip soa", "dig -x ip", 
and whois. (out of the 79 code red hits i have gotten this month, 10 had no 
soa records of any kind, which strikes me as odd!). after manually checking 
the records (whilst changing the leading period to a '@' and removing the 
trailing period in the contact name (i.e., dns.deltacom.net. -> 

i then ran the following program which uses the above information:

#!/usr/bin/perl
use strict ;
use warnings ;
use File::Temp qw( tempfile ) ;   # POSIX::tmpnam() was removed in Perl 5.22; tempfile()
                                  # does the O_CREAT|O_EXCL creation the original did by hand

my $targetFile = "virushosts.sorted" ;
open( INPUT , "<" , $targetFile )
      or die "Unable to open $targetFile for reading: $! \n" ;
my $subject = "Code Red Virus Abuse" ;
my $text = "Subject: $subject\n\n"
   . "The following record snippet was detected in our web server logs. It would\n"
   . "appear that one of your dial-up users has been infected with the code red virus\n"
   . "and has not taken the appropriate actions to eliminate the problem. Please take\n"
   . "the appropriate action to alert the user to this breach of acceptable\n"
   . "behavior in the internet community.\n\n" ;
my $salutation = "\n\n--\nRegards\n<your name>" ;
my $program = "send" ;   # mailer that takes the file name and reads To:/Cc:/Bcc: from its headers
my $from = "<abuse email>\@<your domain>" ;
my $bcc  = "<your email>\@<your domain>" ;

while ( <INPUT> ) {
   chomp ;
   my @a = split ' ' ;
   next unless @a ;                               # skip blank lines
   my $recipient = $a[0] ;                        # first field: mailbox taken from the SOA record
   my $log = join( " " , @a[ 1 .. $#a ] ) . " " ; # the rest of the line: the log snippet

   my $message = "To: $recipient\nCc: $from\nBcc: $bcc\n" . $text . $log . $salutation ;

   # tempfile() creates the file atomically, so an existing file or symlink
   # of the same name can neither be overwritten nor followed
   my ( $fh , $name ) = tempfile() ;
   print $fh $message ;
   close( $fh ) ;
   print "Send to $recipient\n" ;
   system( $program , $name ) ;                   # list form: the name never passes through a shell
   unlink( $name ) or warn "Unable to unlink $name: $!\n" ;
}
close( INPUT ) ;
exit ;

you will need to change the lines with <your email>,  <abuse email>,  and 
<your domain> as appropriate. this will send out an email to the contact of 
the ip owner, cc'ing your abuse email contact, and bcc'ing a copy to the user 
in the bcc field. NOTE: the from field will contain the email address of the 
user running the program, not the abuse email address (unless they happen to 
be the same).

sequence of commands:

cd /usr/local/apache/logs
./code.red.sh access_log > virushosts
sort -o virushosts.sorted virushosts
vi virushosts.sorted #making changes noted above under code.red.sh

allen wayne best, esq
"your friendly neighborhood rambler owner"
"my rambler will go from 0 to 105"
Current date: 0:36:12::216:2001

"Is this foreplay?"
   "No, this is Nuke Strike.  Foreplay has lousy graphics.  Beat me again."
-- Duckert, in "Bad Rubber," Albedo #0 (comics)

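The same pipeline, written out as an added example in Python 3 rather than the shell and perl of the post above (this is not the poster's code). It parses Apache log lines for the default.ida probe, strips the payload after the '?', groups hits per source address so the contact lookup runs once per address, and converts an SOA RNAME into a mailbox the way the post describes (first dot to '@', trailing dot dropped), also unwrapping a backslash-escaped dot in the local part, which the post's manual edit would miss. The log lines and the contact table are constructed for the example; the table stands in for the "dig -x ip a | grep 'IN SOA'" step, and an address with no entry is what a lookup that returned no SOA looks like. The variant label follows the padding character: Code Red I probes carried N's, Code Red II probes X's.

```python
import re
from collections import defaultdict

# Apache common/combined log: host ident user [time] "method uri proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)'
)
# Code Red probe: GET /default.ida?NNNN... (Code Red I) or ?XXXX... (Code Red II),
# the same N/X distinction the post's sed expression keys on
CODERED_RE = re.compile(r'^/default\.ida\?(?P<pad>[NX])(?P=pad)*')

# Constructed sample log lines (payloads shortened); not taken from any real server.
SAMPLE_LOG = [
    '10.1.2.3 - - [02/Aug/2001:18:23:22 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 278',
    '10.1.2.3 - - [02/Aug/2001:18:41:07 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 278',
    '192.0.2.77 - - [03/Aug/2001:01:02:03 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 278',
    '198.51.100.9 - - [03/Aug/2001:04:05:06 -0700] "GET /index.html HTTP/1.0" 200 1234',
    '203.0.113.5 - - [03/Aug/2001:07:08:09 -0700] "GET /default.ida?NNNN HTTP/1.0" 404 278',
]

# Constructed stand-in for the dig -x step: source IP -> RNAME field of the SOA record.
# 203.0.113.5 is deliberately absent (no SOA record came back for it).
SAMPLE_CONTACTS = {
    '10.1.2.3': 'dns.deltacom.net.',             # the RNAME shown in the post
    '192.0.2.77': 'abuse\\.desk.example.net.',   # escaped dot inside the local part
}


def parse_hit(line):
    """Return (ip, '[time]', '"GET /default.ida"', variant) for a Code Red probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    c = CODERED_RE.match(m.group('uri'))
    if not c:
        return None
    variant = 'CodeRed-I' if c.group('pad') == 'N' else 'CodeRed-II'
    # drop the payload after '?', as the post's sed expression does
    request = '"%s %s"' % (m.group('method'), m.group('uri').split('?', 1)[0])
    return m.group('host'), '[%s]' % m.group('time'), request, variant


def hits_by_source(lines):
    """Group probes by source IP (one contact lookup per address instead of one per hit)."""
    grouped = defaultdict(list)
    for line in lines:
        hit = parse_hit(line)
        if hit:
            grouped[hit[0]].append(hit[1:])
    return dict(grouped)


def rname_to_email(rname):
    """SOA RNAME -> mailbox: first unescaped '.' becomes '@', trailing '.' is dropped,
    a backslash-escaped '.' is kept literally (RFC 1035). None when there is no domain part."""
    name = rname[:-1] if rname.endswith('.') else rname
    local = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == '\\' and i + 1 < len(name):
            local.append(name[i + 1])          # escaped character, kept as-is
            i += 2
            continue
        if ch == '.':
            return ''.join(local) + '@' + name[i + 1:]
        local.append(ch)
        i += 1
    return None


def report_lines(lines, contacts):
    """One line per probe: 'mailbox ip [time] "request" variant' (the post's 'echo $b $a')."""
    rows = []
    for ip, hits in hits_by_source(lines).items():
        mailbox = rname_to_email(contacts.get(ip, '.')) or 'UNKNOWN'
        for when, request, variant in hits:
            rows.append('%s %s %s %s %s' % (mailbox, ip, when, request, variant))
    return rows


if __name__ == '__main__':
    for row in report_lines(SAMPLE_LOG, SAMPLE_CONTACTS):
        print(row)
```

The UNKNOWN rows are the ones the post says need a second look with "dig -x ip soa" or whois before anything is mailed; the report is meant to be reviewed, not fed straight into the mailer, since the mailbox comes from a record the remote side controls.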