Re: code red goes on
after reading that "apparently" the latest code red attacks are coming from
unsuspecting users of that ultimate computer virus, i decided to scan the
access log file and send messages to the "best guess" person at the owner of
the ip address (usually a dial-up provider).
i modified the script by "Karsten M. Self" <kmself@ix.netcom.com> and then
input the output to a perl script to send to the appropriate person. first,
the modified command from karsten:
#!/bin/sh
# code.red.sh - for every client that requested default.ida in the access log
# named as $1, print "<soa contact> <client> <timestamp> <method> <path>"
for i in $(grep 'default\.ida' "$1" | awk '{print $1}' | sort -u)
do
    # extended regex: this client address somewhere before a default.ida request
    a="(.*)$i(.*)default\\.ida"
    # keep everything up to the '?' of the request, then the client, timestamp, method and path fields
    a=$(grep -E "$a" "$1" | sed -e 's/\(.*\)?.[NX].*/\1/' | awk '{print $1, $4, $5, $6, $7}')
    # reverse lookup; the SOA record in the answer carries the responsible mailbox in field 6
    b=$(dig -x "$i" a | grep 'IN SOA' | awk '{print $6}')
    # $a is left unquoted on purpose: several hits from one client are joined onto one line
    echo "$b" $a
done
this created a line like
dns.deltacom.net. 209.192.99.162 [02/Aug/2001:18:23:22 -0700] "GET /default.ida
given that the dns records aren't consistent from site to site, the contact
name may require more search with "dig -x ip a", "dig -x ip soa", "dig -x ip",
and whois. (out of the 79 code red hits i have gotten this month, 10 had no
soa records of any kind, which strikes me as odd!) after manually checking
the records (whilst changing the leading period to a '@' and removing the
trailing period in the contact name (i.e., dns.deltacom.net. ->
dns@deltacom.net)), i then ran the following program which uses the above
information:
#!/usr/bin/perl
# codered.pl - mail each contact listed in virushosts.sorted the log snippet for their address
use strict ;
use warnings ;
use IO::File ;
use File::Temp qw( tempfile ) ;   # replaces POSIX::tmpnam, which newer perls no longer ship

my $targetFile = "virushosts.sorted" ;
open( INPUT , "<$targetFile" )
    or die "Unable to open $targetFile for reading: $! \n" ;
my $subject = "Code Red Virus Abuse" ;
my $text = "Subject: $subject\n\n"
    . "The following record snippet was detected in our web server logs. It would\n"
    . "appear that one of your dial-up users has been infected with the code red virus\n"
    . "and has not taken the appropriate actions to eliminate the problem. Please take\n"
    . "the appropriate action to alert the user to this breach of acceptable\n"
    . "behavior in the internet community.\n\n" ;
my $salutation = "\n\n--\nRegards\n<your name>" ;
my $program = "send" ;                  # local command that mails the message file named as its argument
my $from = "<abuse email>\@<your domain>" ;
my $bcc = "<your email>\@<your domain>" ;
while (<INPUT>)
{
    chomp ;
    my @a = split ' ' ;
    next unless @a ;                    # skip blank lines
    my $recipient = $a[0] ;             # first field: the contact address
    my $log = join( " ", @a[1..$#a] ) . " " ;   # the rest of the line: the log snippet
    my $message = "To: $recipient\nCc: $from\nBcc: $bcc\n" . $text . $log . $salutation ;
    # write the message to a uniquely named temporary file for the mailer
    my ( $fh, $name ) = tempfile( "codered.XXXXXX", TMPDIR => 1 ) ;
    print $fh $message ;
    $fh->close ;
    print "Send to $recipient\n" ;
    system( $program, $name ) == 0
        or warn "$program exited with status " . ( $? >> 8 ) . " for $recipient\n" ;
    unlink( $name ) or warn "Unable to unlink $name: $!\n" ;
}
close( INPUT ) ;
exit ;
you will need to change the lines with <your email>, <abuse email>, and
<your domain> as appropriate. this will send out an email to the contact of
the ip owner, cc'ing your abuse email contact, and bcc'ing a copy to the user
in the bcc field. NOTE: the from field will contain the email address of the
user running the program, not the abuse email address (unless they happen to
be the same).
sequence of commands:
cd /usr/local/apache/logs
./code.red.sh access_log > virushosts
sort -o virushosts.sorted virushosts
vi virushosts.sorted #making changes noted above under code.red.sh
./codered.pl
--
regards,
allen wayne best, esq
"your friendly neighborhood rambler owner"
"my rambler will go from 0 to 105"
Current date: 0:36:12::216:2001
"Is this foreplay?"
"No, this is Nuke Strike. Foreplay has lousy graphics. Beat me again."
-- Duckert, in "Bad Rubber," Albedo #0 (comics)
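An added example, not part of Allen's post: the log-scanning step of his pipeline redone in Python so it can be checked offline. It parses Apache common/combined log lines, recognises the Code Red probe (a request for /default.ida? padded with a long run of N for CRv1/CRv2 or X for Code Red II), aggregates hits per source address instead of printing one line per log entry, and converts an SOA RNAME into the mailbox the post edits by hand (dns.deltacom.net. -> dns@deltacom.net), including the RFC 1035 "\." escape for a dot inside the local part. The sample log lines and the ip-to-RNAME table are constructed; in the post that table comes from dig -x, which this example does not call.

```python
"""Offline version of code.red.sh: find Code Red probes in an Apache access log,
aggregate them per client, and build the notification line. Sample data is constructed."""
import re
from collections import OrderedDict

# Apache common/combined log prefix: client ident user [timestamp] "METHOD PATH PROTO"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?"'
)
# Code Red's probe: /default.ida? followed by a run of N (CRv1/CRv2) or X (Code Red II)
CODERED_RE = re.compile(r'^/default\.ida\?(?P<pad>[NX]{2,})')


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the padding character ('N' or 'X') of a Code Red probe, else None."""
    m = CODERED_RE.match(path)
    return m.group('pad')[0] if m else None


def scan(lines):
    """Aggregate Code Red hits per client: count, first/last timestamp, variants seen.
    One entry per client, where the shell script prints one line per log entry."""
    hits = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pad = classify(rec['path'])
        if pad is None:
            continue
        entry = hits.setdefault(rec['ip'], {'count': 0, 'first': rec['time'],
                                            'last': rec['time'], 'variants': set()})
        entry['count'] += 1
        entry['last'] = rec['time']
        entry['variants'].add(pad)
    return hits


def rname_to_mailbox(rname):
    """Turn an SOA RNAME ('dns.deltacom.net.') into a mailbox ('dns@deltacom.net').
    RFC 1035 writes a dot inside the local part as '\\.', so split on the first unescaped dot."""
    name = rname.rstrip('.')
    i = 0
    while i < len(name):
        if name[i] == '\\':
            i += 2          # skip the escaped character
            continue
        if name[i] == '.':
            local = name[:i].replace('\\.', '.')
            return f'{local}@{name[i + 1:]}'
        i += 1
    return None             # no dot at all: not a usable mailbox


def report(hits, contacts):
    """One line per offending client: contact, address, first seen, hit count, variants.
    `contacts` maps client address -> SOA RNAME (what the post gets from dig -x)."""
    lines = []
    for ip, e in hits.items():
        mailbox = rname_to_mailbox(contacts.get(ip, '')) or 'NO-SOA-CONTACT'
        lines.append(f"{mailbox} {ip} [{e['first']}] hits={e['count']} "
                     f"variants={''.join(sorted(e['variants']))}")
    return lines


# Constructed sample log lines (not from the post's server); the %u tail is the
# well-known start of the probe's encoded payload, truncated.
SAMPLE_LOG = [
    '209.192.99.162 - - [02/Aug/2001:18:23:22 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 275',
    '209.192.99.162 - - [02/Aug/2001:19:01:05 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 275',
    '198.51.100.7 - - [03/Aug/2001:02:10:44 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 275',
    '203.0.113.9 - - [03/Aug/2001:02:11:00 -0700] "GET /index.html HTTP/1.0" 200 1043',
    'garbage line that does not parse',
]
# Constructed stand-ins for the RNAME field of `dig -x <ip>`; 198.51.100.7 is left out
# on purpose, mirroring the post's hits that had no SOA record at all.
SAMPLE_CONTACTS = {
    '209.192.99.162': 'dns.deltacom.net.',
}

if __name__ == '__main__':
    for line in report(scan(SAMPLE_LOG), SAMPLE_CONTACTS):
        print(line)
```

A client that only shows up as NO-SOA-CONTACT is exactly the case the post describes as needing a manual dig or whois; keeping those on a separate line makes them easy to pick out before the mail step runs.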