
RE: [cobalt-users] Nimba scanner shell script



I've tried your script and got a result of 20 scans from 10 different IP
addresses.

Does the script indicate specifically Nimda worm scans, or just a number of
scans that could be anything?

Regards,

Larkin Cunningham

> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Glen Scott
> Sent: 19 September 2001 10:59
> To: cobalt-security@xxxxxxxxxxxxxxx; cobalt-users@xxxxxxxxxxxxxxx
> Subject: [cobalt-users] Nimba scanner shell script
>
>
> Hi,
>
> For those of you that are interested in seeing just how many scans
> you are getting from the Nimda worm, try running this script as root:
>
> -- start of script --
>
> #!/bin/sh
> # glen scott/design solution 2001 <glen@xxxxxxxxxxxxxxxxxxxx>
>
> echo "Nimba worm scanner..."
>
> #count individual scans:
> INDIVIDUAL_SCANS=`cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | wc -l`
>
> #show source ip:
> #cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | cut -d ' ' -f2 | sort | uniq
>
> #count unique source ips:
> UNIQUE=`cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | cut -d ' ' -f2 | sort | uniq | wc -l`
>
> echo "We have received $INDIVIDUAL_SCANS scans from $UNIQUE different IP addresses"
>
> -- end of script --
>
> Uncomment the line below '# show source ip' to get a list of every
> unique source IP address.
>
> Have fun,
>
> Glen Scott
>
> --
> ---
>    Design Solution Limited
>    t: +44 (0)1502 513008
>    f: +44 (0)1502 588622
>    e: info@xxxxxxxxxxxxxxxxxxxx
>    w: http://www.designsolution.co.uk
>    Nouvotech House, Harbour Road,
>    Oulton Broad, Suffolk, NR32 3LZ, UK
> ---
> DS Knowledge Base http://faq.dessol.co.uk
>
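
An added example, not part of either message above: a per-source tally that counts only log lines containing the exact request string the quoted script greps for, using a literal substring match so `.`, `?` and `+` are not treated as pattern characters. The function names and the sample log lines are constructed for illustration, and the log layout (source IP in field 2, as the script's `cut -f2` implies) is an assumption.

```shell
#!/bin/sh
# Added example; the signature string is the one used in the quoted script.
SIG='/scripts/root.exe?/c+dir'

# nimda_hits LOGFILE [IPFIELD]: print "<count> <ip>" per source, busiest first.
# IPFIELD defaults to 2 (assumed layout: virtual host name in field 1).
nimda_hits() {
    log=$1; field=${2:-2}
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 1; }
    # index() is a literal substring test, unlike grep's default regex match.
    awk -v sig="$SIG" -v f="$field" '
        index($0, sig) { n[$f]++ }
        END { for (ip in n) print n[ip], ip }' "$log" | sort -k1,1nr -k2,2
}

# nimda_summary LOGFILE [IPFIELD]: print "<total scans> <unique source IPs>".
nimda_summary() {
    hits=$(nimda_hits "$@") || return 1
    printf '%s\n' "$hits" | awk 'NF { t += $1; u++ } END { print t + 0, u + 0 }'
}

# Constructed sample log: three matching requests from two sources, one
# ordinary request, and one near-miss that a regex '.' would also match.
write_sample_log() {
    cat > "$1" <<'EOF'
www.example.com 192.0.2.10 - - [19/Sep/2001:09:01:12 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
www.example.com 192.0.2.10 - - [19/Sep/2001:09:01:13 +0100] "GET /index.html HTTP/1.0" 200 1042
www.example.com 198.51.100.7 - - [19/Sep/2001:09:04:40 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
www.example.com 192.0.2.10 - - [19/Sep/2001:09:07:02 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
www.example.com 203.0.113.5 - - [19/Sep/2001:09:09:30 +0100] "GET /scripts/rootXexe?/c+dir HTTP/1.0" 404 283
EOF
}

# Demo run on the constructed log.
tmp=$(mktemp) && write_sample_log "$tmp" && nimda_hits "$tmp" && nimda_summary "$tmp"
rm -f "$tmp"
```

To run it against a real log, call `nimda_hits /var/log/httpd/access` and pass a different field number as the second argument if the source address is not in field 2.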