
Re: [cobalt-users] Nimba scanner shell script



On 19.9.2001 14:38, Larkin Cunningham at lcunningham@xxxxxxxxxxxxx wrote:

> I've tried your script and got a result of 20 scans from 10 different IP
> addresses.
> 
> Does the script indicate specifically Nimda worm scans or just a number of
> scans that could be anything?
> 

>> Hi,
>> 
>> For those of you that are interested in seeing just how many scans
>> you are getting from the Nimda worm, try running this script as root:
>> 
>> -- start of script --
>> 
>> #!/bin/sh
>> # glen scott/design solution 2001 <glen@xxxxxxxxxxxxxxxxxxxx>
>> 
>> echo "Nimba worm scanner..."
>> 
>> #count individual scans:
>> INDIVIDUAL_SCANS=`cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | wc -l`
>> 
>> #show source ip:
>> #cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | cut -d ' ' -f2 | sort | uniq
>> 
>> #count unique source ips:
>> UNIQUE=`cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | cut -d ' ' -f2 | sort | uniq | wc -l`
>> 
>> echo "We have received $INDIVIDUAL_SCANS scans from $UNIQUE different IP addresses"
>> 
>> -- end of script --
>> 
>> Uncomment the line below '# show source ip' to get a list of every
>> unique source IP address.
>> 
>> Have fun,

Hi Larkin,
As you can see, the grep is being made for the following string,
/scripts/root.exe?/c+dir, so if that bit is part of the Nimda HTTP request
string then you can more or less say that you specifically target the Nimda
traces.

=======================================================================

Marco Baurdoux
Unix Administrator
Infomaniak Network SA
Avenue de la Praille 26
1227 Carouge
Switzerland
Tel: +41 (0)22 820 35 41
Fax: +41 (0)22 820 35 46
http://web.infomaniak.ch

Linux/Unix is very user friendly,
it's just very picky about who its friends are !!!

=======================================================================
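
The matching discussed in this thread, as an added example that is not part of the original posts: it counts requests containing the quoted string in a single pass, matches it literally rather than as a regular expression, and lists hits per source address. The function names, the sample log lines and the assumption that the client address is the second field (as in the script's `cut -f2`) are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): one-pass count of requests that
# contain the string the original script greps for.

PATTERN='/scripts/root.exe?/c+dir'   # request string quoted in the thread

# scan_sources LOGFILE [IP_FIELD] -> "<hits> <ip>" lines, busiest first.
# IP_FIELD defaults to 2 like the original `cut -f2` (assumption: each
# line starts with the virtual host name, followed by the client address).
scan_sources() {
    awk -v pat="$PATTERN" -v f="${2:-2}" '
        index($0, pat) { hits[$f]++ }      # literal substring, not a regex
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# scan_summary LOGFILE [IP_FIELD] -> "<total scans> <unique sources>"
scan_summary() {
    scan_sources "$@" | awk '{ t += $1 } END { printf "%d %d\n", t, NR }'
}

# Constructed sample log; addresses come from documentation ranges.
# The last line differs by one character: grep's regex "." would match it,
# the literal comparison above does not.
write_sample_log() {
    cat > "$1" <<'EOF'
www.example.com 192.0.2.10 - - [19/Sep/2001:14:01:02 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
www.example.com 192.0.2.10 - - [19/Sep/2001:14:01:09 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
shop.example.com 198.51.100.7 - - [19/Sep/2001:14:03:40 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
www.example.com 203.0.113.5 - - [19/Sep/2001:14:04:11 +0200] "GET /index.html HTTP/1.0" 200 1024
www.example.com 203.0.113.5 - - [19/Sep/2001:14:04:15 +0200] "GET /scripts/rootXexe?/c+dir HTTP/1.0" 404 285
EOF
}

# Run against the log given as $1, or against the constructed sample.
log=${1:-}; tmp=
if [ -z "$log" ]; then tmp=$(mktemp); write_sample_log "$tmp"; log=$tmp; fi
scan_summary "$log"
scan_sources "$log"
if [ -n "$tmp" ]; then rm -f "$tmp"; fi
```

A count produced this way still only says how many requests carried that one string; whether they came from the worm depends, as the reply above puts it, on that string being part of its request.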