
Re: [cobalt-users] Nimba scanner shell script



----- Original Message -----
From: "Marco Baurdoux" <linux@xxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: September 19, 2001 4:03 PM
Subject: Re: [cobalt-users] Nimba scanner shell script


> On 19.9.2001 14:38, Larkin Cunningham at lcunningham@xxxxxxxxxxxxx wrote:
>
> > I've tried your script and got a result of 20 scans from 10 different IP
> > addresses.
> >
> > Does the script indicate specifically Nimda worm scans, or just a number
> > of scans that could be anything?
> >
>
> >> Hi,
> >>
> >> For those of you that are interested in seeing just how many scans
> >> you are getting from the Nimda worm, try running this script as root:
> >>
> >> -- start of script --
> >>
> >> #!/bin/sh
> >> # glen scott/design solution 2001 <glen@xxxxxxxxxxxxxxxxxxxx>
> >>
> >> echo "Nimda worm scanner..."
> >>
> >> #count individual scans:
> >> INDIVIDUAL_SCANS=`grep '/scripts/root.exe?/c+dir' /var/log/httpd/access | wc -l`
> >>
> >> #show source ip (the source address is field 2 of the access log on this server):
> >> #grep '/scripts/root.exe?/c+dir' /var/log/httpd/access | cut -d ' ' -f2 | sort | uniq
> >>
> >> #count unique source ips:
> >> UNIQUE=`grep '/scripts/root.exe?/c+dir' /var/log/httpd/access | cut -d ' ' -f2 | sort | uniq | wc -l`
> >>
> >> echo "We have received $INDIVIDUAL_SCANS scans from $UNIQUE different IP addresses"
> >>
> >> -- end of script --
> >>
> >> Uncomment the line below '# show source ip' to get a list of every
> >> unique source IP address.
> >>
> >> Have fun,
>
> Hi Larkin,
> As you can see, the grep is for the following string,
> /scripts/root.exe?/c+dir, so if that bit is part of the Nimda HTTP request
> string then you can more or less say that you specifically target the Nimda
> traces.
>
> =======================================================================
>
> Marco Baurdoux
> Unix Administrator
> Infomaniak Network SA
> Avenue de la Praille 26
> 1227 Carouge
> Switzerland
> Tel: +41 (0)22 820 35 41
> Fax: +41 (0)22 820 35 46
> http://web.infomaniak.ch
>
> Linux/Unix is very user friendly,
> it's just very picky about who its friends are !!!
>
> =======================================================================
>
>
Also, doesn't it look for cmd.exe as well? Since I was under that
impression when I ran the script, I made an addendum to it. Hope you don't
mind. 8)

#!/bin/sh
# glen scott/design solution 2001 <glen@xxxxxxxxxxxxxxxxxxxx>

echo "Nimda worm scanner..."
echo "Checking for root.exe and cmd.exe entries..."

#count individual scans (the *1 variables hold cmd.exe, the *2 variables root.exe):
INDIVIDUAL_SCANS1=`grep 'cmd.exe' /var/log/httpd/access | wc -l`
INDIVIDUAL_SCANS2=`grep 'root.exe' /var/log/httpd/access | wc -l`

#show source ip (the source address is field 2 of the access log on this server):
#grep '/scripts/root.exe?/c+dir' /var/log/httpd/access | cut -d ' ' -f2 | sort | uniq

#count unique source ips:
UNIQUE1=`grep 'cmd.exe' /var/log/httpd/access | cut -d ' ' -f2 | sort | uniq | wc -l`
UNIQUE2=`grep 'root.exe' /var/log/httpd/access | cut -d ' ' -f2 | sort | uniq | wc -l`

echo "We have received $INDIVIDUAL_SCANS1 scans for cmd.exe from $UNIQUE1 different IP addresses"
echo "We have received $INDIVIDUAL_SCANS2 scans for root.exe from $UNIQUE2 different IP addresses"

Thanks,

Rich
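
A fuller version of the same check, added here as an example and not code from Glen, Marco or Rich. It runs over a few constructed log lines in NCSA common log format, where the client address is field 1; the scripts in the thread cut field 2, presumably because of the LogFormat on those Cobalt servers, so the field is made adjustable through CLIENT_FIELD. The two request strings the thread discusses are matched with grep -F, so the '.' in cmd.exe and root.exe is a literal dot rather than the any-character wildcard it is in the unanchored greps above, and '/c+dir' has to be present as well. The loose 'cmd.exe' regex is kept as a separate function so the false positive it produces on the sample is visible side by side. The sample paths, temporary file name and function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the script from the thread: count Nimda-style probes in
# an Apache access log and tally them per source IP.
#
# Assumes NCSA common log format, so the client address is field 1. The
# scripts in the thread cut field 2, which presumably fits the LogFormat on
# those Cobalt servers; run with CLIENT_FIELD=2 if your log is laid out that way.
CLIENT_FIELD=${CLIENT_FIELD:-1}

# Only log lines whose request contains one of the probe strings the thread
# discusses. grep -F matches them literally, so '.' and '?' are not regex
# metacharacters here and '/c+dir' is required, not just 'cmd.exe'.
nimda_lines() {
    grep -F -e 'root.exe?/c+dir' -e 'cmd.exe?/c+dir' -- "$1"
}

# Number of probe lines. awk prints 0 for an empty pipeline, whereas grep -c
# exits 1 when nothing matches, which trips up scripts running under set -e.
count_probes() {
    nimda_lines "$1" | awk 'END { print NR }'
}

# Lines matching one literal probe string.
count_pattern() {
    grep -F -e "$2" -- "$1" | awk 'END { print NR }'
}

# The thread's unanchored regex count, kept for comparison: with 'cmd.exe'
# the '.' matches any character, so a URL like /help/cmd-exe.html is counted.
count_loose() {
    grep -e "$2" -- "$1" | awk 'END { print NR }'
}

# "count ip" per source address, busiest first.
probes_per_ip() {
    nimda_lines "$1" |
        awk -v f="$CLIENT_FIELD" '{ n[$f]++ } END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

count_unique_ips() {
    probes_per_ip "$1" | awk 'END { print NR }'
}

report() {
    echo "Nimda worm scanner..."
    for p in 'root.exe?/c+dir' 'cmd.exe?/c+dir'; do
        echo "$(count_pattern "$1" "$p") requests for $p"
    done
    echo "We have received $(count_probes "$1") probes from $(count_unique_ips "$1") different IP addresses:"
    probes_per_ip "$1"
}

# Constructed sample log (not real traffic): three probing hosts, one normal
# request, and one request that only the loose 'cmd.exe' regex matches.
make_sample_log() {
    f=$(mktemp "${TMPDIR:-/tmp}/nimda.XXXXXX")
    cat >"$f" <<'EOF'
10.0.0.1 - - [19/Sep/2001:10:01:02 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.1 - - [19/Sep/2001:10:01:03 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.2 - - [19/Sep/2001:10:02:00 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.3 - - [19/Sep/2001:10:03:00 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.4 - - [19/Sep/2001:10:04:00 +0100] "GET /index.html HTTP/1.0" 200 1234
10.0.0.5 - - [19/Sep/2001:10:05:00 +0100] "GET /help/cmd-exe.html HTTP/1.0" 200 512
EOF
    echo "$f"
}

LOG=$(make_sample_log)
report "$LOG"
rm -f "$LOG"
```

On the sample, the two literal patterns give 2 hits each from 3 distinct addresses, while the loose 'cmd.exe' regex reports 3 hits because the /help/cmd-exe.html line is counted too. Point the functions at /var/log/httpd/access (or whatever your Apache writes) to run it on real traffic.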