Re: [cobalt-users] Nimba scanner shell script
- Subject: Re: [cobalt-users] Nimba scanner shell script
- From: "William Moore" <bmoore@xxxxxxxxxxxxxxxxx>
- Date: Wed Sep 19 12:02:13 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
----- Original Message -----
From: "Rich LaBo" <rlabo@xxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Wednesday, September 19, 2001 4:06 PM
Subject: Re: [cobalt-users] Nimba scanner shell script
> Also, doesn't it look for cmd.exe as well? Since I was under that
> impression when I ran the script, I made an addendum to it. Hope you don't
> mind. 8)
>
> #!/bin/sh
> # glen scott/design solution 2001 <glen@xxxxxxxxxxxxxxxxxxxx>
>
> echo "Nimba worm scanner..."
> echo "Checking for root.exe and cmd.exe entries..."
>
> #count individual scans (1 = root.exe, 2 = cmd.exe, matching the echo lines below):
> INDIVIDUAL_SCANS1=`cat /var/log/httpd/access | grep 'root.exe' | wc -l`
> INDIVIDUAL_SCANS2=`cat /var/log/httpd/access | grep 'cmd.exe' | wc -l`
>
> #show source ip:
> #cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | cut -d ' ' -f2 | sort | uniq
>
> #count unique source ips:
> UNIQUE1=`cat /var/log/httpd/access | grep 'root.exe' | cut -d ' ' -f2 | sort | uniq | wc -l`
> UNIQUE2=`cat /var/log/httpd/access | grep 'cmd.exe' | cut -d ' ' -f2 | sort | uniq | wc -l`
>
> echo "We have received $INDIVIDUAL_SCANS1 scans for root.exe from $UNIQUE1 different IP addresses"
> echo "We have received $INDIVIDUAL_SCANS2 scans for cmd.exe from $UNIQUE2 different IP addresses"
>
> Thanks,
>
> Rich
>
After running this script I found that one of my machines had this to report.
Nimba worm scanner...
Checking for root.exe and cmd.exe entries...
We have received 19085 scans for root.exe from 374 different IP addresses
We have received 5545 scans for cmd.exe from 457 different IP addresses
OUCH !
I have 6 other machines on 5 other Class C's !!
Bill
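
The same tally done in one pass over the log, as an added example that is not part of the original thread: it matches the two filenames literally (so "." is not a wildcard) and counts distinct source addresses per filename. The function name, the field-number argument and the sample log lines are assumptions; the log lines are constructed and use documentation-range addresses.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumption: the client IP is the 2nd whitespace-separated field, as in the
# thread's `cut -d ' ' -f2`; pass another field number as the 2nd argument.

# Usage: nimda_summary LOGFILE [IP_FIELD]
# Prints one line per filename: "<name> <requests> <distinct sources>"
nimda_summary() {
    awk -v f="${2:-2}" '
        function tally(name) {
            hits[name]++
            # count each (filename, source) pair only the first time it is seen
            if (!seen[name, $f]++) ips[name]++
        }
        # index() is a literal substring test, unlike grep with an unescaped "."
        index($0, "root.exe") { tally("root.exe") }
        index($0, "cmd.exe")  { tally("cmd.exe") }
        END {
            printf "root.exe %d %d\n", hits["root.exe"], ips["root.exe"]
            printf "cmd.exe %d %d\n",  hits["cmd.exe"],  ips["cmd.exe"]
        }
    ' "$1"
}

# Constructed sample log (virtual host first, client IP second).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
www.example.com 192.0.2.10 - - [19/Sep/2001:12:00:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
www.example.com 192.0.2.10 - - [19/Sep/2001:12:00:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283
www.example.com 192.0.2.10 - - [19/Sep/2001:12:00:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
www.example.com 198.51.100.7 - - [19/Sep/2001:12:01:10 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
www.example.com 198.51.100.7 - - [19/Sep/2001:12:01:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
www.example.com 203.0.113.5 - - [19/Sep/2001:12:02:00 -0400] "GET /index.html HTTP/1.0" 200 1024
www.example.com 203.0.113.5 - - [19/Sep/2001:12:02:05 -0400] "GET /cmdXexe.html HTTP/1.0" 404 280
EOF

nimda_summary "$sample"
```
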