Re: [cobalt-users] Nimba scanner shell script
- Subject: Re: [cobalt-users] Nimba scanner shell script
- From: Greg Hewitt-Long <greg@xxxxxxxxxxxxxxxxxxx>
- Date: Wed Sep 19 13:34:11 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>On 19.9.2001 14:38, Larkin Cunningham at lcunningham@xxxxxxxxxxxxx wrote:
>
>> I've tried your script and got a result of 20 scans from 10 different IP
>> addresses.
>>
>> Does the script indicate specifically Nimda worm scans, or just a number of
>> scans that could be anything?
>>
>
>>> Hi,
>>>
>>> For those of you that are interested in seeing just how many scans
>>> you are getting from the Nimda worm, try running this script as root:
>>>
>>> -- start of script --
What about the cmd.exe scans, of which there are MANY more than the root.exe HTTP requests?
Try this script, modified from the original I wrote to count new and old Code Red scans:
#!/bin/sh
# CGI: count Nimda (root.exe / cmd.exe) requests in the web server access log
# and keep a running history so that log rotation does not lose old hits.
echo "Content-type: text/html"
echo ""   # the blank line ends the CGI headers; without it Apache returns a server error
echo "<H1>Getting NIMDA Data...</H1>"
# simple lock so two concurrent requests do not clobber the history file
if [ -f "/tmp/nimda_lock.txt" ]
then
echo "NIMDA counts in progress - please try again in a few minutes<BR><BR>
<A HREF=\"$SCRIPT_URI\">Click HERE to retry</A>"
exit 0
fi
touch /tmp/nimda_lock.txt
trap 'rm -f /tmp/nimda_lock.txt' EXIT   # drop the lock even if the script dies part way
touch nimda_history.txt                  # first run: the history file does not exist yet
egrep 'root.exe|cmd.exe' /home/log/hpd/access > ./nimda_now.txt
# merge the new hits into the history, keeping one copy of each identical line
cat nimda_now.txt nimda_history.txt | sort -u > ./nimda_unique.txt
cat nimda_unique.txt > nimda_history.txt
echo "<P><TABLE BORDER=0><TR><TD>
Count of NIMDA Attacks:
</TD><TD>
`wc -l < nimda_history.txt`
</TD></TR>"
# field 2 of the Cobalt access log is the client IP: hits per IP, busiest first
cut -d ' ' -f2 nimda_history.txt | sort | uniq -c | sort -r -n > nimda_count.txt
echo "<TR><TD>
Count of Old (\"root.exe\") NIMDA Attacks:
</TD><TD>`grep -c 'root.exe' nimda_history.txt`</TD></TR>
<TR><TD>Count of NEW (\"cmd.exe\") NIMDA Attacks:</TD><TD>
`grep -c 'cmd.exe' nimda_history.txt`</TD></TR>
<TR><TD>Unique IPs issuing NIMDA Attacks:</TD><TD>
`wc -l < nimda_count.txt`</TD></TR></TABLE></P>"
# note: these files are written into cgi-bin and linked below, so anyone who
# can reach the server can read the attacking IPs and the raw log lines
echo "<P><A HREF=\"/cgi-bin/nimda_count.txt\">Here are the counts by
originating IP</A></P>"
echo "<P><A HREF=\"/cgi-bin/nimda_history.txt\">Here are the Hits
themselves - <BR><pre>`ls -l nimda_history.txt`</pre></A></P>"
rm -f /tmp/nimda_lock.txt
exit 0
> >>
>>> #!/bin/sh
>>> # glen scott/design solution 2001 <glen@xxxxxxxxxxxxxxxxxxxx>
>>>
>>> echo "Nimba worm scanner..."
>>>
>>> #count individual scans:
>>> INDIVIDUAL_SCANS=`cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | wc -l`
>>>
>>> #show source ip (field 2 of the Cobalt access log is the client IP):
>>> #cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | cut -d ' ' -f2 | sort | uniq
>>>
>>> #count unique source ips:
>>> UNIQUE=`cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' | cut -d ' ' -f2 | sort | uniq | wc -l`
>>>
>>> echo "We have received $INDIVIDUAL_SCANS scans from $UNIQUE different IP addresses"
>>>
>>> -- end of script --
>>>
>>> Uncomment the line below '# show source ip' to get a list of every
>>> unique source IP address.
>>>
>>> Have fun,
>
>Hi Larkin,
>As you can see, the grep is being made for the following string:
>/scripts/root.exe?/c+dir. So if that bit is part of the Nimda HTTP request
>string, then you can more or less say that you specifically target the Nimda
>traces.
>
>=======================================================================
>
>Marco Baurdoux
>Unix Administrator
>Infomaniak Network SA
>Avenue de la Praille 26
>1227 Carouge
>Switzerland
>Tel: +41 (0)22 820 35 41
>Fax: +41 (0)22 820 35 46
>http://web.infomaniak.ch
>
>Linux/Unix is very user friendly,
>it's just very picky about who its friends are !!!
>
>=======================================================================
>
>
>
>_______________________________________________
>cobalt-users mailing list
>cobalt-users@xxxxxxxxxxxxxxx
>To Subscribe or Unsubscribe, please go to:
>http://list.cobalt.com/mailman/listinfo/cobalt-users
--
http://www.webyourbusiness.com/
Providers of E-Commerce Software &
Web Design Consultancy and Services.
PH: (970)266-0195 FAX: (970)266-0158
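The counting both scripts in this thread do (total hits, old root.exe versus new cmd.exe probes, unique source IPs, a history file merged with sort -u) is easy to get subtly wrong with grep and cut, so here is the same analysis as an added Python example. It is not Greg's or Glen's script and nothing from the cobalt-users list. It assumes Apache's Common Log Format with the client IP in the first field (both Cobalt scripts cut field 2 because the RaQ log puts the virtual host first); the sample log lines are constructed, with probe paths modelled on the root.exe and cmd.exe requests the thread greps for. It goes a little beyond the thread: it matches only the request path rather than the whole line, flags any probe that did not get a 404, and makes the sort -u behaviour explicit, since identical lines (same IP, same second, same request) collapse to one entry and the "count of attacks" is therefore a count of distinct log lines.

```python
"""Count and classify Nimda probe requests in an Apache access log.

Added example, not a script from the cobalt-users thread. Assumes Common
Log Format with the client IP first; the sample log below is constructed.
"""
import re
import sys
from collections import Counter

# Common Log Format: ip ident user [time] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# The two executables the thread greps for: "old" probes ask for root.exe,
# "new" ones for cmd.exe. Matched on the request path only, not the whole
# line as egrep 'root.exe|cmd.exe' does.
VARIANTS = (("old", "root.exe"), ("new", "cmd.exe"))

# Constructed sample log (RFC 5737 documentation addresses). The two identical
# 198.51.100.7 lines show how line-level de-duplication behaves.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:13:02:11 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
192.0.2.10 - - [18/Sep/2001:13:02:12 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
198.51.100.7 - - [18/Sep/2001:13:05:40 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
198.51.100.7 - - [18/Sep/2001:13:05:40 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
203.0.113.5 - - [18/Sep/2001:13:09:03 +0100] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [18/Sep/2001:13:09:05 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 12
this line is not a log record
"""


def parse_line(line):
    """Return the fields of a CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Return 'old' (root.exe), 'new' (cmd.exe) or None for a request path."""
    lowered = path.lower()
    for name, needle in VARIANTS:
        if needle in lowered:
            return name
    return None


def nimda_report(lines, history=None):
    """Tally probe lines, skipping any already present in `history`.

    `history` is the set of raw log lines seen on earlier runs (the role of
    nimda_history.txt in the thread) and is updated in place. Identical lines
    collapse to one entry exactly as sort -u does, so "total" counts distinct
    log lines, not requests.
    """
    history = set() if history is None else history
    report = {"total": 0, "old": 0, "new": 0, "by_ip": Counter(),
              "not_404": [], "duplicates": 0, "unparsed": 0}
    for raw in lines:
        line = raw.rstrip("\n")
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        kind = classify(rec["path"])
        if kind is None:
            continue
        if line in history:
            report["duplicates"] += 1
            continue
        history.add(line)
        report["total"] += 1
        report[kind] += 1
        report["by_ip"][rec["ip"]] += 1
        # A Unix host should answer these probes with 404; anything else deserves a look.
        if rec["status"] != 404:
            report["not_404"].append((rec["ip"], rec["path"], rec["status"]))
    return report


def format_report(report):
    """Render the tallies in the same order as the thread's HTML table."""
    out = [f"Count of NIMDA attacks:   {report['total']}",
           f"Old (root.exe) attacks:   {report['old']}",
           f"New (cmd.exe) attacks:    {report['new']}",
           f"Unique IPs:               {len(report['by_ip'])}",
           f"Duplicate lines skipped:  {report['duplicates']}",
           "Counts by originating IP (busiest first):"]
    out += [f"  {n:5d} {ip}" for ip, n in report["by_ip"].most_common()]
    out += [f"  NON-404 RESPONSE: {ip} {path} -> {status}"
            for ip, path, status in report["not_404"]]
    return "\n".join(out)


if __name__ == "__main__":
    # Run against a real log with: python nimda_report.py /path/to/access
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(format_report(nimda_report(source)))
```

To keep a history across runs the way the thread's nimda_history.txt does, load that file into a set, pass it as `history`, and write the set back afterwards; the report then only counts lines that were not seen before. On the constructed sample the report gives 4 distinct probe lines (2 old, 2 new) from 3 IPs, one duplicate line skipped, and one cmd.exe request that was answered with 200 rather than 404.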