
RE: [cobalt-users] Nimba scanner shell script



>On Wed, 19 Sep 2001, Joseph Brennskag wrote:
>
>> Thanks Glen for the script.  For the past 12 hours we've had 464 scans from
>>
>> I also took the liberty to modify your script to scan for code red scans as
>> well.  Had 12 scans from 12 different ip addresses on that in 12 hours.
>
>Could you post the mod ?


Thom,

make sure you run the later version posted, or this version I "fixed", as the original missed a bunch of scans (NIMDA doesn't always search for scripts/cmd.exe or scripts/root.exe - the directory varies quite considerably - so scans can be very different).

Also, I've streamlined the commands in the original and the follow-up script: the greps didn't need the pipe and the cat; use the filename in the grep and eliminate the cat. Also, the final wc -l isn't needed in the first set of greps (getting the counts), as grep has a built-in count of matching lines using the -c option.


#!/bin/sh
# original code by: glen scott/design solution 2001 <glen@xxxxxxxxxxxxxxxxxxxx>
# streamlined & code-red: Greg Hewitt-Long - Web Your Business Inc. <greg@xxxxxxxxxxxxxxxxxxx>

echo "Nimda worm scanner..."
echo "Checking for root.exe and cmd.exe entries..."

#count individual scans (grep -c already prints the number of matching
#lines, so piping into wc -l would always give 1 - no wc -l here):
INDIVIDUAL_SCANS1=`grep -c 'cmd.exe' /var/log/httpd/access`
INDIVIDUAL_SCANS2=`grep -c 'root.exe' /var/log/httpd/access`

INDIVIDUAL_SCANS3=`grep -c 'NNNNNNNNNN' /var/log/httpd/access`
INDIVIDUAL_SCANS4=`grep -c 'XXXXXXXXXX' /var/log/httpd/access`

#count unique source ips (field 2 is where the client IP sits in the log
#format this script was written for - adjust -f2 if your log differs):
UNIQUE1=`grep 'cmd.exe' /var/log/httpd/access | cut -d ' ' -f2 | sort -u | wc -l`
UNIQUE2=`grep 'root.exe' /var/log/httpd/access | cut -d ' ' -f2 | sort -u | wc -l`
UNIQUE3=`grep 'NNNNNNNNNN' /var/log/httpd/access | cut -d ' ' -f2 | sort -u | wc -l`
UNIQUE4=`grep 'XXXXXXXXXX' /var/log/httpd/access | cut -d ' ' -f2 | sort -u | wc -l`

#note: SCANS1/UNIQUE1 are the cmd.exe counts and SCANS2/UNIQUE2 the root.exe
#counts, so the labels below match the variables
echo "NIMDA Scans:"
echo "We have received $INDIVIDUAL_SCANS1 scans for cmd.exe from $UNIQUE1 different IP addresses"
echo "We have received $INDIVIDUAL_SCANS2 scans for root.exe from $UNIQUE2 different IP addresses"

echo "Code Red Scans:"
echo "We have received $INDIVIDUAL_SCANS3 scans for Code Red \"N\" from $UNIQUE3 different IP addresses"
echo "We have received $INDIVIDUAL_SCANS4 scans for Code Red \"X\" from $UNIQUE4 different IP addresses"



I hope this helps..

Greg
-- 
http://www.webyourbusiness.com/
Providers of E-Commerce Software &
Web Design Consultancy and Services.
PH: (970)266-0195 FAX: (970)266-0158
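As an added example (not Glen's or Greg's script), the same tally done in one awk pass per signature, which also covers the point above about the directory varying: the signature is matched anywhere in the request path, and requests and distinct source IPs are counted together. It assumes the standard Apache common log format (client IP in field 1, request path in field 7, unlike the field 2 used by the Cobalt script); the log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not the script from the post. Counts, per worm signature,
# how many requests hit the log and from how many distinct client IPs.

# Constructed sample log lines standing in for /var/log/httpd/access.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.1 - - [19/Sep/2001:10:00:01 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.1 - - [19/Sep/2001:10:00:02 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.2 - - [19/Sep/2001:10:00:03 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.3 - - [19/Sep/2001:10:00:04 -0600] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.2 - - [19/Sep/2001:10:00:05 -0600] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 -
10.0.0.4 - - [19/Sep/2001:10:00:06 -0600] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 -
10.0.0.5 - - [19/Sep/2001:10:00:07 -0600] "GET /index.html HTTP/1.0" 200 1234
EOF

# Usage: count_scans LOGFILE SIGNATURE
# Prints "<requests> <unique_ips>" for requests whose path contains SIGNATURE.
# Assumes Apache common log format: $1 is the client IP, $7 the request path,
# so "cmd.exe" is found whichever directory the probe used.
count_scans() {
  awk -v sig="$2" '
    index($7, sig) { n++; if (!($1 in seen)) { seen[$1] = 1; u++ } }
    END { printf "%d %d\n", n + 0, u + 0 }
  ' "$1"
}

# Report each signature the post's script looks for.
for sig in root.exe cmd.exe NNNNNNNNNN XXXXXXXXXX; do
  set -- $(count_scans "$SAMPLE_LOG" "$sig")
  echo "$sig: $1 requests from $2 distinct IPs"
done
```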