Re: [cobalt-users] Re: [cobalt-security] Nimba scanner shell script
- Subject: Re: [cobalt-users] Re: [cobalt-security] Nimba scanner shell script
- From: Greg Hewitt-Long <greg@xxxxxxxxxxxxxxxxxxx>
- Date: Sat Sep 22 18:14:16 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>I've added a few lines and now the php script can display the IP addresses
>making the attacks. Just cut and paste into a text editor the resulting IP.
>Then Search and Replace spaces with carriage returns.
>Greg O
Greg,
Replace the `cat logfile | grep 'string'| wc -l` commands with `grep -c 'string' logfile` - it's a lot more efficient, as there won't be a bunch of temporary files or memory used (only a little - not a lot).
regards
Greg
>greg@xxxxxxxxxxxxxx
>
><!--Start Code-->
><html><head>
>
><title>PERL Worm Scanner by [kjv]</title>
>
></head>
>
><B><H3>Code Red, Nimda and Other Worm Scanner </H3></B>
>
>By <a href="mailto:webmaster@xxxxxxxxxxxxx">Kham Vue</a><br>
>
><a href="http://www.sengtroni.com">www.sengtroni.com</a><br>
>
>IP Display by <a href="mailto:greg@xxxxxxxxxxxxxx">Greg Ogorek</a><br>
>
>Original SHELL script by Glenn Scott glen@xxxxxxxxxxxxxxxxxxxxx
>
><P>
>This server has received <B>
><?system("cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' |
>wc -l") or die ("Could not open web logs!");?>
></B> scans for <i>"/scripts/root.exe"</i> from <b>
><?system("cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' |
>cut -d ' ' -f2 | sort | uniq | wc -l");?>
></b> different IP addresses! <BR>
>
><P>
>This server has received <B>
><?system("cat /var/log/httpd/access | grep 'cmd.exe'|wc -l") or die ("Could
>not open web logs!");?>
></B> scans for <i>"cmd.exe"</i> from <b>
><?system("cat /var/log/httpd/access | grep 'cmd.exe' | cut -d ' ' -f2 |
>sort | uniq | wc -l");?>
></b> different IP addresses! <BR>
>
>
><p>
>The server has been attacked <B>
>
><?system("cat /var/log/httpd/access | grep '/default.ida'|wc -l")?>
>
></b> times by the Code Red Virus from <b>
>
><?system("cat /var/log/httpd/access | grep '/default.ida' | cut -d ' ' -f2 |
>sort | uniq | wc -l");?>
>
></b> different IP Addresses!!!!
>
><P><HR>
><b>Nimda Attacks by IP</b><br>
><?system("cat /var/log/httpd/access | grep '/scripts/root.exe?/c+dir' |
>cut -d ' ' -f2 | sort | uniq");?><br>
>
><P><HR>
><b>Code Red Attacks by IP</b><br>
><?system("cat /var/log/httpd/access | grep '/default.ida' | cut -d ' ' -f2 |
>sort | uniq");?><br>
>
><P><HR>
>
>This script comes "as is". Any modifications, please update the author via
>email.
>
></body></html>
><!--END CODE-->
--
http://www.webyourbusiness.com/
Providers of E-Commerce Software &
Web Design Consultancy and Services.
PH: (970)266-0195 FAX: (970)266-0158
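
The `grep -c` substitution suggested in the reply, as an added example that is not part of the original thread. The function names, the use of `-F` (fixed-string matching) and the sample log are assumptions made here; the log layout (virtual host in field 1, client IP in field 2) is inferred from the quoted script's `cut -d ' ' -f2`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the layout implied by the quoted
# `cut -d ' ' -f2`: field 1 = virtual host, field 2 = client IP.

# Print the number of lines containing the fixed string $1 in log file $2.
# grep -c exits 1 on zero matches and 2 on a real error (e.g. unreadable log),
# so treat 1 as success and let any other failure propagate to the caller.
count_hits() {
    grep -cF -- "$1" "$2" || [ $? -eq 1 ]
}

# Print the unique client IPs (field 2) of lines containing $1, one per line.
unique_ips() {
    grep -F -- "$1" "$2" | cut -d ' ' -f2 | sort -u
}

# One summary line per signature searched for by the quoted script.
report() {
    for sig in '/scripts/root.exe?/c+dir' 'cmd.exe' '/default.ida'; do
        hits=$(count_hits "$sig" "$1") || { echo "cannot read $1" >&2; return 2; }
        ips=$(unique_ips "$sig" "$1" | wc -l | tr -d ' ')
        printf '%-28s %s hits from %s IPs\n' "$sig" "$hits" "$ips"
    done
}

# Constructed sample log (documentation-range IPs), not real traffic.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
www.example.com 192.0.2.10 - - [22/Sep/2001:10:00:01 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
www.example.com 192.0.2.10 - - [22/Sep/2001:10:00:09 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
www.example.com 192.0.2.10 - - [22/Sep/2001:10:00:12 -0600] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 280
www.example.com 198.51.100.7 - - [22/Sep/2001:10:05:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
www.example.com 198.51.100.7 - - [22/Sep/2001:10:06:00 -0600] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270
www.example.com 203.0.113.5 - - [22/Sep/2001:10:07:00 -0600] "GET /index.html HTTP/1.0" 200 1024
EOF

report "$SAMPLE"
```

Because a zero count and an unreadable log are reported differently, a caller can show "0 scans" without mistaking it for a failure to open the log.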