[FUGSPBR] CodeRed EMAIL NOTIFYER script
applein
applein@tutopia.com.br
Wed Aug 15 01:27:02 BRT 2001
To: FOCUS-LINUX
Subject: CodeRed EMAIL NOTIFYER script
Date: Tue Aug 14 2001 18:43:15
Author: <falken@area66.com>
Message-ID: <Pine.LNX.4.21.0108141841290.5684-100000@irc.area66.com>
Yes, it's simple, it just trims the domain of each gethostbyaddr()able IP
and sends an information email to admin@domain and info@domain telling
them a very short explanation of what is happening.
I know that, depending on the systems, it would be a massive mailing
(think of SPAM) with devastating results... so, use it with care.
It can be optimized a lot... so, read the disclaimer at the top of the
script (-:
bye
PS: I am open to constructive criticism.
--
Xavi Torres <admin@area66.com>
Systems administration
Krypton Networks S.L.
http://www.kryptonetworks.com/
http://www.area66.com/
--8<------------8<------------8<-------------
#!/usr/bin/perl
#
# CodeRed httpd log analyzer and informer script,
# by XTR <admin@area66.com>, <rotten@wanadoo.es>
# Note/disclaimer:
# it's ugly, I did it on 2 minutes with a joint on the other hand
# (-:
#
use strict;
use warnings;
use Socket;

# lets do some config.
# the httpd access log to look for the attacks.
my $f_access = "/var/log/httpd/access_log";
# the sendmail binary
my $sendmail = "/usr/sbin/sendmail";
# From: line at generated emails.
my $email_from = 'admin@very.worried.bout.security';

# IPs already reported, so one infected host gets one mail, not one per log line.
my %notified;

open(my $faccess, '<', $f_access) or die "cannot open $f_access: $!";
while (my $line = <$faccess>) {
    # Code Red probes request /default.ida? followed by filler and the exploit payload.
    next unless $line =~ /default\.ida\?/;
    chomp $line;
    my @lin = split(/ /, $line);
    my $ip  = $lin[0];
    next if $notified{$ip}++;
    my $iaddr = inet_aton($ip) or next;
    my $hostname = gethostbyaddr($iaddr, AF_INET);
    # gethostbyaddr() returns undef when there is no PTR record.
    next unless defined $hostname && $hostname ne "";
    # The PTR name is data under the remote network's control: only accept plain
    # hostname characters before it is interpolated into a mail header.
    next unless $hostname =~ /^[A-Za-z0-9.-]+$/;
    my @ldom = split(/\./, $hostname);
    my $np = scalar @ldom;
    next if $np < 2;
    # Naive: keeps the last two labels, which is wrong for domains like example.co.uk.
    my $domain = join('.', $ldom[$np-2], $ldom[$np-1]);
    print "Sending warning email to: admin\@$domain...\n";
    # List form of open avoids the shell; -t makes sendmail take recipients from the headers.
    open(my $email, '|-', $sendmail, '-t') or die "cannot run $sendmail: $!";
    print $email "From: $email_from\n";
    print $email "To: admin\@$domain\n";
    print $email "Cc: info\@$domain\n";
    print $email "Subject: You have a CodeRed infected server.\n";
    # A blank line must separate the headers from the body, or "Hello," is parsed as a header.
    print $email "\n";
    print $email "Hello,\n";
    print $email "This is an automated email with the purpose of notifying you\n";
    print $email "that the machine with IP $ip from your network sent us a\n";
    print $email "CodeRed attack directed at our servers.\n";
    print $email "It happened due to a Microsoft Internet Information Server\n";
    print $email "security fault on that machine ($ip - $hostname).\n";
    print $email "I recommend you to take the appropriate measures and get\n";
    print $email "information at http://www.microsoft.com/ about how to fix\n";
    print $email "the problem.\n";
    print $email "Luck!\n";
    print $email "\n";
    close($email);
}
close($faccess);
--8<------------8<------------8<-------------
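As an added example (not part of the original post or of the script above): the same Code Red detection over constructed Apache access-log lines, done in Python without DNS lookups or sendmail, plus the PTR-name-to-domain step with the check a practitioner wants before a remote-controlled name reaches a mail header. The log lines, IPs and PTR names are constructed; the last case also shows the script's "last two labels" rule failing on a .co.uk name.

```python
import re

# Constructed sample lines in Apache common log format (not taken from the original post).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Aug/2001:18:01:03 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 281
198.51.100.7 - - [14/Aug/2001:18:02:11 +0200] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [14/Aug/2001:18:05:40 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 281
203.0.113.5 - - [14/Aug/2001:18:07:02 +0200] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 404 281
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Code Red v1 fills the query string with N, the later variant with X, before the %u-encoded payload.
CODERED_RE = re.compile(r'^(?:GET|HEAD) /default\.ida\?[NX]{4,}')
# Plain hostname labels only (letters, digits, hyphens), at least two of them.
HOSTNAME_RE = re.compile(r'[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+')


def find_codered_sources(log_text):
    """Map each source IP of a Code Red probe to its hit count and first/last timestamps."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not CODERED_RE.match(m.group("req")):
            continue
        rec = hits.setdefault(m.group("ip"), {"count": 0, "first": m.group("ts"), "last": None})
        rec["count"] += 1
        rec["last"] = m.group("ts")
    return hits


def notification_domain(ptr_name):
    """Last two labels of the PTR name, as the Perl script does, or None if it is unsafe to use.

    A PTR record is controlled by the remote network, so anything that is not a plain
    hostname is rejected before it could reach a To:/Cc: header. The two-label rule is
    the script's own simplification and mis-handles registries such as .co.uk."""
    if not ptr_name:
        return None
    name = ptr_name.rstrip(".").lower()
    if not HOSTNAME_RE.fullmatch(name):
        return None
    labels = name.split(".")
    return ".".join(labels[-2:])
```

Running `find_codered_sources(SAMPLE_LOG)` reports 192.0.2.10 twice and 203.0.113.5 once; the unrelated index.html request is ignored.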