[FUGSPBR] CodeRed EMAIL NOTIFYER script

applein applein@tutopia.com.br
Wed Aug 15 01:27:02 BRT 2001


To: FOCUS-LINUX
Subject: CodeRed EMAIL NOTIFYER script
Date: Tue Aug 14 2001 18:43:15
Author: < falken@area66.com >
Message-ID: <Pine.LNX.4.21.0108141841290.5684-100000@irc.area66.com>

Yes, it's simple, it just trims the domain of each gethostbyaddr()able IP
and sends an information email to admin@domain and info@domain telling
them a very short explanation of what is happening.

I know that, depending on which systems, it would be a massive mailing
(think of SPAM) with devastating results... so, use it with care.

It can be optimized a lot... so, read the disclaimer at the top of the
script (-:

bye

PD: I am open to constructive criticisms.

--

Xavi Torres <admin@area66.com>
Systems administration
Krypton Networks S.L.
http://www.kryptonetworks.com/
http://www.area66.com/


--8<------------8<------------8<-------------

#!/usr/bin/perl

#
# CodeRed httpd log analyzer and informer script,
# by XTR <admin@area66.com>, <rotten@wanadoo.es>
# Note/disclaimer:
# it's ugly, I did it in 2 minutes with a joint in the other hand
# (-:
#

use strict;
use warnings;
use Socket;

# lets do some config.
# the httpd access log to look for the attacks.
my $f_access="/var/log/httpd/access_log";
# the sendmail binary
my $sendmail="/usr/sbin/sendmail";
# From: line at generated emails.
my $email_from="admin\@very.worried.bout.security";

open(FACCESS,$f_access) or die "cannot open $f_access: $!";
while(<FACCESS>){
    # CodeRed probes request /default.ida? followed by a long filler string
    if(/default\.ida\?/){
        chomp;
        my @lin=split(/ /,$_);
        my $ip=$lin[0];                 # first field of the access log line is the client IP
        my $iaddr=inet_aton($ip);
        next unless defined $iaddr;     # skip lines whose first field is not an IP
        my $hostname=gethostbyaddr($iaddr,AF_INET);
        if(defined $hostname && $hostname ne ""){
            # take the last two labels of the reverse name as the domain
            my @ldom=split(/\./,$hostname);
            my $np=scalar @ldom;
            next if $np < 2;            # a bare name gives no domain to write to
            my $domain=join('.', $ldom[$np-2], $ldom[$np-1]);
            print "Sending warning email to: admin\@$domain...\n";
            open(EMAIL,"|$sendmail -t") or die "cannot run $sendmail: $!";
            print EMAIL "From: $email_from\n";
            print EMAIL "To: admin\@$domain\n";
            print EMAIL "Cc: info\@$domain\n";
            print EMAIL "Subject: You have a CodeRed infected server.\n";
            print EMAIL "\n";           # blank line ends the headers; sendmail -t needs it
            print EMAIL "Hello,\n";
            print EMAIL "This is an automated email with the purpose of notifying you\n";
            print EMAIL "that the machine with IP $ip from your network sent us a\n";
            print EMAIL "CodeRed attack destined to our servers.\n";
            print EMAIL "It happened due to a Microsoft Internet Information Server\n";
            print EMAIL "security fault on that machine ($ip - $hostname).\n";
            print EMAIL "I recommend you to take the appropriate measures and get\n";
            print EMAIL "information at http://www.microsoft.com/ about how to fix\n";
            print EMAIL "the problem.\n";
            print EMAIL "Luck!\n";
            print EMAIL "\n";
            close(EMAIL);
        }
    }
}
close(FACCESS);

--8<------------8<------------8<-------------
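The detection side of the script, as an added Python example that is not part of the original post: it matches the Code Red probe against the request field of constructed access-log lines (more strictly than the script's bare /default\.ida\?/), aggregates hits per source IP so a noisy host produces one record instead of one mail per log line, and reproduces the script's "last two labels" domain heuristic, including its failure on multi-label suffixes such as .co.uk. No mail is sent and no DNS lookup is done; SAMPLE_LOG is constructed data.

```python
import re

# Apache common/combined log line prefix: ip ident user [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# Code Red's probe: GET /default.ida? followed by a long filler run of N (or X
# in a later variant), then the %u-encoded payload. Tighter than the script's
# bare /default\.ida\?/ so a stray mention in a referrer or URL does not count.
CODERED_RE = re.compile(r'^GET /default\.ida\?[NX]{50,}')

# Constructed sample lines, not real traffic: two probes from one host, one
# ordinary request, and one probe from a second host.
SAMPLE_LOG = [
    f'10.0.0.5 - - [14/Aug/2001:18:02:11 -0300] "GET /default.ida?{"N" * 224}%u9090%u6858=a HTTP/1.0" 404 276',
    '192.0.2.9 - - [14/Aug/2001:18:05:40 -0300] "GET /index.html HTTP/1.0" 200 1043',
    f'10.0.0.5 - - [14/Aug/2001:18:11:03 -0300] "GET /default.ida?{"N" * 224}%u9090%u6858=a HTTP/1.0" 404 276',
    f'203.0.113.7 - - [14/Aug/2001:18:20:19 -0300] "GET /default.ida?{"X" * 224}%u9090%u6858=a HTTP/1.0" 404 276',
]

def scan_log(lines):
    """Collect Code Red probes per source IP: count plus first and last timestamp.
    Aggregating by IP is what keeps a notifier from mailing once per log line."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not CODERED_RE.match(m.group("req")):
            continue
        rec = hits.setdefault(m.group("ip"), {"count": 0, "first": m.group("ts"), "last": None})
        rec["count"] += 1
        rec["last"] = m.group("ts")
    return hits

def parent_domain(hostname):
    """The script's heuristic: the last two labels of the reverse DNS name.
    Returns None when there are fewer than two labels. For names under
    multi-label suffixes such as .co.uk this yields the registry suffix,
    not the organisation's domain, which is why a real notifier needs a
    public-suffix list before it picks a recipient."""
    labels = hostname.rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])

if __name__ == "__main__":
    for ip, rec in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {rec['count']} probe(s), {rec['first']} .. {rec['last']}")
```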
----
To leave the list, send an e-mail to majordomo@fugspbr.org
with the words "unsubscribe fugspbr" in the message body.

More details about the freebsd discussion list