Home page logo
/

nanog logo nanog mailing list archives

Re: [isp-linux] RE: Massive port 80 hits
From: "Bill Larson" <blarson () compu net>
Date: Tue, 18 Sep 2001 14:18:09 -0500


#!/usr/bin/perl

# IISBLOCK - Infected IIS server blocking utility.
# by Bill Larson <blarson () compu net> of Compu-Net Enterprises.
# http://www.compu.net. This header must be kept intact if you
# wish to redistribute the script.

my $check = 0;
my $line = "";
my $weblog = "/etc/www/logs/access_log";
my $infection = "/root/infected";
my $removelist = "/root/fwclean";

# create the removelist file so that you can chmod it later and
# automatically clear the firewall.. chmod 700 iisblock

open (HTFILE3, ">$removelist");
print HTFILE3 "#!/bin/sh\n";
close(HTFILE3);

#open the web server log file specified above and start processing

open (HTFILE, "$weblog");
until (eof (HTFILE))
{
  $line  =<HTFILE>;
  chop ($line);

#Pattern match on IIS Attempts then strip down to the hostname/ip addresss

  if ($line =~ /.*\/winnt\/system32\/.*/) {
    $line =~ s/\ -.*//gi;

# This host is infected so lets do something about it.
    &infected;
  }
}
close(HTFILE);

sub infected {
  $check = 0;

# begin a check to ensure that we only take action once.

  open (HTFILE2, "$infection");
  until (eof (HTFILE2)){
    $dupe  =<HTFILE2>;
    chop ($dupe);
    if ($line =~ /$dupe/){
      $check = 1;
    }
    else {
    }
  }
  close(HTFILE2);

# If this is a unique host continue

  if ($check eq "0") {

# time to add to the list of infected hosts

    open (HTFILE2, ">>$infection");
    print HTFILE2 "$line\n";
    close(HTFILE2);

# add using the specified add command 
# firewall software will print an error on invalid hostnames.
# Zap them one at a time maunally

    system ("/sbin/ipchains -I input -s $line -j DENY -l");

# write firewall removal line to the remove list file
# modify this line for your specific firewall software

    open (HTFILE3, ">>$removelist");
    print HTFILE3 "/sbin/ipchains -D input -s $line -j DENY -l\n";
    close(HTFILE3);
  }

# That's all folks!

}



  By Date           By Thread  

Current thread:
  • Re: [isp-linux] RE: Massive port 80 hits Bill Larson (Sep 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault