Snort mailing list archives

Shell Script searching for Code Red and Nimda


From: "Paul Asadoorian" <Paul_Asadoorian () brown edu>
Date: Thu, 20 Sep 2001 08:31:34 -0400

I have created a shell script (Solaris) that searches the web logs for Code
Red and Nimda.  It's not the prettiest thing in the world, but it works, and
it helps me to automatically detect any of my hosts that have been infected.

Paul

#!/bin/sh
#
# Scans the apache web logs and sends email to the administrator notifying
# him/her about offenses that originate from the local address space
#
# Paul Asadoorian
# 09/03/2001
#
# Code Red format:
# 193.136.235.18 - - [04/Sep/2001:11:25:29 -0400] "GET /default.ida?XXXX
#
# Nimda Format:
# 128.230.182.42 - - [20/Sep/2001:07:26:57 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 301 263 "-" "-"


# Setup some variables
# Local address space as an anchored regex: the dots are escaped so "192.168"
# cannot match e.g. 192x168, and "^" ties it to the start of the client field
MY_ADDRESS_SPACE='^192\.168\.'
EMAIL=security@mydomain.com
APACHE_LOGS=/var/log/apache/access_log
# Change this to suit your needs, we don't use IIS much so this works for us
# Both are matched as fixed strings (grep -F), so "." "?" and "+" are literal
CODE_RED=".ida?"
NIMDA="c+dir"
# Our own name server, whose address shows up in every nslookup answer
DNS_SERVER=128.148.128.9

# Private work directory: mkdir fails if the name already exists, so a
# symlink planted in /tmp cannot redirect the output files
umask 077
WORK=/tmp/webscan.$$
mkdir "$WORK" || exit 1
trap 'rm -rf "$WORK"' 0

# Search for Code Red and save results
grep -F "$CODE_RED" "$APACHE_LOGS" | cut -d" " -f1 | sort -u | grep "$MY_ADDRESS_SPACE" > "$WORK/mycr.out"
# Resolve each address directly instead of piping generated commands into sh
while read ip; do nslookup "$ip"; done < "$WORK/mycr.out" | grep -v "Server" | grep -v "$DNS_SERVER" > "$WORK/crlookup.out"

# Search for Nimda and save results
grep -F "$NIMDA" "$APACHE_LOGS" | cut -d" " -f1 | sort -u | grep "$MY_ADDRESS_SPACE" > "$WORK/mynm.out"
while read ip; do nslookup "$ip"; done < "$WORK/mynm.out" | grep -v "Server" | grep -v "$DNS_SERVER" > "$WORK/nmlookup.out"

# Only send mail when a lookup file is non-empty, so a clean run stays quiet
[ -s "$WORK/crlookup.out" ] && mailx -s "Code Red attempt Found on `hostname`" "$EMAIL" < "$WORK/crlookup.out"
[ -s "$WORK/nmlookup.out" ] && mailx -s "Nimda attempt Found on `hostname`" "$EMAIL" < "$WORK/nmlookup.out"
# Work files are removed by the trap above
exit 0
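An added example, not part of Paul's post: the same log check done in one awk pass with fixed-string matching (so the "." "?" and "+" in the signatures are literal) and a hit count per local host, which shows how many worm requests each infected machine sent. The sample access_log lines and the 192.168. prefix are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Counts, per local source host,
# how many requests in an Apache access_log carry a Code Red or Nimda
# signature. The sample log below and the 192.168. prefix are constructed.

SAMPLE_LOG=/tmp/webscan_sample.$$
trap 'rm -f "$SAMPLE_LOG"' 0
cat > "$SAMPLE_LOG" <<'EOF'
193.136.235.18 - - [04/Sep/2001:11:25:29 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 283 "-" "-"
192.168.10.5 - - [04/Sep/2001:11:26:02 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 283 "-" "-"
192.168.10.5 - - [04/Sep/2001:11:26:03 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 283 "-" "-"
192.168.77.9 - - [20/Sep/2001:07:26:57 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 301 263 "-" "-"
192.168.77.9 - - [20/Sep/2001:07:26:58 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
128.230.182.42 - - [20/Sep/2001:07:27:10 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 301 263 "-" "-"
EOF

# report_local_infections LOGFILE PREFIX
# Prints "Worm client-ip hits", one line per infected local host.
# awk's index() does plain substring matching, so the "." "?" and "+" in the
# signatures are literal; grep without -F would treat them as regex operators.
# index($1, prefix) == 1 anchors the prefix to the start of the client field,
# so a remote address that merely contains the digits is not reported.
report_local_infections() {
    awk -v prefix="$2" '
        index($0, "default.ida?")   && index($1, prefix) == 1 { hits["CodeRed " $1]++ }
        index($0, "cmd.exe?/c+dir") && index($1, prefix) == 1 { hits["Nimda " $1]++ }
        END { for (k in hits) print k, hits[k] }
    ' "$1" | sort
}

# Wrapper over the constructed log; expected output:
#   CodeRed 192.168.10.5 2
#   Nimda 192.168.77.9 1
sample_report() {
    report_local_infections "$SAMPLE_LOG" "192.168."
}

sample_report
```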

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users