[Dshield] Code Red reporting (fwd)

Johannes B. Ullrich jullrich at euclidian.com
Tue Aug 28 12:23:13 GMT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hey all. I received the script below which is a nicer filter for CodeRed
logs. Enjoy.


- ---------- Forwarded message ----------
Date: Tue, 28 Aug 2001 06:30:11 -0700
From: Tom Carroll <tcarroll3 at hotmail.com>
To: info at dshield.org
Subject: Code Red reporting

Hello.  I saw an e-mail on the E-Smith developers list about sending reports to redalert at dshield.org and you folks would notify the appropriate folks about their infected server.

I've had more than my fair share of attempts on my server (APACHE) and wrote a script to run in my nightly crontab.

I'm including it so others may benefit and help stop the spread of the code red worm.

If you see any problems with this, please let me know.

Thank you for such a great service!

Tom Carroll
- ---
#! /bin/sh
#######################################################################
# Version 1.0                                                         #
# code_red_check.sh - Written by Tom Carroll (tcarroll3 at hotmail.com)  #
#                                                                     #
# This script/awk program is designed to check the httpd access log   #
# for the default.ida? string.  It will extract relevant lines from   #
# the log and e-mail them to redalert at dshield.org if it finds any     #
# entries.  A copy can be mailed to anyone else also.  Negative       #
# reports may be enabled also.                                        #
#                                                                     #
# This script should be set up in your crontab as a nightly event, or #
# you could just run it manually each day.  I've written the code to  #
# scan the /var/log/httpd/access_log file for any occurrence of the   #
# search string on the previous day.                                  #
#                                                                     #
# This script/program is free for anyone to use.  Please give credit  #
# where credit is due.                                                #
#                                                                     #
# Thanks to Kris Jordon for helping with this script.                 #
#                                                                     #
# Version 1.0 - Initial release                                       #
#######################################################################

# user defined variables
log_file="/var/log/httpd/access_log"
rpt_file="`dirname "$log_file"`/code_red.rpt"
mail_to="redalert@dshield.org"
mail_cc="tom"
search="/default.ida?"
rpt_head="`dirname "$log_file"`/rpt_head.txt"

# Yesterday's date in the dd/Mon/ form used by the access log timestamp.
# Computed once here rather than once per matching line, and taken from
# date(1) so it is also correct on the first day of a month (GNU date
# first, BSD/macOS form as a fallback).  LC_ALL=C keeps the month
# abbreviation in English, as the log writes it.
yesterday=`LC_ALL=C date -d '1 day ago' '+%d/%b/' 2>/dev/null || LC_ALL=C date -v-1d '+%d/%b/'`

# Extract yesterday's lines containing the search string.  index() does a
# literal match, so the "?" and "." in the search string are not treated
# as regex metacharacters.  The report file is overwritten, not appended
# to, so a leftover file from an earlier run cannot inflate the count.
awk -v search="$search" -v yesterday="$yesterday" \
    'index($0, search) && index($0, "[" yesterday) { print }' \
    "$log_file" > "$rpt_file"

if [ -s "$rpt_file" ]; then
      mail -s "APACHE" "$mail_to" < "$rpt_file"
      # every line in the report file is a hit, so the line count is the number of attempts
      attempts=`wc -l < "$rpt_file" | tr -d ' '`
      echo "There were $attempts Code Red attempts in the past 24 hours.  Report follows:" > "$rpt_head"
      echo "----------------------------------------------------------------------------------" >> "$rpt_head"
      cat "$rpt_file" >> "$rpt_head"
      mail -s "CODE Red report" "$mail_cc" < "$rpt_head"
      rm "$rpt_head"
   else
      echo "No Code Red attempts in the past 24 hours." | mail -s "CODE RED report" "$mail_cc"
fi
rm -f "$rpt_file"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7i400VOIizK5pIDMRAqEpAKDYPb0xm6+4sGVTRI6zBUZN3BR38gCgrX/7
gp/8Yg3Zz/ctEydCUM0Z7Uo=
=oC78
-----END PGP SIGNATURE-----
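A stand-alone version of the filter in the forwarded script, added here as an editorial example (it is not Tom Carroll's code or DShield's): it takes the day to report on as a parameter instead of reading the wall clock, matches the search string literally rather than as a regex, and adds a per-source-IP summary, since the source address is what a report recipient needs in order to notify the owner of the infected host. The log lines are constructed sample data using RFC 5737 documentation addresses, and the function names (filter_day, count_attempts, summarize_sources, yesterday) are this example's own.

```shell
#!/bin/sh
# Constructed sample of Apache common-log-format lines (not real traffic).
# Two probes from one host on 27/Aug, a normal request, and one probe on 28/Aug.
SAMPLE_LOG='192.0.2.10 - - [27/Aug/2001:03:14:07 -0700] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 281
198.51.100.7 - - [27/Aug/2001:09:02:44 -0700] "GET /index.html HTTP/1.0" 200 1432
192.0.2.10 - - [27/Aug/2001:18:44:10 -0700] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 281
203.0.113.5 - - [28/Aug/2001:00:01:00 -0700] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 281'

# filter_day LOGTEXT SEARCH DAY
#   Prints the lines of LOGTEXT whose request contains SEARCH literally and
#   whose timestamp field starts with DAY (dd/Mon/ form).  awk's index() is a
#   substring match, so "?" and "." in SEARCH carry no regex meaning, and the
#   "[" prefix ties DAY to the timestamp rather than to any other field.
filter_day() {
    printf '%s\n' "$1" | awk -v search="$2" -v day="$3" \
        'index($0, search) && index($0, "[" day) { print }'
}

# count_attempts LOGTEXT SEARCH DAY
#   Number of matching lines; tr strips the leading blanks BSD wc emits.
count_attempts() {
    filter_day "$1" "$2" "$3" | wc -l | tr -d ' '
}

# summarize_sources LOGTEXT SEARCH DAY
#   One line per probing source, "count ip", busiest source first.
summarize_sources() {
    filter_day "$1" "$2" "$3" \
        | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' \
        | sort -rn
}

# yesterday
#   Yesterday as dd/Mon/ from date(1), so month boundaries are handled
#   (GNU date first, BSD/macOS form as a fallback); English month names.
yesterday() {
    LC_ALL=C date -d '1 day ago' '+%d/%b/' 2>/dev/null || LC_ALL=C date -v-1d '+%d/%b/'
}

# Usage, run against the constructed sample for a fixed day:
echo "Attempts on 27/Aug: $(count_attempts "$SAMPLE_LOG" '/default.ida?' '27/Aug/')"
summarize_sources "$SAMPLE_LOG" '/default.ida?' '27/Aug/'
```

Against a live server, replace SAMPLE_LOG with `cat /var/log/httpd/access_log` output and pass `$(yesterday)` as the day; the per-source summary is the part worth forwarding, because a report that names the probing address lets the recipient trace the infected machine.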
