[Dshield] help identify IIS log entry

Daniel Gerald Kluge dkluge at acm.org
Thu Mar 27 22:44:41 GMT 2003


On Wednesday, March 26, 2003, at 22:18 Europe/Zurich, John Hardin wrote:

> On Wed, 2003-03-26 at 09:12, Paul Chambers wrote:
>> I would be very interested to see the percentages of the different
>> scanners, worms, etc. active out there, which isn't always obvious from
>> the target port alone.
>
> That's what I'm aiming for, too.
>

Would it be possible to just get a rough idea of what the top scans are?

I just drop everything at the FW for the time being, and normally my 
top ports are 137, 80, 445, and then all the others, mostly PC 
riff-raff, which I don't really care about (hardly use my PC, and XP 
just stopped booting), so the usual 80, 8080 port scans are what 
interest me at least marginally.

I did use the following script to have a quick look at our Netscape 
Logs:

#!/usr/bin/perl
use strict;
use warnings;

# Classify Code Red / Nimda probes in an NCSA-style access log
my $file = shift || '/usr/netscape/server4/https-www.foo.com/logs/access';
open my $in, '<', $file or die "Cannot open file $file :$!\n";
while (<$in>) {
   # Code Red: GET /default.ida?N...   Code Red II: GET /default.ida?X...
   if (/^(\S+) \S+ \S+ \[(\S+) [\-\+]\d{4}\] "GET \/default\.ida\?(\w)/) {
     my $c;
     if ($3 eq 'N') { $c = "CodeRed" }
     elsif ($3 eq "X") { $c = "CodeRedII" }
     else { $c = "unknown $3" }
     print "$2 $1 $c\n";
   }
   # Nimda: traversal to cmd.exe (pattern kept on one line; the mail client had wrapped it)
   elsif (/^(\S+) \S+ \S+ \[(\S+) [\-\+]\d{4}\] "GET \/scripts\/\.\.%%35c\.\.\/winnt\/system32\/cmd\.exe\?\/c\+dir/) {
     print "$2 $1 Nimda\n";
   }
}
close $in;
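As an added example, not part of the original post and not the poster's script, here is the same classification written in Python and extended to count hits per signature and report percentages, which is the rough "top scans" summary the thread is after. It recognises only what the Perl script above recognises (the N and X markers after /default.ida? and the one Nimda request string); the log lines, hosts and timestamps embedded in it are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Tally Code Red / Code Red II / Nimda probes in an NCSA-style access log.

Added example: a Python reimplementation of the Perl script in the post,
extended to count hits per signature and report percentages.
"""
import re
import sys
from collections import Counter

# NCSA common log prefix: host ident user [timestamp offset] "METHOD path ..."
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [-+]\d{4}\] "(?P<method>\S+) (?P<path>\S+)'
)

# Code Red family: the first byte after "default.ida?" identifies the variant.
CODERED_RE = re.compile(r"^/default\.ida\?(\w)")
CODERED_VARIANTS = {"N": "CodeRed", "X": "CodeRedII"}

# The single Nimda request string the original Perl script matched.
NIMDA_PATH = "/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir"

# Constructed sample log (not real traffic): 3 Code Red, 1 Code Red II,
# 2 Nimda, 1 ordinary page fetch, 1 line that is not a log entry at all.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:14:02:11 -0700] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 200 -',
    '192.0.2.11 - - [19/Jul/2001:14:05:40 -0700] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 200 -',
    '198.51.100.7 - - [18/Sep/2001:13:20:05 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '203.0.113.5 - - [04/Aug/2001:09:17:33 -0400] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 200 -',
    '192.0.2.12 - - [19/Jul/2001:14:09:02 -0700] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 200 -',
    '198.51.100.8 - - [18/Sep/2001:13:21:19 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '203.0.113.9 - - [18/Sep/2001:13:22:00 +0200] "GET /index.html HTTP/1.0" 200 1043',
    'garbage line that is not an access log entry',
]


def classify(line):
    """Return (timestamp, host, label) for a recognised probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    cr = CODERED_RE.match(path)
    if cr:
        marker = cr.group(1)
        label = CODERED_VARIANTS.get(marker, "unknown " + marker)
    elif path == NIMDA_PATH:
        label = "Nimda"
    else:
        return None
    return (m.group("ts"), m.group("host"), label)


def tally(lines):
    """Count recognised probes per label; return (counts, percent_of_probes)."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[2]] += 1
    total = sum(counts.values())
    pct = {label: round(100.0 * n / total, 1) for label, n in counts.items()} if total else {}
    return counts, pct


def main(argv):
    # Read the access log named on the command line, or fall back to the sample.
    if len(argv) > 1:
        with open(argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    for hit in filter(None, map(classify, lines)):
        print("%s %s %s" % hit)
    counts, pct = tally(lines)
    for label, n in counts.most_common():
        print("%-10s %5d  %5.1f%%" % (label, n, pct[label]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the sample tallied, or pass the path of an access log to summarise real traffic; percentages are relative to the probes recognised, not to all requests in the log, so an unrecognised scanner does not dilute the figures.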