[Snort-users] Shell Script searching for Code Red and Nimda

Paul Asadoorian Paul_Asadoorian at ...2414...
Thu Sep 20 05:30:02 EDT 2001


I have created a shell script (Solaris) that searches the web logs for Code
Red and Nimda.  It's not the prettiest thing in the world, but it works, and
it helps me to automatically detect any of my hosts that have been infected.

Paul

#!/bin/sh
#
# Scans the apache web logs and sends email to the administrator notifying
# him/her about offenses that originate from the local address space
#
# Paul Asadoorian
# 09/03/2001
#
# Code Red format:
# 193.136.235.18 - - [04/Sep/2001:11:25:29 -0400] "GET /default.ida?XXXX
#
# Nimda Format:
# 128.230.182.42 - - [20/Sep/2001:07:26:57 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 301 263 "-" "-"


# Setup some variables
# Local address space as an anchored basic regex: the "^" pins it to the start
# of the client-IP field and the dots are escaped, so an unanchored match such
# as 10.192.168.x or 1192.168.x.x cannot be reported as a local host.
MY_ADDRESS_SPACE='^192\.168\.'
EMAIL="security at ...3526..."
APACHE_LOGS=/var/log/apache/access_log
# Address of the nameserver that nslookup echoes on its "Server:"/"Address:"
# lines; those lines are filtered out of the report.
DNS_SERVER=128.148.128.9
# Change these to suit your needs, we don't use IIS much so this works for us.
# Both are basic regular expressions: the dot is escaped, and "?" and "+" are
# literal characters in a BRE, so "c+dir" matches the "/c+dir" in the request.
CODE_RED='\.ida?'
NIMDA='c+dir'

# Print the nslookup results for every unique local client address whose
# requests match the pattern given as $1.  The list travels through the
# pipeline instead of fixed-name files in /tmp, and nslookup is called per
# address rather than by piping generated commands into sh.
report() {
    grep -e "$1" "$APACHE_LOGS" | cut -d" " -f1 | sort | uniq |
    grep -e "$MY_ADDRESS_SPACE" |
    while read host
    do
        nslookup "$host" | grep -v "Server" | grep -v "$DNS_SERVER"
    done
}

# Search for Code Red and Nimda and mail the results
CR_REPORT=`report "$CODE_RED"`
NM_REPORT=`report "$NIMDA"`

# Only send mail when something was actually found
if [ -n "$CR_REPORT" ]
then
    echo "$CR_REPORT" | mailx -s "Code Red attempt Found on `hostname`" "$EMAIL"
fi
if [ -n "$NM_REPORT" ]
then
    echo "$NM_REPORT" | mailx -s "Nimda attempt Found on `hostname`" "$EMAIL"
fi
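
The detection step of the script above, run over a few constructed Apache access_log lines so the result can be checked offline. This is an added example, not Paul's script or any Snort code: the log lines are made up for the demonstration (the two attack strings in them are the ones quoted in the post), and the function names `infected_hosts`, `code_red_hosts`, `nimda_hosts` and `nimda_hosts_unanchored` are this example's own. It also shows why the local-address match needs to be anchored: an unanchored `grep 192.168` reports a 10.192.168.x client as local.

```shell
#!/bin/sh
# Added example: Code Red / Nimda signatures over a constructed log sample.

# Local address space as an anchored basic regex (escaped dots, pinned to the
# start of the client-IP field).
LOCAL_NET='^192\.168\.'

# Constructed sample log: one remote Code Red scanner, one local Code Red host
# (two hits), one 10.192.168.x Nimda host that is NOT local, one local Nimda
# host, and one ordinary request.
SAMPLE_LOG='193.136.235.18 - - [04/Sep/2001:11:25:29 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 296 "-" "-"
192.168.4.17 - - [04/Sep/2001:11:26:02 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 296 "-" "-"
192.168.4.17 - - [04/Sep/2001:11:26:03 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 296 "-" "-"
10.192.168.9 - - [20/Sep/2001:07:25:11 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 "-" "-"
192.168.7.3 - - [20/Sep/2001:07:26:57 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 301 263 "-" "-"
192.168.7.3 - - [20/Sep/2001:07:27:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "-"'

# infected_hosts PATTERN: unique local client IPs whose requests match PATTERN
# (a basic regex). Same pipeline as the post, with the local match anchored.
infected_hosts() {
    printf '%s\n' "$SAMPLE_LOG" | grep -e "$1" | cut -d' ' -f1 | sort -u |
    grep -e "$LOCAL_NET"
}

# The two signatures as BREs: "?" and "+" are literal in a basic regex.
code_red_hosts() { infected_hosts '\.ida?'; }
nimda_hosts()    { infected_hosts 'c+dir'; }

# The unanchored, unescaped form of the local match, kept to show the false
# positive: 10.192.168.9 is reported alongside the real local host.
nimda_hosts_unanchored() {
    printf '%s\n' "$SAMPLE_LOG" | grep -e 'c+dir' | cut -d' ' -f1 | sort -u |
    grep -e '192.168'
}

echo "Code Red (anchored):"; code_red_hosts
echo "Nimda (anchored):";    nimda_hosts
echo "Nimda (unanchored):";  nimda_hosts_unanchored
```

Run it with any POSIX sh; the anchored functions report only 192.168.4.17 and 192.168.7.3, while the unanchored variant also lists 10.192.168.9.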
