@grifferz
Created June 23, 2019 03:19
Dumb script to resolve a list of IPs to their reverse DNS and AS details
#!/bin/bash
#
# Dumb script to resolve a list of IPs to their reverse DNS and AS details.
#
# This directly calls whois against whois.cymru.com for each line of input,
# so if you're going to run it with hundreds of lines of input, maybe don't
# do that and use their DNS zone instead.
#
# Usage
# Pipe a list of counts and IP addresses through me like:
#
# $ grep badstuff /var/log/thing \
#     | thing_to_isolate_an_IP \
#     | sort | uniq -c | sort -rn \
#     | attackers.sh
#
# Then output be like:
#
# Count Attacker                                      Country AS
# -------------------------------------------------------------------------------------------------
#    18 89.248.171.57   ( scanner20.openportstats.com) NL      INT-NETWORK, SC [AS202425]
#     8 163.172.157.143 (143-157-172-163.rev.cloud.scaleway.com) GB      AS12876, FR [AS12876]
#     6 104.237.134.176 (li810-176.members.linode.com) US      LINODE-AP Linode, LLC, US [AS63949]
#     3 149.56.142.192  (       192.ip-149-56-142.net) CA      OVH, FR [AS16276]

printf "Count %-45s Country AS\n" Attacker
printf '%.0s-' {1..97}
echo ""

while read -r count ip; do
    # Keep only the first PTR (dig can return several) and drop the trailing dot.
    name=$(dig +short -x "$ip" | head -n 1 | sed -e 's/\.$//')
    name="${name:-Unset reverse DNS}"

    # All this "bar" nonsense because I didn't want to have to strip the spaces.
    # The query is sent with a leading space (" -v IP", the form Team Cymru
    # documents) so no whois client mistakes -v for one of its own options.
    # The last line of the verbose reply is:
    #   AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
    # and the unquoted echo collapses its whitespace before the fields are read.
    echo $(whois -h whois.cymru.com " -v $ip" | tail -n 1) \
        | while read -r asn bar asip bar prefix bar cc bar reg bar alloc bar asname; do
            printf "%5u %-15s (%28s) %-7s %-10s [AS%s]\n" \
                "$count" "$ip" "$name" "$cc" "$asname" "$asn"
        done
done
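An added example, not part of the gist, that does the same lookups through Team Cymru's DNS zones (origin.asn.cymru.com and asn.cymru.com), the route the script's header recommends for large inputs. The TXT records shown in the comments are constructed samples; the two helpers run offline, while `lookup_ip` and `main` need network access.

```sh
#!/bin/sh
# Added example, not from the original gist: reverse-DNS and AS details via
# Team Cymru's DNS zones instead of one whois call per line. Sample records
# in comments are constructed; lookup_ip needs network access.

# DNS name to query for an IPv4: octets reversed, under origin.asn.cymru.com.
cymru_origin_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".origin.asn.cymru.com" }'
}

# Turn one Cymru TXT record as printed by `dig +short` (quoted, fields joined
# by " | ") into tab-separated fields so callers can `cut -f N`. For example
#   "202425 | 89.248.171.0/24 | NL | ripencc | 2015-08-05"
# becomes 202425<TAB>89.248.171.0/24<TAB>NL<TAB>ripencc<TAB>2015-08-05
parse_cymru_record() {
    printf '%s\n' "$1" | sed -e 's/^"//' -e 's/"$//' \
        | awk -F' *[|] *' 'BEGIN { OFS = "\t" } { $1 = $1; print }'
}

# Resolve one "count ip" pair and print a row in the gist's table format.
# An origin record may list several ASNs ("16276 3356"); the first is used.
lookup_ip() {
    count=$1; ip=$2
    rec=$(dig +short TXT "$(cymru_origin_name "$ip")" | head -n 1)
    asn=$(parse_cymru_record "$rec" | cut -f1 | cut -d' ' -f1)
    cc=$(parse_cymru_record "$rec" | cut -f3)
    asname=""
    if [ -n "$asn" ]; then
        # AS<n>.asn.cymru.com TXT: "ASN | CC | registry | allocated | AS name"
        asrec=$(dig +short TXT "AS$asn.asn.cymru.com" | head -n 1)
        asname=$(parse_cymru_record "$asrec" | cut -f5)
    fi
    name=$(dig +short -x "$ip" | head -n 1 | sed -e 's/\.$//')
    printf '%5u %-15s (%28s) %-7s %-10s [AS%s]\n' "$count" "$ip" \
        "${name:-Unset reverse DNS}" "${cc:-??}" "${asname:-unknown}" "${asn:-NA}"
}

# Same header and input as the gist: ... | sort | uniq -c | sort -rn | sh this.sh --run
main() {
    printf 'Count %-45s Country AS\n' Attacker
    printf '%97s\n' '' | tr ' ' '-'
    while read -r count ip; do
        [ -n "$ip" ] && lookup_ip "$count" "$ip"
    done
}

if [ "${1:-}" = "--run" ]; then main; fi
```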