Scan Apache logs for Nimda or Code Red worm attempts
#!/usr/bin/perl
###########################################################################
# This parses Apache access log files for Nimda or Code Red attempts.     #
# It reports the number of attempts and shows the most recent one and    #
# which host it came from.                                               #
###########################################################################
# Author: Tyler L. Longren
# E-mail: tlongren@gmail.com
# URL: http://longren.org
#
# To get this to work, just modify the $log_file variable to point to your Apache access log.
# The script only needs read access to that log (and write access to the current directory
# when -l is used); it does not need to run as root. Treat the log lines as untrusted input:
# they are attacker-supplied request strings.
use strict;
use warnings;
use Getopt::Std;
use POSIX qw(strftime);
use Term::ANSIColor;
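# Parse the switches into the file-scoped %options. getopts() returns false
# on an unrecognised switch; rather than carrying on with a half-parsed
# command line, show the help text and exit non-zero.
getopts("lphnc", \my %options)
    or do { usage(); exit 1; };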
# Print the command-line synopsis to STDOUT. The text ends with a blank
# line, exactly as the original single quoted string did.
sub usage {
    print <<"USAGE";
Usage: ./worms.pl [-c] [-n] [-p] [-l] [-h]
 -c : Scan for code red attempts
 -h : Print this help message
 -l : Log total attempts and date to .nimda.log or .codered.log
 -n : Scan for nimda attempts
 -p : Plain text, no color

USAGE
    return;
}
# Paths used by both scans.
#   $log_file  - the Apache access log to read (edit this for your host).
#   $temp_file - scratch file the scans append matching lines to.
# NOTE(review): a fixed, predictable name under /tmp that is opened for
# append follows symlinks, so a local user could point it at another file;
# a File::Temp handle would avoid that.
my ($log_file, $temp_file) = (
    "/usr/local/apache/logs/access_log",
    "/tmp/worms.tmp",
);
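# Read $log_file once and return every (chomped) line matching $pattern.
# The original routed the hits through a fixed scratch file under /tmp,
# opened for append and later removed with a shelled-out `rm`; counting is
# now done on the in-memory list, so nothing is written to a predictable
# path and no shell is involved.
sub _matching_lines {
    my ($pattern) = @_;
    open my $log, '<', $log_file or die "Could not open $log_file: $!";
    print "Reading logs...\r";
    my @hits;
    while (my $line = <$log>) {
        chomp $line;
        push @hits, $line if $line =~ $pattern;
    }
    close $log;
    return @hits;
}

# Remote host of an access-log line: the first whitespace-delimited field
# in the common/combined log formats. Handles hostnames and IPv6 literals
# as well as dotted IPv4 (the old /([\d.]+)\s/ took the first digit run
# followed by a space anywhere in the line). Returns undef for a blank line.
sub _remote_host {
    my ($line) = @_;
    return unless defined $line;
    my ($host) = $line =~ /\A(\S+)/;
    return $host;
}

# Number of lines in @hits whose remote host equals $host exactly. The old
# substring match /\Q$host\E/ also counted 10.0.0.1 inside 10.0.0.10 and
# any occurrence of the address in the request or referrer fields.
sub _count_from_host {
    my ($host, @hits) = @_;
    my $n = 0;
    for my $line (@hits) {
        my $h = _remote_host($line);
        $n++ if defined $h && $h eq $host;
    }
    return $n;
}

# Log lines are attacker-controlled; replace anything outside printable
# ASCII before echoing one to the terminal, so an injected escape sequence
# in a request cannot redraw, retitle or otherwise drive the terminal.
sub _printable {
    my ($text) = @_;
    (my $clean = $text) =~ s/[^\x20-\x7e]/?/g;
    return $clean;
}

# Append "<count> - MM.DD.YYYY HH:MM:SS" to $file (relative to the current
# directory, as before). strftime replaces the backticked GNU `date` call.
sub _append_count {
    my ($file, $count) = @_;
    my $stamp = strftime('%m.%d.%Y %T', localtime);
    open my $out, '>>', $file or die "Could not open $file: $!";
    print {$out} "$count - $stamp\n";
    close $out or die "Could not write $file: $!";
    return;
}

# Code Red variant from the request line: a run of N's after default.ida?
# is Code Red I, a run of X's is Code Red II. These are the same
# signatures the old code compared, but it read them from a fixed byte
# offset (67) that only holds for one particular log layout.
sub _codered_version {
    my ($line) = @_;
    return "Code Red (Unknown)" unless defined $line;
    return "Code Red I"  if $line =~ /(?i:default\.ida)\?N{3}/;
    return "Code Red II" if $line =~ /(?i:default\.ida)\?X{3}/;
    return "Code Red (Unknown)";
}

# Clear the screen and print the report shared by both scans.
#   name    - worm label used in the headings ("Code Red", "Nimda")
#   hits    - array ref of matching log lines, oldest first
#   logfile - file appended to when -l is given
#   version - optional extra "Version:" line
# Honours -p (no colour) and -l (append the total to $logfile) from the
# file-scoped %options. An empty hit list is reported as such instead of
# producing undefined-value warnings and a bogus "last host".
sub _report {
    my (%arg)  = @_;
    my @hits   = @{ $arg{hits} };
    my $name   = $arg{name};
    my $total  = scalar @hits;

    system("clear");
    print "Scan Type: $name";
    print "\nVersion: $arg{version}" if defined $arg{version};
    print "\n$name attempts: ";
    if (defined $options{p}) {
        print $total;
    }
    else {
        print color("bold red"), $total, color("reset");
    }
    if (defined $options{l}) {
        _append_count($arg{logfile}, $total);
        print " (logged)";
    }

    if (!@hits) {
        print "\nLogfile: $log_file\nNo $name attempts found.\n";
        return;
    }

    my $last      = $hits[-1];
    my $last_host = _remote_host($last);
    my $from_host = defined $last_host ? _count_from_host($last_host, @hits) : 0;
    print "\nLast Host: ", (defined $last_host ? $last_host : '(unknown)');
    print "\nHost attempts: $from_host";
    print "\nLogfile: $log_file";
    print "\nHere's the most recent $name attempt:\n",
          "---------------------------------------------------\n",
          _printable($last), "\n",
          "---------------------------------------------------\n";
    return;
}

# -c: scan for Code Red probes (requests for /default.ida).
sub codered {
    my @hits = _matching_lines(qr/default\.ida/i);
    _report(
        name    => 'Code Red',
        hits    => \@hits,
        version => _codered_version($hits[-1]),
        logfile => '.codered.log',
    );
    return;
}

# -n: scan for Nimda probes (cmd.exe?/c+dir style requests).
sub nimda {
    my @hits = _matching_lines(qr/c\+dir/i);
    _report(
        name    => 'Nimda',
        hits    => \@hits,
        logfile => '.nimda.log',
    );
    return;
}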
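# Dispatch on the parsed switches. -h now takes precedence even when
# combined with a scan flag (previously it was ignored unless it was the
# only option), and a run with no scan selected is reported as a usage
# error with a non-zero exit status so callers can tell it apart from a
# completed scan.
if (defined $options{h}) {
    usage();
    exit 0;
}
elsif (defined $options{c}) {
    codered();
    exit 0;
}
elsif (defined $options{n}) {
    nimda();
    exit 0;
}
else {
    usage();
    exit 1;
}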