

Re: [isp-linux] RE: Massive port 80 hits

daemon@ATHENA.MIT.EDU (Bill Larson)
Tue Sep 18 16:02:36 2001

Message-ID: <00d801c14076$aab21280$2223f8d8@compu.net>
From: "Bill Larson" <blarson@compu.net>
To: <isp-linux@isp-linux.com>
Cc: <nanog@merit.edu>
Date: Tue, 18 Sep 2001 14:18:09 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


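#!/usr/bin/perl

# IISBLOCK - Infected IIS server blocking utility.
# by Bill Larson <blarson@compu.net> of Compu-Net Enterprises.
# http://www.compu.net. This header must be kept intact if you
# wish to redistribute the script.
#
# What it does: reads the web server access log, and for every entry
# that reaches for /winnt/system32/ (the worm probe signature this
# script keys on) takes the client field from the start of the line,
# records it once in $infection, inserts an ipchains DENY rule for it,
# and appends the matching "-D" command to $removelist so the rules can
# be cleared later by running that file as a shell script
# (chmod 700 /root/fwclean first).
#
# Security notes for operators:
#  - The client field is taken from the access log. The log is written
#    by the server, but its contents are influenced by the remote side
#    (the request line, and the host field too if the server resolves
#    names). It is therefore validated against a strict allow-list of
#    dotted-quad IPv4 / plain hostname characters before it is passed to
#    ipchains or written into the removal script, which is later run as
#    root. Anything else is reported and skipped.
#  - ipchains is invoked in list form, so no shell ever sees the field.
#  - A host is blocked at most once, by exact comparison against the
#    $infection file (an earlier version used an unanchored regex match,
#    which let 10.1.1.1 suppress the block for 10.1.1.10, and treated the
#    dots as wildcards).
#  - The whole log is re-read on every run; the $infection file is what
#    keeps rules from being re-added.

use strict;
use warnings;

my $weblog     = "/etc/www/logs/access_log";
my $infection  = "/root/infected";
my $removelist = "/root/fwclean";

# Firewall command, split into the part before and after the address so
# it can be handed to system() as a list (no shell involved).
my @fw_add_prefix = ("/sbin/ipchains", "-I", "input", "-s");
my @fw_add_suffix = ("-j", "DENY", "-l");

# Hosts that have already been acted on, loaded once from $infection.
# A missing file just means nothing has been blocked yet.
my %already_blocked;
if (open my $seen_fh, '<', $infection) {
    while (my $seen = <$seen_fh>) {
        chomp $seen;
        $already_blocked{$seen} = 1 if length $seen;
    }
    close $seen_fh;
}

# Re-create the removal script with its shell header. NOTE: as in the
# original, the file is truncated on every run, so it only lists the
# rules added by the most recent run -- keep a copy if you need the
# earlier ones.
open my $rm_fh, '>', $removelist or die "iisblock: cannot write $removelist: $!";
print {$rm_fh} "#!/bin/sh\n";
close $rm_fh or die "iisblock: cannot close $removelist: $!";

# Walk the access log once.
open my $log_fh, '<', $weblog or die "iisblock: cannot read $weblog: $!";
while (my $entry = <$log_fh>) {
    # chomp, not chop: a final line with no trailing newline must not
    # lose its last character.
    chomp $entry;

    # Probe signature. Deliberately unanchored: the path may show up in
    # the request line, the referrer or the user agent. Case-insensitive
    # because IIS paths are, and probes vary the case.
    next unless $entry =~ m{/winnt/system32/}i;

    # Common log format starts "host - user [date] ...": everything up to
    # the first " -" is the client host field.
    (my $host = $entry) =~ s/\ -.*//;

    infected($host);
}
close $log_fh;

# Block one host: record it, insert the firewall rule, write the removal
# line. Takes the client field as its only argument; does nothing for a
# host already recorded, and skips (with a warning) any field that does
# not look like an IPv4 address or a plain hostname.
sub infected {
    my ($host) = @_;

    # Act only once per host.
    return if $already_blocked{$host};

    # Allow-list: dotted quad, or hostname characters only, beginning and
    # ending with an alphanumeric. This is what makes the value safe to
    # pass to ipchains and to embed in the removal shell script.
    my $ipv4_re = qr/\d{1,3}(?:\.\d{1,3}){3}/;
    my $name_re = qr/[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?/;
    unless ($host =~ /\A(?:$ipv4_re|$name_re)\z/) {
        warn "iisblock: skipping unusable host field '$host'\n";
        return;
    }
    $already_blocked{$host} = 1;

    # Record it first, as the original did, so a firewall failure still
    # leaves a trace of what was attempted.
    open my $inf_fh, '>>', $infection or die "iisblock: cannot append $infection: $!";
    print {$inf_fh} "$host\n";
    close $inf_fh or die "iisblock: cannot close $infection: $!";

    # Insert the DENY rule (-l logs matches). ipchains prints its own
    # error on an address it cannot resolve; the exit status is checked
    # so the failure is visible rather than silent.
    my $status = system(@fw_add_prefix, $host, @fw_add_suffix);
    if ($status != 0) {
        warn "iisblock: ipchains -I failed for $host (status $status)\n";
    }

    # Removal line for the fwclean script. Adjust for other firewall
    # software. $host has passed the allow-list above.
    open my $rm_fh, '>>', $removelist or die "iisblock: cannot append $removelist: $!";
    print {$rm_fh} "/sbin/ipchains -D input -s $host -j DENY -l\n";
    close $rm_fh or die "iisblock: cannot close $removelist: $!";

    return;
}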


