[cobalt-security] Log info Question and Script for Code Red Logging



Hi All;

With this Code Red trying to trash the net I am running a small
cgi script that gives me an output to my browser.

On my Qube 2 I get the overall log of attacks which is what I want...
on the Qube 3, Raq3's and Raq 4's I only get the daily log
of attacks... which is ok... I can have a second copy of the
script for overall attacks...

But my question is: which, or where, are the logs for
the Qube 3, Raq 3 and Raq 4 that I can use?...

And on my Qube 2 where is the daily log?...


I did include my script for usage by others...
(This is for my Qube 2) just set the attribs to 755
Call it red.cgi or codered.cgi... It works for me!


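#!/usr/bin/perl
#
# List Code Red probes found in the web server access log
use strict;
use warnings;

# Escape HTML metacharacters so log content cannot inject markup into the page
sub esc {
    my $s = shift;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

print "Content-type: text/html\n\n";
print "<HTML>\n";
print "<HEAD>\n";
print "<TITLE>Code Red Results</TITLE>\n";
print "</HEAD>\n";
print "<body>\n";
print qq|<font face="verdana" size="3">\n|;
print "<pre>\n";
print "\nAnalysing WebServer Logs ...\n\n";
print "<br><p>\n";

# Change this line to path to the right log file

my $hits = `cat  /home/log/httpd/home-access | grep "default.ida\?NNNN"`;
#

# One matching log line per probe: pull out the client IP and the [timestamp]
my @hits = split(/\n/,$hits);
foreach my $hit (@hits) {
    my ($ip) = $hit =~ /(\d+\.\d+\.\d+\.\d+)/;
    my ($time) = $hit =~ /\[([^\]]*)\]/;
    print "Time of Attack ", esc($time), "          IP Address of Attacker ", esc($ip), "\n";
}
print "<br>\n";
print "\nFound ", scalar(@hits), " probes from 'Code Red' worms !!\n\n";
print "</pre>\n";
print "</body>\n";
print "</html>\n";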



Franklin S. Werren, webmaster@xxxxxxxxxxxx   www.bagpipes.net
Modem Madness Ringmaster at www.madbbs.com/webring/
ICQ 8556386 or fswerren46 on AOL's IM or fswerren46 for MSN Messenger

Frank's Radio, P.O. Box 990, Sherman NY 14781-0990
www.franksradio.net
For the best ISP in Chautauqua County NY and North West Pa
go to www.madbbs.com    They treat you right.
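
An added example, not part of the original post: a command-line variant that groups probes by source address across one or more access logs passed as arguments, so one script can be pointed at either a daily or an overall log. It assumes Common Log Format with lines in chronological order, also matches the X-padded request sent by Code Red II (which the grep above does not), and falls back to constructed sample lines when no file is given.

```perl
#!/usr/bin/perl
# Added example: per-source summary of Code Red probes (plain-text output).
use strict;
use warnings;

# Constructed sample lines (documentation addresses), used when no log is given.
my @sample = (
    '192.0.2.10 - - [05/Aug/2001:10:01:02 -0400] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 404 276',
    '198.51.100.7 - - [05/Aug/2001:10:05:40 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [05/Aug/2001:10:06:11 -0400] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 404 276',
    '192.0.2.10 - - [05/Aug/2001:11:30:45 -0400] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 404 276',
);

# Parse one log line; return (ip, time, variant) for a probe, or an empty list.
# Anchoring on the leading host field keeps later, client-supplied fields
# (user name, referer, user agent) from being mistaken for the address or time.
sub parse_probe {
    my ($line) = @_;
    return () unless $line =~
        m{^(\S+) \S+ \S+ \[([^\]]+)\] "GET /default\.ida\?(N|X)\3{3}};
    return ($1, $2, $3 eq 'N' ? 'CodeRed' : 'CodeRedII');
}

# Build { ip => { count, first, last, variants } } from a list of log lines.
sub summarize {
    my (@lines) = @_;
    my %seen;
    for my $line (@lines) {
        my ($ip, $time, $variant) = parse_probe($line) or next;
        my $s = $seen{$ip} ||= { count => 0, first => $time, variants => {} };
        $s->{count}++;
        $s->{last} = $time;              # input is assumed chronological
        $s->{variants}{$variant}++;
    }
    return \%seen;
}

my @lines = @ARGV ? <> : @sample;        # read the named logs, else the samples
chomp @lines;
my $seen  = summarize(@lines);
my $total = 0;
for my $ip (sort { $seen->{$b}{count} <=> $seen->{$a}{count} || $a cmp $b } keys %$seen) {
    my $s = $seen->{$ip};
    $total += $s->{count};
    printf "%-15s %4d  %s .. %s  %s\n", $ip, $s->{count}, $s->{first},
        $s->{last}, join(',', sort keys %{ $s->{variants} });
}
printf "%d probes from %d hosts\n", $total, scalar keys %$seen;
```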