[cobalt-security] Apache/mod_ssl Worm (cross-post)
- Subject: [cobalt-security] Apache/mod_ssl Worm (cross-post)
- From: Glen Scott <glen@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 16 Sep 2002 13:51:07 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi all,
Here is a Perl script that I quickly knocked up which scans your
Apache error log file for potential scans from machines infected with
the Apache/mod_ssl Worm.
It will list the number of scans, the IP address, hostname if
available and the abuse email address for the network. You can then
decide whether you need to inform the network owner of the worm.
To install it, just upload it to your admin account and make it
executable with 'chmod +x scriptname.pl'. Run it with
'./scriptname.pl'. You can call it whatever you wish.
It is worth pointing out that the script looks for lines that contain
the error message 'request without hostname' as a sign that the worm
has been scanning. The actual message that appears in the log file
is:
...client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
The script was tested on a RaQ3.
Feel free to amend/improve the script!
Regards,
Glen Scott
#!/usr/bin/perl -w
### Apache/mod_ssl Worm log scanner
### Glen Scott <glen@xxxxxxxxxxxxxxxxxxxx>
use strict;
use Socket;

# Apache error log on a RaQ3; adjust the path for other layouts
my $logfile = '/var/log/httpd/error';

my ( $ip, $name, $abuse_email );
# cache of (hostname, abuse contact) per address, so each source IP is
# resolved and asked of abuse.net only once however many times it scanned
my %contact;

print "Apache/mod_ssl Worm Scanner...\n";
print "Checking Apache error log file...\n\n";

# get suspect lines from Apache error log
open( LOG, "< $logfile" ) or die "Cannot open $logfile: $!\n";
my @suspects = grep { /request without hostname/ } <LOG>;
close( LOG );

# output format
format OUTPUT_TOP =
IP Address      Host Name                                 Abuse Contact
------------------------------------------------------------------------------------
.
format OUTPUT =
@<<<<<<<<<<<<<<<@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<@<<<<<<<<<<<<<<<<<<<<<<<<<
$ip, $name, $abuse_email
.

if ( @suspects > 0 ) {
    print "\nReceived " . @suspects . " total scan(s):\n";
    my $ofh = select( STDOUT );
    $~ = "OUTPUT";
    $^ = "OUTPUT_TOP";
    foreach my $suspect ( @suspects ) {
        # check for an IP address (first dotted quad on the line)
        if ( $suspect =~ /(\d+\.\d+\.\d+\.\d+)/ ) {
            $ip = $1;
            $contact{$ip} = [ lookup( $ip ) ] unless exists $contact{$ip};
            # reset both columns on every line so a failed lookup never
            # shows the previous address's contact
            ( $name, $abuse_email ) = @{ $contact{$ip} };
            write;
        }
    }
    select( $ofh );
}
else {
    print "No signs of scanning found in log file.\n";
}
exit( 0 );

# reverse-resolve an address and ask abuse.net for the network's abuse
# contact; returns ( hostname, email ), with '-' for anything not found
sub lookup {
    my $addr   = shift;
    my $packed = inet_aton( $addr );
    return ( '-', '-' ) unless defined $packed;
    # look up hostname
    my $host = gethostbyaddr( $packed, AF_INET );
    return ( '-', '-' ) unless defined $host;
    # the PTR record is data chosen by whoever runs the scanning network:
    # only pass it to the shell if it looks like a plain hostname, never
    # if it carries quotes, semicolons or other metacharacters
    return ( $host, '-' ) unless $host =~ /^[A-Za-z0-9.-]+$/;
    # lookup abuse email address using abuse.net
    my $output = `whois $host\@whois.abuse.net`;
    # grab the first email address in the reply, '-' if none came back
    return ( $host, $output =~ /([a-zA-Z0-9_-]+@\S+)/ ? $1 : '-' );
}
--
Get your own FREE TaskManager at: http://tasks.dessol.net/
---
Design Solution Limited
t: +44 (0)1502 513008
f: +44 (0)870 460 2518
e: info@xxxxxxxxxxxxxxxxxxxx
w: http://www.designsolution.co.uk
Nouvotech House, Harbour Road,
Oulton Broad, Suffolk, NR32 3LZ, UK
---
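The detection the post describes, as an added example in Python that is not Glen's script and not part of the original message: it matches the exact 'request without hostname' message quoted above in Apache 1.3-style error log lines (the `[date] [error] [client a.b.c.d]` prefix is an assumption about the log layout), anchors on the `[client ...]` field rather than the first dotted quad on the line, and, going beyond the Perl script, tallies hits per source address with first and last time seen. Apache emits that message for any HTTP/1.1 request that lacks a Host header, so a single hit is not by itself evidence of the worm; the `min_hits` threshold separates repeated probing from a one-off stray request. The log lines are constructed for the example using RFC 5737 documentation addresses, and no DNS or whois lookups are made, so it runs offline.

```python
import re

# Constructed Apache 1.3-style error_log excerpt for this example; the
# addresses are documentation ranges (RFC 5737), not real scanners.
SAMPLE_ERROR_LOG = """\
[Mon Sep 16 09:12:03 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Mon Sep 16 09:12:05 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Mon Sep 16 09:13:44 2002] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Mon Sep 16 09:14:01 2002] [error] [client 203.0.113.5] File does not exist: /home/sites/site1/web/favicon.ico
[Mon Sep 16 09:15:30 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
"""

# Anchor on the [client a.b.c.d] field so a dotted quad inside the request
# path or message text cannot be mistaken for the source address. The
# message is the string quoted in the post.
WORM_SCAN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"client sent HTTP/1\.1 request without hostname"
)


def parse_scan(line):
    """Return (timestamp, ip) if the line is a no-Host-header hit, else None."""
    m = WORM_SCAN_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip")


def tally_scans(lines):
    """Aggregate hits per source IP: count plus first and last timestamp seen.

    Insertion order is the order in which each address first appears."""
    stats = {}
    for line in lines:
        hit = parse_scan(line)
        if hit is None:
            continue
        ts, ip = hit
        entry = stats.setdefault(ip, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["last"] = ts
    return stats


def suspects(lines, min_hits=2):
    """Addresses with at least min_hits hits, busiest first.

    Any HTTP/1.1 client that omits the Host header triggers the same Apache
    message, so a threshold above one keeps one-off noise off the list."""
    stats = tally_scans(lines)
    ranked = sorted(stats.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [(ip, s["count"], s["first"], s["last"])
            for ip, s in ranked if s["count"] >= min_hits]


if __name__ == "__main__":
    # min_hits=1 lists every address that produced the message at all
    for ip, n, first, last in suspects(SAMPLE_ERROR_LOG.splitlines(), min_hits=1):
        print("%-16s %3d hit(s)  %s .. %s" % (ip, n, first, last))
```

Feeding the real file is a matter of `suspects(open("/var/log/httpd/error"))`; the reverse lookup and abuse.net query from the Perl script would then be run once per address in the returned list rather than once per log line.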