Hi all,
Here is a Perl script that I quickly knocked up which scans your Apache
error log file for potential scans from machines infected with the
Apache/mod_ssl Worm.
It will list the number of scans, the IP address, hostname if available
and the abuse email address for the network. You can then decide
whether you need to inform the network owner of the worm.
To install it, just upload it to your admin account and make it
executable with 'chmod +x scriptname.pl'. Run it with
'./scriptname.pl'. You can call it whatever you wish.
It is worth pointing out that the script looks for lines that contain
the error message 'request without hostname' as a sign that the worm has
been scanning. The actual message that appears in the log file is:
...client sent HTTP/1.1 request without hostname (see RFC2068 section 9,
and 14.23): /
The script was tested on a RaQ3.
Feel free to amend/improve the script!
Regards,
Glen Scott
#!/usr/bin/perl -w
### Apache/mod_ssl Worm log scanner
### Glen Scott <glen@xxxxxxxxxxxxxxxxxxxx>
use strict;
use Socket;

my $logfile = '/var/log/httpd/error';   # Apache error log on a RaQ3
my ( $ip, $name, $abuse_email );

print "Apache/mod_ssl Worm Scanner...\n";
print "Checking Apache error log file...\n\n";

# get suspect lines from Apache error log (die loudly rather than
# reporting "no scans" when the log cannot be read)
open( my $log, '<', $logfile ) or die "Cannot open $logfile: $!\n";
my @suspects = grep { /request without hostname/ } <$log>;
close( $log );

# output format
format OUTPUT_TOP =
IP Address      Host Name                                 Abuse Contact
------------------------------------------------------------------------------------
.
format OUTPUT =
@<<<<<<<<<<<<<<<@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<@<<<<<<<<<<<<<<<<<<<<<<<<<
$ip, $name, $abuse_email
.

if ( @suspects > 0 ) {
    print "\nReceived " . @suspects . " total scan(s):\n";
    my $ofh = select( STDOUT );
    $~ = "OUTPUT";
    $^ = "OUTPUT_TOP";
    foreach my $suspect ( @suspects ) {
        # check for an IP address
        next unless $suspect =~ /(\d+\.\d+\.\d+\.\d+)/;
        $ip = $1;
        # reset for every line so a previous row's hostname or contact
        # cannot leak into a row where the lookup fails
        ( $name, $abuse_email ) = ( '-', '-' );
        # inet_aton returns undef for a dotted quad that is not a valid address
        my $packed = inet_aton( $ip );
        # look up hostname
        my $host = defined $packed ? gethostbyaddr( $packed, AF_INET ) : undef;
        # The PTR record is set by the remote network, and it is about to be
        # handed to a shell: only accept a plain DNS name (letters, digits,
        # dots, hyphens). Anything else is left as '-'.
        if ( defined $host and $host =~ /^[A-Za-z0-9.-]+$/ ) {
            $name = $host;
            # lookup abuse email address using abuse.net
            my $command = 'whois ' . $name . '@whois.abuse.net';
            my $output  = `$command`;
            # grab email address
            if ( defined $output and $output =~ m/([a-zA-Z0-9_-]+@\S+)/ ) {
                $abuse_email = $1;
            }
        }
        write;
    }
    select( $ofh );
}
else {
    print "No signs of scanning found in log file.\n";
}
exit( 0 );
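As an added example (not part of Glen Scott's post or his script), here is the same detection logic in Python, run over a few constructed Apache 1.3 error_log lines. It goes a little beyond the Perl script: because Apache logs "request without hostname" for any HTTP/1.1 request that arrives without a Host header, it aggregates hits per source address with first and last seen times, so a host that swept you fifty times shows as one row with a count rather than fifty rows; it discards client fields that are not valid IPv4 addresses; and it includes the hostname check you would want before passing a reverse-DNS name to whois, since the PTR record is under the remote network's control. The log lines, the whois text and the 'example.net' addresses are constructed for the example, not real data.

```python
"""Apache/mod_ssl worm probe summary from Apache 1.3 error_log lines.

Added example, not code from the original post. The sample log lines and
whois text at the bottom are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime

# Apache 1.3 error_log line layout:
#   [Mon Sep 16 10:12:33 2002] [error] [client 10.0.0.5] <message>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"
# Message the post uses as the worm signature. Apache writes it for any
# HTTP/1.1 request lacking a Host header, so per-source counts matter.
SIGNATURE = "request without hostname"

# Plain DNS name only (labels of letters, digits, hyphens). A PTR record is
# chosen by the remote network; nothing else may reach a shell or whois argv.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*\.?$")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def safe_hostname(name):
    """True if name is a syntactically plain hostname, safe to pass to whois."""
    return len(name) <= 253 and HOSTNAME_RE.match(name) is not None


def parse_line(line):
    """Return (timestamp, ip, message) for a signature hit, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None or SIGNATURE not in m.group("msg"):
        return None
    try:
        ip = str(ipaddress.IPv4Address(m.group("client")))
    except ValueError:
        return None  # not a valid dotted quad (e.g. 999.1.1.1); nothing to look up
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, ip, m.group("msg")


def scan_error_log(lines):
    """Aggregate signature hits per source IP: count, first and last seen."""
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _ = parsed
        rec = hits.setdefault(ip, {"count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return hits


def abuse_contacts(whois_text):
    """Every e-mail address in a whois reply, in order, without duplicates."""
    seen = []
    for addr in EMAIL_RE.findall(whois_text):
        if addr not in seen:
            seen.append(addr)
    return seen


def summary_rows(hits):
    """(ip, count, first, last) rows sorted by count, busiest source first."""
    return sorted(
        ((ip, r["count"], r["first"], r["last"]) for ip, r in hits.items()),
        key=lambda row: (-row[1], row[0]),
    )


# Constructed sample data (not a real log or a real whois answer).
SAMPLE_LOG = """\
[Mon Sep 16 10:12:33 2002] [error] [client 10.0.0.5] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Mon Sep 16 10:12:34 2002] [error] [client 10.0.0.5] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Mon Sep 16 10:13:01 2002] [error] [client 192.0.2.77] File does not exist: /home/sites/site1/web/favicon.ico
[Mon Sep 16 11:02:17 2002] [error] [client 192.0.2.77] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Mon Sep 16 11:05:00 2002] [error] [client 999.1.1.1] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
not an apache error line at all
"""
SAMPLE_WHOIS = "abuse@example.net (for example.net)\nsecurity@example.net\nabuse@example.net\n"

if __name__ == "__main__":
    for ip, count, first, last in summary_rows(scan_error_log(SAMPLE_LOG.splitlines())):
        print(f"{ip:<16}{count:>5}  {first:%Y-%m-%d %H:%M}  {last:%Y-%m-%d %H:%M}")
    print("contacts:", abuse_contacts(SAMPLE_WHOIS))
    print("safe:", safe_hostname("host.example.net"), safe_hostname("x;id.example.net"))
```

Point `scan_error_log` at the real file with `open(path)` instead of `SAMPLE_LOG.splitlines()`; the reverse lookup and the whois call themselves are deliberately left out so the block runs offline, but whatever name the lookup returns should pass `safe_hostname` before it is used as a command-line argument.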