Re: [cobalt-security] Apache/mod_ssl Worm (cross-post)



Hi,

thank you for your work, Glen. I ran the script on some of my machines, and it found the message "request without hostname" on two of them. But: these log entries are also from July 2002, and because the worm is rather new (I suppose), I doubt these entries were caused by it. I wonder if there are other, more reliable symptoms which would be caused by the worm?

However, I would expect an unusually high rate of suspicious entries in the error log since yesterday to be sufficient to alert admins.

Best regards -
Sven

Glen Scott wrote:
Hi all,

Here is a Perl script that I quickly knocked up which scans your Apache error log file for potential scans from machines infected with the Apache/mod_ssl Worm.

It will list the number of scans, the IP address, hostname if available and the abuse email address for the network. You can then decide whether you need to inform the network owner of the worm.

To install it, just upload it to your admin account and make it executable with 'chmod +x scriptname.pl'. Run it with './scriptname.pl'. You can call it whatever you wish.

It is worth pointing out that the script looks for lines that contain the error message 'request without hostname' as a sign that the worm has been scanning. The actual message that appears in the log file is:

...client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /

The script was tested on a RaQ3.

Feel free to amend/improve the script!

Regards,

Glen Scott

#!/usr/bin/perl -w

### Apache/mod_ssl Worm log scanner
### Glen Scott <glen@xxxxxxxxxxxxxxxxxxxx>

use strict;
use Socket;

my ( $ip, $name, $abuse_email );

print "Apache/mod_ssl Worm Scanner...\n";
print "Checking Apache error log file...\n\n";

# get suspect lines from Apache error log
my @suspects = `egrep 'request without hostname' /var/log/httpd/error`;

# output format
format OUTPUT_TOP =
IP Address      Host Name                                 Abuse Contact
------------------------------------------------------------------------------------
.

format OUTPUT =
@<<<<<<<<<<<<<<<@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<@<<<<<<<<<<<<<<<<<<<<<<<<<
$ip,            $name,                                    $abuse_email
.

if ( @suspects > 0 ) {
    print "\nReceived " . @suspects . " total scan(s):\n";

    my $ofh = select( STDOUT );
    $~ = "OUTPUT";
    $^ = "OUTPUT_TOP";
    foreach my $suspect( @suspects ) {
        # check for an IP address
        if ( $suspect =~ /(\d+\.\d+\.\d+\.\d+)/ ) {
            $ip = $1;

            # reset per line, so a failed lookup does not reuse the previous line's values
            $name        = '-';
            $abuse_email = '-';

            # look up hostname; the reverse-DNS result is controlled by the scanning
            # host's network, so only pass it to the shell if it is a plain hostname
            if ( my $host = gethostbyaddr( inet_aton( $ip ), AF_INET ) ) {
                $name = $host;

                if ( $host =~ /^[A-Za-z0-9._-]+$/ ) {
                    my $command = 'whois ' . $host . '@whois.abuse.net';

                    # lookup abuse email address using abuse.net
                    my $output = `$command`;

                    # grab email address
                    if ( $output =~ m/([a-zA-Z0-9_-]+@\S+)/ ) {
                        $abuse_email = $1;
                    }
                }
            }

            write;
        }
    }

    select( $ofh );
}
else {
    print "No signs of scanning found in log file.\n";
}

exit( 0 );
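The following is an added example, not Glen's script and not from the original thread. It takes the same 'request without hostname' signature but parses the Apache 1.3 error_log timestamp as well as the client address, aggregates hits per IP with first/last seen, and accepts a cut-off date, which is the check Sven's reply asks for: old entries from months ago can be separated from a burst that started yesterday. The log lines below are constructed sample data in the Apache 1.3 `[timestamp] [level] [client ip] message` format (the RaQ3 path and format are assumed); no DNS or whois lookups are made, so it runs offline.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache 1.3 error_log format (not real log data).
SAMPLE_LOG = """\
[Tue Jul  9 03:12:44 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Fri Sep 13 22:41:02 2002] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Fri Sep 13 22:41:05 2002] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Fri Sep 13 22:41:09 2002] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Fri Sep 13 23:02:17 2002] [error] [client 203.0.113.55] File does not exist: /home/httpd/html/favicon.ico
[Sat Sep 14 01:15:30 2002] [error] [client 203.0.113.55] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
"""

# Apache 1.3 error_log line: "[timestamp] [level] [client a.b.c.d] message"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# The message Glen's script keys on; the full text in the log is
# "client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /"
SIGNATURE = "request without hostname"


def parse_line(line):
    """Return (timestamp, client_ip, message) for one error_log line, or None
    if the line is not in the expected format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return ts, m.group("ip"), m.group("msg")


def summarize_scans(lines, since=None):
    """Aggregate signature hits per client IP.

    Returns {ip: {"count": n, "first": datetime, "last": datetime}} counting
    only hits at or after `since` (all hits when `since` is None). Lines that
    do not parse, or carry a different error message, are ignored.
    """
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        if SIGNATURE not in msg:
            continue
        if since is not None and ts < since:
            continue
        entry = hits.setdefault(ip, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return hits


def report(hits):
    """Render the summary as a table, busiest source first."""
    rows = ["IP Address        Hits  First seen        Last seen"]
    for ip, e in sorted(hits.items(), key=lambda kv: kv[1]["count"], reverse=True):
        rows.append(
            f"{ip:<16}{e['count']:>6}  "
            f"{e['first']:%Y-%m-%d %H:%M}  {e['last']:%Y-%m-%d %H:%M}"
        )
    return "\n".join(rows)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("All hits:")
    print(report(summarize_scans(lines)))
    print("\nHits since 2002-09-13 only:")
    print(report(summarize_scans(lines, since=datetime(2002, 9, 13))))
```

On a real RaQ3 the `lines` argument would come from `open("/var/log/httpd/error")`; the `since` cut-off is what turns "the message appears somewhere in the log" into "this source has been hitting us repeatedly since yesterday", which is a far stronger indicator than a single old entry. Whois or abuse-contact lookups can be layered on afterwards for the IPs that remain, using Glen's script.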