[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] Apache/mod_ssl Worm (cross-post)
- Subject: Re: [cobalt-security] Apache/mod_ssl Worm (cross-post)
- From: Thomas Mertz <tmertz@xxxxxxxxxxxxx>
- Date: Mon, 16 Sep 2002 09:37:20 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
How about almost the same error message, except RFC2616 instead of RFC2068,
anyone know if that is the same worm or a harmless message?
Tom
----- Original Message -----
From: "Glen Scott" <glen@xxxxxxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>; <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Monday, September 16, 2002 8:51 AM
Subject: [cobalt-security] Apache/mod_ssl Worm (cross-post)
> Hi all,
>
> Here is a Perl script that I quickly knocked up which scans your
> Apache error log file for potential scans from machines infected with
> the Apache/mod_ssl Worm.
>
> It will list the number of scans, the IP address, hostname if
> available and the abuse email address for the network. You can then
> decide whether you need to inform the network owner of the worm.
>
> To install it, just upload it to your admin account and make it
> executable with 'chmod +x scriptname.pl'. Run it with
> './scriptname.pl'. You can call it whatever you wish.
>
> It is worth pointing out that the script looks for lines that contain
> the error message 'request without hostname' as a sign that the worm
> has been scanning. The actual message that appears in the log file
> is:
>
> ...client sent HTTP/1.1 request without hostname (see RFC2068 section
> 9, and 14.23): /
>
> The script was tested on a RaQ3.
>
> Feel free to amend/improve the script!
>
> Regards,
>
> Glen Scott
>
> #!/usr/bin/perl -w
>
> ### Apache/mod_ssl Worm log scanner
> ### Glen Scott <glen@xxxxxxxxxxxxxxxxxxxx>
>
> use strict;
> use Socket;
>
> my ( $ip, $name, $abuse_email );
>
> print "Apache/mod_ssl Worm Scanner...\n";
> print "Checking Apache error log file...\n\n";
>
> # get suspect lines from Apache error log
> my @suspects = `egrep 'request without hostname' /var/log/httpd/error`;
>
> # output format
> format OUTPUT_TOP =
> IP Address Host Name Abuse Contact
> --------------------------------------------------------------------------
----------
> .
>
> format OUTPUT =
>
@<<<<<<<<<<<<<<<@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<@<<<<<<<<<<<<<<<<<
<<<<<<<<
> $ip, $name, $abuse_email
> .
>
> if ( @suspects > 0 ) {
> print "\nReceived " . @suspects . " total scan(s):\n";
>
> my $ofh = select( STDOUT );
> $~ = "OUTPUT";
> $^ = "OUTPUT_TOP";
> foreach my $suspect( @suspects ) {
> # check for an IP address
> if ( $suspect =~ /(\d+\.\d+\.\d+\.\d+)/ ) {
> $ip = $1;
>
> # look up hostname
> if ( $name = gethostbyaddr( inet_aton( $ip ),
> AF_INET ) ) {
> my $command = 'whois ' . $name .
> '@whois.abuse.net';
>
> # lookup abuse email address using abuse.net
> my $output = `$command`;
>
> # grab email address
> if ( $output =~ m/([a-zA-Z0-9_-]+@\S+)/ ) {
> $abuse_email = $1;
> }
> }
> else {
> $name = '-';
> $abuse_email = '-';
> }
>
> write;
> }
> }
>
> select( $ofh );
> }
> else {
> print "No signs of scanning found in log file.\n";
> }
>
> exit( 0 );
>
>
> --
>
> Get your own FREE TaskManager at: http://tasks.dessol.net/
> ---
> Design Solution Limited
> t: +44 (0)1502 513008
> f: +44 (0)870 460 2518
> e: info@xxxxxxxxxxxxxxxxxxxx
> w: http://www.designsolution.co.uk
> Nouvotech House, Harbour Road,
> Oulton Broad, Suffolk, NR32 3LZ, UK
> ---
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
>