---------- Forwarded message ----------
Date: Fri, 4 Oct 2002 15:30:32 -0700
From: Sandy Herring <sandy@herring.org>
Reply-To: plug@lists.pdxlinux.org
To: plug@lists.pdxlinux.org
Subject: Re: [PLUG] Re: [rhn-users] Slapper.C/ OpenSSL (fwd)

And if you want to see what servers are attempting to exploit the
vulnerability on *your* Apache web server (and notify the owner or upstream
provider)...
-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#! /usr/bin/perl -w
#
# Look for "request without hostname" in Apache error_log
# and print summary report of infected hosts attempting
# to exploit Apache SSL vulnerability
#
# Usage: findSSL.pl /path/to/error/log(s.*)

use strict;

my $identstr = "request without hostname";
my $host;
my $first = "";
my $cnt;
my %probes;
my %lastprobe;
my $timedate;

# parse all files named on the command line (or stdin if none are given)
while (<>) {
    chomp;
    # only report Apache SSL exploits
    next unless /$identstr/;
    # error_log line layout: [date] [level] [client addr] message
    ($timedate, $host) = (split(/\[/, $_))[1,3];
    # skip matching lines that carry no [client ...] field
    next unless defined $timedate && defined $host;
    $timedate =~ s/\]//;
    $host =~ s/\].*//;
    $host =~ s/.* //;
    $first = "$host at $timedate" if ($first eq "");
    $probes{$host}++;
    $lastprobe{$host} = $timedate;
}

# print rather than printf: log-derived text must not be used as a format string
print "First probe was from $first\n\n";

# one report line per host, sorted by host string
foreach $host (sort keys(%probes)) {
    $cnt = $probes{$host};
    $timedate = $lastprobe{$host};
    write;
}

format STDOUT_TOP =
Count Host name / IP address Time and date of last probe
----- ---------------------- ---------------------------
.
format STDOUT =
@>>>> @<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<<<<<<<<<<
$cnt, $host, $timedate
.
-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[bigfish@kippered bigfish]$ findSSL.pl /var/log/httpd/error_log
First probe was from 213.17.88.105 at Thu Oct 3 04:09:10 2002
Count Host name / IP address Time and date of last probe
----- ---------------------- ---------------------------
1 200.168.170.235 Thu Oct 3 17:32:56 2002
1 213.17.88.105 Thu Oct 3 04:09:10 2002
Sandy
--
Sandy Herring, RHCE o sandy@herring.org
Peck of Pickled Pisces __ o http://herring.org/
UNIX or Web authoring questions? |\/ o\ o http://herring.org/finger.html
->http://herring.org/techie.html |/\__/ http://herring.org/pub-key.asc
*sh, Perl, C, VBA, PICK Assembler, Data/Basic, PROC & profanity spoken here.