Slapper detection script

Matt Alexander plug-discuss@lists.plug.phoenix.az.us
Fri, 4 Oct 2002 15:44:20 -0700 (PDT)


---------- Forwarded message ----------
Date: Fri, 4 Oct 2002 15:30:32 -0700
From: Sandy Herring <sandy@herring.org>
Reply-To: plug@lists.pdxlinux.org
To: plug@lists.pdxlinux.org
Subject: Re: [PLUG] Re: [rhn-users] Slapper.C/ OpenSSL (fwd)


And if you want to see what servers are attempting to exploit the
vulnerability on *your* Apache web server (and notify the owner or upstream
provider)...


-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#! /usr/bin/perl -w
#
# Look for "request without hostname" in Apache error_log
# and print summary report of infected hosts attempting
# to exploit Apache SSL vulnerability
#
# Usage: findSSL.pl /path/to/error/log(s.*)

use strict;

my $identstr = "request without hostname";
my $host;
my $first = "";
my $cnt;
my %probes;
my %lastprobe;
my $timedate;

# parse all files named on the command line (or stdin if none are given)
while (<>) {
    chomp;
    # only report Apache SSL exploits
    next unless /$identstr/;
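    ($timedate, $host) = (split(/\[/, $_))[1,3];
    # skip lines that lack the [time] [level] [client addr] fields
    next unless defined $timedate && defined $host;
    $timedate =~ s/\].*//;
    $host =~ s/\].*//;
    $host =~ s/.* //;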
    $first = "$host at $timedate" if ($first eq "");
    $probes{$host}++;
    $lastprobe{$host} = $timedate;
}

# print, not printf: text taken from the log must not be used as a format string
print "First probe was from $first\n\n";

foreach $host (sort keys(%probes)) {
    $cnt = $probes{$host};
    $timedate = $lastprobe{$host};
    write;
}

format STDOUT_TOP =
Count  Host name / IP address  Time and date of last probe
-----  ----------------------  ---------------------------
.

format STDOUT =
@>>>>  @<<<<<<<<<<<<<<<<<<<<<  @<<<<<<<<<<<<<<<<<<<<<<<<<
$cnt, $host, $timedate
.
-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


bigfish@kippered bigfish]$ findSSL.pl /var/log/httpd/error_log
First probe was from 213.17.88.105 at Thu Oct  3 04:09:10 2002

Count  Host name / IP address  Time and date of last probe
-----  ----------------------  ---------------------------
    1  200.168.170.235         Thu Oct  3 17:32:56 2002
    1  213.17.88.105           Thu Oct  3 04:09:10 2002


Sandy
-- 
Sandy Herring, RHCE                        o              sandy@herring.org
Peck of Pickled Pisces               __  o               http://herring.org/
UNIX or Web authoring questions?  |\/ o\  o  http://herring.org/finger.html
->http://herring.org/techie.html  |/\__/     http://herring.org/pub-key.asc
*sh, Perl, C, VBA, PICK Assembler, Data/Basic, PROC & profanity spoken here.
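
Added example, not part of the forwarded message or Sandy's script: the same "request without hostname" report, but ordered by parsed timestamps, so rotated logs passed in any order (error_log before error_log.1) still give the true first and last probe per host. It assumes the Apache 1.3 error_log layout "[time] [level] [client addr] message"; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout (Apache 1.3 error_log): [time] [level] [client addr] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[client (?P<host>[^\]\s]+)\] "
                  r".*request without hostname")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"   # e.g. "Thu Oct  3 04:09:10 2002"

# Constructed sample lines, deliberately out of time order (newest log first)
SAMPLE = [
    "[Thu Oct  3 17:32:56 2002] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /",
    "[Thu Oct  3 17:33:01 2002] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico",
    "[Thu Oct  3 04:09:10 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /",
    "[Thu Oct  3 05:00:00 2002] [error] request without hostname in a line with no client field",
    "[Wed Oct  2 23:59:59 2002] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /",
]

def summarize(lines):
    """Return {host: (count, first_seen, last_seen)} using parsed timestamps."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                 # unrelated line, or no [client ...] field
        try:
            # collapse the space-padded day ("Oct  3") before parsing
            when = datetime.strptime(" ".join(m["ts"].split()), TS_FORMAT)
        except ValueError:
            continue                 # malformed timestamp: skip rather than guess
        seen[m["host"]].append(when)
    return {host: (len(t), min(t), max(t)) for host, t in seen.items()}

def first_probe(summary):
    """Earliest (host, time) over all hosts, or None when nothing matched."""
    if not summary:
        return None
    host = min(summary, key=lambda h: summary[h][1])
    return host, summary[host][1]

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print("First probe:", first_probe(summary))
    for host in sorted(summary):
        count, first, last = summary[host]
        print(f"{count:5d}  {host:<22}  {first:%c}  {last:%c}")
```

On the constructed sample, reading the lines in file order would name the Oct 3 17:32:56 entry as the first probe; sorting by timestamp reports the Oct 2 23:59:59 entry instead.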