[Gllug] CodeRed EMAIL NOTIFYER script

Gordon Joly gordon.joly at pobox.com
Thu Aug 16 07:38:35 UTC 2001



Found on focus-linux at lists.securityfocus.com

I have corrected a few typos. Untested!

And I would change

>>>  admin\@$domain...\n";

to at least three more standard email addresses,
such as "webmaster" and "postmaster"

Regards,

Gordo.

***************



Yes, it's simple, it just trims the domain of each gethostbyaddr()able IP
and sends an information email to admin@domain and info@domain giving
them a very short explanation of what is happening.

I know that, depending on the systems involved, it would be a massive mailing
(think of SPAM) with devastating results... so, use it with care.

It can be optimized a lot... so, read the disclaimer at the top of the
script (-:

bye

PS: I am open to constructive criticism.

-- 

Xavi Torres <admin at area66.com>
Systems administration
Krypton Networks S.L.
http://www.kryptonetworks.com/
http://www.area66.com/


--8<------------8<------------8<-------------

#!/usr/bin/perl

#
# CodeRed httpd log analyzer and informer script,
# by XTR <admin at area66.com>, <rotten at wanadoo.es>
# Note/disclaimer:
# it's ugly, I did it in 2 minutes with a joint in the other hand
# (-:
#

use strict;
use warnings;
use Socket;

# lets do some config.
# the httpd access log to look for the attacks.
my $f_access="/var/log/httpd/access_log";
# the sendmail binary
my $sendmail="/usr/sbin/sendmail";
# From: line at generated emails.
my $email_from="admin\@very.worried.bout.security";

open(FACCESS, '<', $f_access) or die "cannot open $f_access: $!";
while(<FACCESS>){
  # CodeRed probes ask for /default.ida?NNNN... (XXXX... for CodeRed II)
  if(/default\.ida\?/){
   chomp;
   my @lin=split(/ /,$_);
   my $ip=$lin[0];                   # first field of the common log format
   my $iaddr=inet_aton($ip) or next; # not an IP, skip the line
   my $hostname=gethostbyaddr($iaddr,AF_INET);
   # no PTR record means nobody to mail, so skip it silently
   if(defined $hostname && $hostname ne ""){
    my @ldom=split(/\./,$hostname);
    my $np=scalar @ldom;
    next if $np < 2;
    # Keeping the last two labels is wrong for hosts under co.uk and the
    # like (you would mail admin\@co.uk), and the PTR record is under the
    # control of the other side, so treat the address as a guess.
    my $domain=join('.', $ldom[$np-2], $ldom[$np-1]);
    print "Sending warning email to: admin\@$domain...\n";
    open(EMAIL, '|-', $sendmail, '-t') or die "cannot run $sendmail: $!";
    print EMAIL "From: $email_from\n";
    print EMAIL "To: admin\@$domain\n";
    print EMAIL "Cc: info\@$domain\n";
    print EMAIL "Subject: You have a CodeRed infected server.\n";
    print EMAIL "\n";  # blank line ends the headers; sendmail -t needs it
    print EMAIL "Hello,\n";
    print EMAIL "This is an automated email with the purpose of notifying you\n";
    print EMAIL "that the machine with IP $ip from your network sent us a\n";
    print EMAIL "CodeRed attack destined for our servers.\n";
    print EMAIL "It happened due to a Microsoft Internet Information Server\n";
    print EMAIL "security fault on that machine ($ip - $hostname).\n";
    print EMAIL "I recommend that you take the appropriate measures and get\n";
    print EMAIL "information at http://www.microsoft.com/ about how to fix\n";
    print EMAIL "the problem.\n";
    print EMAIL "Good luck!\n";
    print EMAIL "\n";
    close(EMAIL) or warn "sendmail failed for admin\@$domain: $!";
   }
  }
}
close(FACCESS);

--8<------------8<------------8<-------------
-- 
Gordon Joly//////////
gordon.joly at pobox.com
http://pobox.com/~or/

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
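The same idea reimplemented in Python, as an added example that is neither the Perl script above nor anything from its author: it matches the same default.ida? signature in constructed Apache log lines, aggregates hits per source IP so a chatty worm host is reported once rather than once per log line (the mass-mailing concern raised in the message), groups sources by contact domain so each domain receives a single mail carrying the extra postmaster and webmaster addresses suggested at the top of the message, and refuses to build a mail when the reverse-DNS answer contains anything a hostname label cannot, since the PTR record is chosen by the other side and would otherwise land in a mail header. The log lines, the FAKE_PTR table and every host and domain name in them are constructed; the two-label domain rule is kept from the original and is still wrong under registries such as co.uk; send() assumes a sendmail binary at /usr/sbin/sendmail and is not called unless you wire it in.

```python
"""Code Red access-log scanner sending one notice per contact domain.
Added example in Python, not the Perl script from the post. Input is Apache
Common/Combined Log Format; reverse DNS is a caller-supplied callable, so it
runs offline against the constructed data below."""
import re
import subprocess
from email.message import EmailMessage

# Common/Combined Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" \d{3} \S+')
# Code Red requests /default.ida with a long filler run ('N' for the original
# worm, 'X' for Code Red II) followed by %u-encoded shellcode.
CODERED_RE = re.compile(r'^GET /default\.ida\?(?P<filler>N+|X+)')
# One hostname label: letters, digits, interior hyphens. Anything else in a PTR
# answer (whitespace, CR/LF, '@', ...) must never reach a mail header.
LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$')

# Constructed sample log; the Code Red payloads are shortened, not real captures.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:10:15:32 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276
192.0.2.10 - - [04/Aug/2001:10:15:33 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276
198.51.100.7 - - [04/Aug/2001:11:02:01 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276
203.0.113.5 - - [04/Aug/2001:11:05:44 +0000] "GET /index.html HTTP/1.0" 200 1043
203.0.113.9 - - [04/Aug/2001:11:07:10 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276
"""
# Constructed reverse-DNS answers (hypothetical names); the last one is a
# hostile PTR record trying to smuggle an extra header into the notice.
FAKE_PTR = {
    "192.0.2.10": "dsl-10.isp-a.example.net",
    "198.51.100.7": "web.corp.example.com",
    "203.0.113.9": "host.example.com\r\nBcc: someone@example.org",
}

def classify(request):
    """Return 'CodeRed-I', 'CodeRed-II' or None for one request string."""
    m = CODERED_RE.match(request)
    if not m:
        return None
    return "CodeRed-I" if m.group("filler")[0] == "N" else "CodeRed-II"

def scan(lines):
    """Aggregate hits per source IP: variant, count, first and last timestamp."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        variant = classify(m.group("request"))
        if variant is None:
            continue
        h = hits.setdefault(m.group("ip"), {"variant": variant, "count": 0,
                                            "first": m.group("ts"), "last": None})
        h["count"] += 1
        h["last"] = m.group("ts")
    return hits

def contact_domain(ip, ptr_lookup):
    """Domain to notify, or None if there is no PTR name or it is malformed.
    Like the original script this keeps the last two labels, which is wrong
    under registries such as co.uk (it would mail admin@co.uk); a public
    suffix list is needed to do better and is not included here."""
    name = ptr_lookup(ip)
    if not name:
        return None
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    return ".".join(labels[-2:])

def build_notice(sender, domain, entries):
    """One message per domain listing every infected host seen from it."""
    msg = EmailMessage()  # its default policy also rejects CR/LF in header values
    msg["From"] = sender
    msg["To"] = f"admin@{domain}"
    msg["Cc"] = f"info@{domain}, postmaster@{domain}, webmaster@{domain}"
    msg["Subject"] = f"Code Red requests from {domain}"
    report = [f"{ip} ({name}): {h['variant']}, {h['count']} request(s)\n"
              f"  first seen {h['first']}, last seen {h['last']}" for ip, name, h in entries]
    msg.set_content("Hosts on your network sent Code Red probes to our web server:\n\n"
                    + "\n".join(report)
                    + "\n\nThey run unpatched Microsoft IIS; please patch or disconnect them.\n")
    return msg

def plan_notices(hits, ptr_lookup, sender):
    """Group hits by contact domain; return (messages, IPs that cannot be notified)."""
    by_domain, skipped = {}, []
    for ip, h in hits.items():
        domain = contact_domain(ip, ptr_lookup)
        if domain is None:
            skipped.append(ip)
            continue
        by_domain.setdefault(domain, []).append((ip, ptr_lookup(ip), h))
    return [build_notice(sender, d, e) for d, e in by_domain.items()], skipped

def send(msg, sendmail="/usr/sbin/sendmail"):
    """Hand a message to sendmail; -t takes the recipients from the headers."""
    subprocess.run([sendmail, "-t", "-oi"], input=msg.as_bytes(), check=True)

if __name__ == "__main__":
    notices, skipped = plan_notices(scan(SAMPLE_LOG.splitlines()), FAKE_PTR.get, "admin@example.org")
    print("\n".join(n.as_string() for n in notices), "not notified (no usable PTR):", skipped)
```

Run it as-is to see the two notices it would produce and the source it refuses to notify; to mail for real, replace the final print with `send(n)` for each notice and substitute `socket.gethostbyaddr(ip)[0]` (wrapped to return None on failure) for `FAKE_PTR.get`.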