Hi all,

I am sure that many of you have done this already but I haven't seen the like posted, so here it is. Yeah, too late and too short, but I still see probes every 3 minutes across 3 of my sites. It's simple and it gives me the information I was looking for; hope it helps someone else. I am mailing the administrators of the offending sites if I can find one, or the upstream if I can't. If we all do this maybe the stragglers will get a clue.

What does it do?

1) Tracks the information by request method, requested page, and parameters passed (code). I figured it would be easy to see if yet another variant pops up this way, and it makes it small.
2) Tracks the IPs and counts the number of hits from each.
3) Adds it all up and tells you.

Jason.

begin - C o d e R e d S t a t s

#!/usr/bin/perl -w -T
# No Copyright, No warranties, No Worries.
# It's not my fault if something goes wrong.
# For apache but easily ported.
use strict;
use CGI;

my $cgi    = new CGI;
my $detail = $cgi->param('detail');   # any value: print one block per matching line
my $total  = 0;
my $start;                            # timestamp of the first .ida request seen
my %unique;                           # {method}{page}{code} => hit count
my %hosts;                            # {ip} => hit count

print $cgi->header;
print $cgi->start_html(-title=>'CodeRed Log Dump', -author=>'jasonat_private');

# Path is hardcoded on purpose: the script runs under -T and nothing from the
# request is allowed to choose which file gets read.
open(LOG, "</path/to/your/apache/access-log") or die "cannot open access log: $!";
while (<LOG>) {
    next unless /\.ida/;
    # Common log format, split on spaces:
    #   ip - - [date:time zone] "METHOD /page?code HTTP/x.y" status bytes
    my ( $ip, undef, undef, $date_time, undef, $method, $request ) = split(/ /, $_);
    $date_time .= "]";                # the zone stays in the next field, so close the bracket here
    $start = $date_time unless defined $start;
    my ( $page, $code ) = split(/\?/, $request, 2);
    $code = '' unless defined $code;
    $unique{$method}{$page}{$code}++;
    $hosts{$ip}++;
    if ($detail) {
        # Everything below came from the log, i.e. from the probing host,
        # so escape it before sending it back as HTML.
        print $cgi->br . "\n";
        print "from IP:" . $cgi->escapeHTML($ip) . $cgi->br . "\n";
        print "request method:" . $cgi->escapeHTML($method) . $cgi->br . "\n";
        print "page requested:" . $cgi->escapeHTML($page) . $cgi->br . "\n";
        print "code sent:" . $cgi->escapeHTML($code) . $cgi->br . "\n";
        print "at:" . $cgi->escapeHTML($date_time) . $cgi->br . "\n";
        print "Running Count:" . $unique{$method}{$page}{$code} . $cgi->br . "\n";
    }
    $total++;
}
close(LOG);

# Totals per (method, page, code) triple; a new triple means a new variant.
foreach my $method_key (keys %unique) {
    foreach my $page_key (keys %{ $unique{$method_key} }) {
        foreach my $code_key (keys %{ $unique{$method_key}{$page_key} }) {
            print "total for method of " . $cgi->escapeHTML($method_key)
                . " page of " . $cgi->escapeHTML($page_key)
                . " code of " . $cgi->escapeHTML($code_key) . $cgi->br . "\n";
            print "is " . $unique{$method_key}{$page_key}{$code_key} . $cgi->br . "\n";
        }
    }
}

my $unique_hosts = scalar keys %hosts;
print "there have been " . $total . " ida requests since "
    . $cgi->escapeHTML(defined $start ? $start : 'never')
    . " from " . $unique_hosts . " unique hosts\n";
print $cgi->br x 4;

foreach my $host_key (sort { $hosts{$b} <=> $hosts{$a} } keys %hosts) {
    print $cgi->escapeHTML($host_key) . " has attempted " . $hosts{$host_key} . " times" . $cgi->br . "\n";
}
print $cgi->end_html;

END - C o d e R e d S t a t s

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
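The same tally in Python, added here as an illustration and not part of Jason's post: it parses the common log format with a regex instead of splitting on spaces, so the timestamp and method come out whole, and returns the counts instead of printing them. The log lines are constructed samples, not real probes.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:10:15:02 -0700] "GET /default.ida?NNNNNNNNNN%u9090 HTTP/1.0" 404 284
192.0.2.10 - - [04/Aug/2001:10:18:07 -0700] "GET /default.ida?NNNNNNNNNN%u9090 HTTP/1.0" 404 284
198.51.100.7 - - [04/Aug/2001:11:02:44 -0700] "GET /default.ida?XXXXXXXXXX%u9090 HTTP/1.0" 404 284
203.0.113.5 - - [04/Aug/2001:11:30:00 -0700] "GET /index.html HTTP/1.0" 200 1043
"""

# ip ident user [timestamp] "METHOD request HTTP/x.y" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<request>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})')


def codered_stats(log_text):
    """Count .ida requests by (method, page, query) and by source IP."""
    variants = Counter()   # (method, page, query) -> hits; a new key is a new variant
    hosts = Counter()      # ip -> hits
    first_seen = None
    total = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or '.ida' not in m.group('request'):
            continue
        page, _, query = m.group('request').partition('?')
        variants[(m.group('method'), page, query)] += 1
        hosts[m.group('ip')] += 1
        first_seen = first_seen or m.group('ts')
        total += 1
    return {'total': total, 'first_seen': first_seen,
            'variants': variants, 'hosts': hosts}


if __name__ == '__main__':
    s = codered_stats(SAMPLE_LOG)
    print(f"{s['total']} ida requests since {s['first_seen']} "
          f"from {len(s['hosts'])} unique hosts")
    for (method, page, query), n in s['variants'].most_common():
        print(f"{n:4d}  {method} {page}?{query[:24]}")
    for ip, n in s['hosts'].most_common():
        print(f"{ip} has attempted {n} times")
```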
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:30:31 PDT