The following script was developed by Jose Nazario and Neil Dickey. Using standard Apache format logs, it will search for evidence of machines infected by Code Red or Nimda. Modifying it to look for other signatures of infection is pretty trivial even for the most programming challenged. Thanks, Neil and Jose, for putting this out there. I will add it to the LogAnalysis Web site, under the Log Parsing tools section. But Neil, I'm not going to name it Nimda -- that would be entirely the wrong impression!

tbird
LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

---------- Forwarded message ----------
Date: Fri, 21 Sep 2001 15:45:23 -0500 (CDT)
From: Neil Dickey <neilat_private>
To: tbird@precision-guesswork.com
Subject: Jose Nazario's script

Dear Tina,

We've never met, but Jose Nazario told me you'd like to have a copy of my modification of his log-searching script that he posted to BugTraq. I modified it to take some command-line input to change the number of lines searched in the log files, and to search for the two CodeRed types as well. It should be pretty obvious ( I hope! ) how to modify the paths and all to make it work on your machine. Because the paths to the log files are hardcoded, you can put the script in a bin directory and run it from anywhere you happen to be on your system. As the need arises, it should also be easy to modify it to search for the signatures of other worms. I called the script 'nimda', which should explain some of my comments, and I used "\" to avoid potential problems with line wrapping.

I hope you like it.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

#!/bin/sh
#
# Many thanks to jose nazario joseat_private 21sep01, who
# provided the part that actually does the work.  I did
# the "pretty" part.  NDJr.  9/21/01
#
# Syntax:  nimda [ n ] [ nimda | cr1 | cr2 ]
#
#   n = A number between 1 and 999 which represents the number
#       of thousands of lines to use in the "tail" command
#       when searching the log file.  The default ($DIGIT) is 5.
#
# Search for:
#
#   nimda = The Nimda worm
#   cr1   = CodeRedI
#   cr2   = CodeRedII
#
#   "nimda" is the default ( $KEY and $BANNER ).
#

# Set some default values.
BIN=/usr/bin
DIGIT=5
KEY="\.exe"
BANNER="NIMDA"

# Unsets variables upon exit.
cleanup() {
    BIN=
    DIGIT=
    KEY=
    BANNER=
    LOGFILE=
}

$BIN/echo ""

# Set logfile and path for different webservers.
case `$BIN/hostname` in
    'server1')
        LOGFILE="/path1/log/access_log"
        ;;
    'server2')
        LOGFILE="/path2/log/access_log"
        ;;
    *)
        $BIN/echo " There are no webserver logfiles on this machine."
        $BIN/echo ""
        cleanup
        exit 1
        ;;
esac

# Parse command line.
while [ $# -ne 0 ]
do
    case $1 in
        [1-9]|[1-9][0-9]|[1-9][0-9][0-9])
            DIGIT=$1
            shift
            ;;
        'nimda')
            KEY="\.exe"
            BANNER="NIMDA"
            shift
            ;;
        'cr1')
            KEY="NNNNNNNN"
            BANNER="CodeRedI"
            shift
            ;;
        'cr2')
            KEY="XXXXXXXX"
            BANNER="CodeRedII"
            shift
            ;;
        *)
            $BIN/echo " '$1' is not a proper argument."
            $BIN/echo ""
            cleanup
            exit 1
            ;;
    esac
done

# Do the work.
$BIN/echo " These are $BANNER sources, scanned from the \
latest ${DIGIT}000 lines."
$BIN/echo ""

# "tail -n N" is the POSIX form; the older "tail -N" is not accepted
# by every tail.  The grep pattern and log path are quoted so the shell
# leaves them intact.
for i in `$BIN/tail -n ${DIGIT}000 "$LOGFILE" | $BIN/grep "$KEY" | \
          $BIN/awk '{print $1}' | $BIN/sort | $BIN/uniq`
do
    # Anchor the source address to the start of the line: the dots in an
    # unanchored address are regex wildcards and would also match inside
    # URLs and referers elsewhere in the record.
    TIME=`$BIN/grep "^$i " "$LOGFILE" | $BIN/tail -n 1 | \
          $BIN/awk '{print $4" "$5}'`
    $BIN/echo $i" "$TIME
done

$BIN/echo ""
cleanup

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
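For readers who want the same search in a form that is easier to extend with further signatures, here is the script's logic re-implemented in Python as an added example (not part of the original post or of Neil's script). It keeps the three signatures the script selects with nimda / cr1 / cr2, parses Apache common log format records, and tallies matching requests per source with the source's last-seen time; the SIGNATURES and scan_sources names and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Same three signatures the shell script selects with nimda / cr1 / cr2,
# applied to the request field of each common-log-format record. Adding a
# worm means adding one entry here (assumed names, not the script's own).
SIGNATURES = {
    "nimda": re.compile(r"\.exe"),  # cmd.exe / root.exe probes
    "cr1": re.compile(r"N{8}"),     # CodeRedI  default.ida?NNNN... request
    "cr2": re.compile(r"X{8}"),     # CodeRedII default.ida?XXXX... request
}

# Apache common log format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Sep/2001:10:01:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275
192.0.2.10 - - [21/Sep/2001:10:01:03 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 275
198.51.100.7 - - [21/Sep/2001:10:02:15 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 275
203.0.113.5 - - [21/Sep/2001:10:03:44 -0500] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [21/Sep/2001:10:05:00 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 275
192.0.2.10 - - [21/Sep/2001:10:06:30 -0500] "GET /index.html HTTP/1.0" 200 1043
this line is not a log record
""".splitlines()

def scan_sources(lines, worm, tail=None):
    """Return {source_host: (matching_requests, last_seen_time)}.
    Like the script, search only the last `tail` lines, list each source once,
    and take last_seen from that host's latest record in the window (any
    request), which is what the script's second grep over the log yields."""
    pattern = SIGNATURES[worm]
    window = list(lines)[-tail:] if tail else list(lines)
    counts, last_seen = defaultdict(int), {}
    for line in window:
        m = CLF.match(line)
        if not m:
            continue  # malformed record: skip it instead of aborting the scan
        host, when, request = m.group("host", "time", "request")
        last_seen[host] = when
        if pattern.search(request):
            counts[host] += 1
    return {h: (counts[h], last_seen[h]) for h in sorted(counts)}

if __name__ == "__main__":
    for worm in SIGNATURES:
        for host, (n, when) in scan_sources(SAMPLE_LOG, worm).items():
            print(f"{worm:6} {host:15} {n:3} hits, last seen {when}")
```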
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 14:49:08 PDT