I refined the script that was posted earlier. It now reports CODE RED, NIMDA
and all the other hits on the server on the external interface.
<script>
#!/bin/sh
# Summarise hits on the external interface every 10 minutes, splitting out
# NIMDA and Code Red probes. Counts are cumulative over everything currently
# in the access logs, not just the last interval.

# Private scratch directory instead of fixed names in the current directory
# (a predictable ./tempfile can be pre-created or symlinked by another local
# user); removed when the script exits.
TMP=$(mktemp -d) || exit 1
trap 'rm -rf "$TMP"' EXIT INT TERM

lines() { wc -l < "$1" | tr -d ' '; }                            # hits in a file
hosts() { cut -f 1 -d ' ' "$1" | sort -u | wc -l | tr -d ' '; }  # distinct client addresses

while : ; do
    # External hits only: drop LAN and loopback clients. -F matches the
    # dots literally rather than as regex wildcards.
    cat /var/log/httpd/access_log* | grep -vF '192.168.1.' | grep -vF '127.0.0.1' > "$TMP/external"
    grep -F 'c+dir'       "$TMP/external" > "$TMP/nimda"    # NIMDA: ...cmd.exe?/c+dir, root.exe?/c+dir
    grep -F 'default.ida' "$TMP/external" > "$TMP/codered"  # Code Red: GET /default.ida?NNNN...
    grep -vF 'default.ida' "$TMP/external" | grep -vF 'c+dir' > "$TMP/other"

    TIME=$(date +%H:%M:%S)   # fixed format; cutting field 4 of `date` depends on the locale
    echo "$TIME - $(lines "$TMP/external") TOTAL visits from $(hosts "$TMP/external") different servers"
    echo "$TIME - $(lines "$TMP/nimda") NIMDA visits from $(hosts "$TMP/nimda") different servers."
    echo "$TIME - $(lines "$TMP/codered") CODERED visits from $(hosts "$TMP/codered") different servers"
    echo "OTHER HITS:"
    cat "$TMP/other"
    echo "-------------------------------------------------------------------"
    sleep 600
done
</script>
Roger Wrethman
Internet Project Manager
eScape Web Services
Phone: +27 41 586 3003
Cell : +27 82 735 2628
[EMAIL PROTECTED]
--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
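Added example, not part of the post above and not the author's script: the same three buckets (NIMDA, Code Red, other) computed in one awk pass over constructed access_log lines. The difference from grepping whole lines is that the LAN/loopback exclusion is applied to the client address field only and the worm signatures are matched against the request field only, so a referer or user-agent that happens to contain "192.168.1." or "c+dir" cannot move a line between buckets. The sample lines use RFC 5737 documentation addresses and are made up for the example; the function names, bucket names and the "hits distinct-hosts" output format are this example's own choices.

```shell
#!/bin/sh
# One-pass classifier for NIMDA / Code Red / other hits on constructed log
# lines. Example code written for this page, not the posted script.

# Constructed sample access_log lines (combined log format); not real traffic.
# Line 5 is a LAN client and line 7 is loopback, so both must be excluded.
# Line 6 has a LAN address in the referer only and must still be counted.
SAMPLE_LOG='203.0.113.10 - - [19/Sep/2001:10:01:12 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"
203.0.113.10 - - [19/Sep/2001:10:01:13 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"
198.51.100.7 - - [19/Sep/2001:10:02:00 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
198.51.100.8 - - [19/Sep/2001:10:03:44 +0200] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 400 294 "-" "-"
192.168.1.5 - - [19/Sep/2001:10:04:01 +0200] "GET /default.ida?NNNN HTTP/1.0" 400 294 "-" "-"
203.0.113.99 - - [19/Sep/2001:10:05:09 +0200] "GET /index.html HTTP/1.1" 200 1532 "http://192.168.1.1/" "Mozilla/4.0"
127.0.0.1 - - [19/Sep/2001:10:05:10 +0200] "GET /server-status HTTP/1.0" 200 810 "-" "-"'

# classify LOGFILE: prints "<bucket> <client>" for every external line, where
# bucket is nimda, codered or other. Internal clients produce no output.
classify() {
    awk '
        # Field 1 is the client address: skip the LAN prefix and loopback.
        $1 ~ /^192\.168\.1\./ || $1 == "127.0.0.1" { next }
        {
            # The request is the first double-quoted string on the line.
            split($0, q, "\"")
            req = q[2]
            if (index(req, "/c+dir"))            bucket = "nimda"    # cmd.exe?/c+dir, root.exe?/c+dir
            else if (index(req, "/default.ida")) bucket = "codered"  # GET /default.ida?NNNN...
            else                                 bucket = "other"
            print bucket, $1
        }' "${1:-/dev/stdin}"
}

# summary LOGFILE BUCKET: prints "<hits> <distinct hosts>" for one bucket,
# or for all external traffic when BUCKET is "all".
summary() {
    classify "$1" | awk -v b="$2" '
        b == "all" || $1 == b { hits++; hosts[$2] = 1 }
        END { n = 0; for (h in hosts) n++; print hits + 0, n }'
}

# Write the constructed sample to a private temp file and report on it.
LOGFILE=$(mktemp) || exit 1
trap 'rm -f "$LOGFILE"' EXIT INT TERM
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"

for b in all nimda codered other; do
    echo "$b: $(summary "$LOGFILE" "$b")"   # hits, distinct client addresses
done
```

Pointing `classify` at the real logs (`cat /var/log/httpd/access_log* | classify`) gives the same buckets as the posted script for ordinary traffic; the cases where the two disagree are exactly the lines where the matched string sits outside the client or request field.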