fw_scan

Submitted on: 4/22/2002 4:17:46 AM
By: TJ Meadows  
Level: Intermediate
User Rating: rated by 1 user
Compatibility: 5.0 (all versions), 4.0 (all versions)
Views: 8712
 
     This code scans the Apache access_log files on a Unix server for IIS exploit URLs and, once it has seen x such URLs from one client, adds a DENY rule to the ipchains input chain for that client on port 80. It can also scan ALL access_logs as a cron job, say every 10 minutes; it stores a history so that it doesn't ban the same person twice (although if that did happen, ipchains would simply kick them out again).
 
=**************************************
= for: fw_scan
=**************************************
©2002 - 2003 TJ Meadows (Orbssoftware) All rights reserved.
code:
 
Terms of Agreement:   
By using this code, you agree to the following terms...   
  1. You may use this code in your own programs (and may compile it into a program and distribute it in compiled format for languages that allow it) freely and with no charge.
  2. You MAY NOT redistribute this code (for example to a web site) without written permission from the original author. Failure to do so is a violation of copyright laws.   
  3. You may link to this code from another website, but ONLY if it is not wrapped in a frame. 
  4. You will abide by any additional copyright restrictions which the author may have placed in the code or code's description.
				
=**************************************
= Name: fw_scan
= Description: Scans the Apache access_log files on a Unix server for IIS exploit URLs and, once a client has requested x of them, adds an ipchains DENY rule for that client on port 80. Can be run from cron (say every 10 minutes) over all access_logs; a history file prevents banning the same client twice (although if that did happen, ipchains would simply kick them out again).
= By: TJ Meadows
=
= Assumes: You must be using a Unix-based server with ipchains 2.0 or later and Perl 5 or later. This has been written/tested on a Red Hat 7.2 server installation.
=
= Side Effects: None that I've seen.
=
= This code is copyrighted and has limited warranties. Please see http://www.Planet-Source-Code.com/vb/scripts/ShowCode.asp?txtCodeId=314&lngWId=6 for details.
=**************************************

#!/usr/bin/perl
use strict;
use warnings;
use Socket;

#--------- Variables you may need to configure are here ---------
# $path2Log is the directory that holds your Apache logs
my $path2Log = "/var/log/httpd/";
# $path2save is the ban list; one line per banned client:
#   <ip address/hostname> <number of exploit attempts>
my $path2save = "/home/tj/fw_data/fw_banned";
# $path2ipchains is the directory that holds the ipchains executable
my $path2ipchains = "/sbin/";
# $trys is the number of exploit attempts before the client is banned
my $trys = 5;
#--------- DO NOT EDIT PAST HERE UNLESS YOU KNOW WHAT YOU'RE DOING ---------

# Number of exploit requests seen per client (IP, or hostname if HostnameLookups is on)
my %hits;

opendir(my $dir, $path2Log) or die "Unable to open $path2Log: $!";
foreach my $file (readdir($dir)) {
    next unless $file =~ /access_log/;
    open(my $log, '<', $path2Log . $file) or die "Cannot open $file: $!";
    while (my $line = <$log>) {
        # Common Log Format: client ident user [date] "GET url HTTP/1.x" status bytes
        # Splitting on '] "GET ' leaves the client in field 0 and the URL in field 1
        my @logArray = split(/\] "GET /, $line);
        next unless defined $logArray[1];
        my ($client) = split(' ', $logArray[0]);
        my ($url)    = split(/HTTP\/1\./, $logArray[1]);
        next unless defined $client && defined $url;
        # The IIS exploit URLs this script looks for all request an .exe
        # (cmd.exe, root.exe, ...); note this also matches a legitimate .exe download
        $hits{$client}++ if index($url, ".exe") > 0;
    }
    close($log) or die "Cannot close $file: $!";
}
closedir($dir);

# Clients banned by an earlier run; the file does not exist until the first ban
my %banned;
if (open(my $banIn, '<', $path2save)) {
    while (my $line = <$banIn>) {
        my ($client) = split(' ', $line);
        $banned{$client} = 1 if defined $client;
    }
    close($banIn);
}

# Count per client with a hash, so every client (including the last one in the
# log) is checked against $trys and the ban is applied to the right address
foreach my $client (sort keys %hits) {
    next if $hits{$client} < $trys || $banned{$client};

    # Resolve a hostname to its address; skip the client if resolution fails
    # rather than passing a stale or empty address to ipchains
    my $iaddr = gethostbyname($client);
    unless ($iaddr) {
        warn "Cannot resolve $client, not banning\n";
        next;
    }
    my $peer_addr = inet_ntoa($iaddr);

    open(my $banOut, '>>', $path2save) or die "Cannot open $path2save: $!";
    print $banOut "$client $hits{$client}\n";
    close($banOut) or die "Cannot close $path2save: $!";

    # List form of system(): the address is passed as a single argument and is
    # never interpreted by a shell, even if the log line contained metacharacters
    my @cmd = ($path2ipchains . 'ipchains', '-A', 'input', '-p', 'tcp',
               '-s', $peer_addr, '-d', '0/0', '80', '-j', 'DENY');
    system(@cmd) == 0 or warn "ipchains failed for $peer_addr (exit $?)\n";
}
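The scan-and-decide logic run over a handful of log lines, as an added example that is not part of TJ Meadows' script (it is written in Python rather than Perl). It goes a little beyond the script in two ways a practitioner would want: it matches the specific IIS exploit targets of the period (cmd.exe, root.exe, default.ida) instead of any ".exe", which is the false positive the author mentions in the comments below, and it only accepts a client field that parses as an IP address and builds the ipchains command as an argv list, so nothing copied out of the log is ever interpreted by a shell. The log lines are constructed, and the signature list and the /sbin/ipchains path are assumptions.

```python
"""Scan Apache access_log lines for IIS exploit probes and decide which clients to ban."""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in Apache Common Log Format; this is not real traffic.
# 203.0.113.5 sends five Code Red / Nimda style probes, 198.51.100.7 downloads an
# ordinary .exe, 192.0.2.9 sends a single probe, and the last line is garbage.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Apr/2002:04:01:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285',
    '203.0.113.5 - - [22/Apr/2002:04:01:03 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283',
    '203.0.113.5 - - [22/Apr/2002:04:01:04 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '203.0.113.5 - - [22/Apr/2002:04:01:05 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300',
    '203.0.113.5 - - [22/Apr/2002:04:01:06 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 280',
    '198.51.100.7 - - [22/Apr/2002:04:05:00 -0400] "GET /downloads/setup.exe HTTP/1.1" 200 1048576',
    '192.0.2.9 - - [22/Apr/2002:04:06:00 -0400] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 283',
    'this line is not in Common Log Format',
]

# One regex for the whole CLF line: client, ident, user, [date], "method target protocol", status, bytes.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request targets used by the IIS worms of the period (Code Red hit default.ida; Nimda and
# the sadmind/IIS worm reached cmd.exe and root.exe through directory traversal). Assumed
# signature list; matching these names instead of any ".exe" keeps normal downloads off the list.
EXPLOIT_RE = re.compile(r'(?:cmd\.exe|root\.exe|default\.ida)', re.IGNORECASE)


def parse_clf(line):
    """Return the fields of one Common Log Format line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_exploit_probe(target):
    """True if the request target matches one of the IIS exploit signatures."""
    return EXPLOIT_RE.search(target) is not None


def count_probes(lines):
    """Count exploit probes per client; lines that do not parse are skipped, not counted."""
    counts = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec and is_exploit_probe(rec['target']):
            counts[rec['client']] += 1
    return counts


def decide_bans(counts, threshold, already_banned=frozenset()):
    """Return (client, hits) for clients at or above threshold that are not yet banned.

    Only literal IP addresses are returned: a client field that is a hostname (Apache
    HostnameLookups On) or anything stranger is skipped, so no unvalidated string reaches ipchains.
    """
    decisions = []
    for client, hits in sorted(counts.items()):
        if hits < threshold or client in already_banned:
            continue
        try:
            ipaddress.ip_address(client)
        except ValueError:
            continue
        decisions.append((client, hits))
    return decisions


def ipchains_argv(ip, ipchains='/sbin/ipchains'):
    """argv list for the DENY rule; run it with subprocess.run(argv) so no shell parses it."""
    ip = str(ipaddress.ip_address(ip))   # raises ValueError for anything that is not an address
    return [ipchains, '-A', 'input', '-p', 'tcp', '-s', ip, '-d', '0/0', '80', '-j', 'DENY']


if __name__ == '__main__':
    counts = count_probes(SAMPLE_LOG)
    for client, hits in decide_bans(counts, threshold=5):
        print(' '.join(ipchains_argv(client)), '#', hits, 'probes')
```

With the threshold of 5 from the script, only 203.0.113.5 is banned; the .exe download from 198.51.100.7 is never counted, and 192.0.2.9 is counted but stays under the threshold. Passing the already-banned set into decide_bans is what makes the script safe to run from cron every few minutes.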


Other User Comments

4/22/2002 4:22:05 AM, TJ Meadows

Wow, really kills the formatting, eh? :( You can also use this URL to get the code formatted.

http://www.orbssoftware.com/downloads/fw_scan

 
4/23/2002 7:22:48 AM, Dave Lambert

Excellent. One suggestion though. You may want to consider banning IPs only for a limited time, e.g. a couple of hours, so that users of ISPs that provide a common pool of IP addresses don't all get penalised because of the activities of just one rogue. I get a lot of hack traffic from AOL users, but it wouldn't be in my company's interest to ban them all... errr... perhaps 8-)

Thanks for the posting. Much appreciated.

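One way to act on the suggestion above, as an added example that is part neither of the original script nor of the comment: extend each ban-list record with the time the ban was set, and on every cron run delete the ipchains rule for bans older than a fixed window. Expired records are dropped from the list, so a host that keeps probing is counted afresh and banned again, while a shared-pool address is freed after the window. Written in Python; the record format, the /sbin/ipchains path and the sample ban list are assumptions/constructed.

```python
"""Time-limited bans for the fw_scan ban list: expire DENY rules after max_age seconds."""
import ipaddress

IPCHAINS = '/sbin/ipchains'   # assumed path, as in the script above

# Constructed ban list in an extended format: '<ip> <hits> <unix time the ban was set>'.
# 1019462400 is 2002-04-22 04:00 EDT; the third line is deliberately malformed.
SAMPLE_BAN_FILE = """\
203.0.113.5 5 1019462400
192.0.2.9 7 1019466000
not a valid record
"""


def ipchains_rule(ip, action):
    """argv for adding ('-A') or removing ('-D') the port-80 DENY rule for one address."""
    ip = str(ipaddress.ip_address(ip))           # rejects anything that is not an address
    return [IPCHAINS, action, 'input', '-p', 'tcp', '-s', ip, '-d', '0/0', '80', '-j', 'DENY']


def parse_ban_list(text):
    """Return [(ip, hits, banned_at), ...]; malformed lines and non-addresses are ignored."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            records.append((str(ipaddress.ip_address(parts[0])), int(parts[1]), int(parts[2])))
        except ValueError:
            continue
    return records


def expire_bans(records, now, max_age):
    """Split records into (still_banned, expired) by comparing ban age with max_age seconds."""
    still, expired = [], []
    for rec in records:
        (expired if now - rec[2] >= max_age else still).append(rec)
    return still, expired


def format_ban_list(records):
    """Serialise the records that stay banned back into the ban-list format."""
    return ''.join(f'{ip} {hits} {banned_at}\n' for ip, hits, banned_at in records)


def unban_commands(expired):
    """One '-D' argv per expired record; run each with subprocess.run(argv)."""
    return [ipchains_rule(ip, '-D') for ip, _, _ in expired]


if __name__ == '__main__':
    import time
    still, expired = expire_bans(parse_ban_list(SAMPLE_BAN_FILE), int(time.time()), 2 * 3600)
    for argv in unban_commands(expired):
        print(' '.join(argv))
    print(format_ban_list(still), end='')
```

The ban-setting side stays as in the script: append a record when a client crosses the threshold and skip clients that already have one. Because ipchains -D removes the first rule that matches the given specification, the same argv that added the rule (with -A replaced by -D) is enough to remove it.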
 
4/23/2002 12:53:05 PM, TJ Meadows

Hrm, true, good idea, I'll look into it. I have found one bug currently: anyone transferring any exe in any way on your Apache server is flagged as a hacker. This will be fixed in version 1.0; this was just my beta test run :P

 
4/23/2002 10:47:06 PM, TJ Meadows

Version 1.5 is out; search for oApacheGuard 1.5.

 
8/10/2006 4:08:37 AM, brijesh vashishth

7
