Submitted on: 2/5/2003 1:47:21 AM
By: Eugene Zhukovsky  
Level: Intermediate
User Rating: By 11 Users
Compatibility: C#
Views: 15543
My IIS logs list hundreds of malicious probes by the Code Red and Nimda viruses, polluting my logs and consuming my bandwidth. This program is a result of slowly growing frustration with these people attacking my little web site. Here's what it does:

  1. Scans yesterday's IIS log file and parses it for the unique IP addresses the attacks come from.
  2. Resolves the IP addresses to DNS names.
  3. Queries the appropriate WHOIS server according to the domain, or the IP WHOIS servers if the IP was not resolved.
  4. Parses the WHOIS server reply and extracts the abuse@ e-mail account for each ISP the addresses belong to (using regex).
  5. Sends an e-mail (using Sockets, no CDO required) with the information you see below to each identified ISP. The e-mail is in the format required by most ISPs (at least the ones I checked).
  6. If specified in the .ini file, creates a log in the app directory with the same name as the IIS log file.

All you have to do is edit the included .ini file, and then schedule this app to run every day. I've been running it for a month, and I feel a little better now that I'm doing something about it. You can change this code in any way you like to suit your needs; with a little tweaking this can make analyzing IIS logs (or any other logs) a lot easier. Or you can keep a "mean list" and redirect those on that list to an error page, like I did at http://12.211.166.230/Z3/IISLogs.aspx. Possibilities are only limited by imagination.
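
Steps 1 and 4 above in miniature, as an added example that is not the author's code from the download. It assumes W3C extended logs with a `#Fields` header and treats requests for default.ida, cmd.exe and root.exe as the probe signature; the names `ProbeReport`, `ScanLog` and `FindAbuseAddress` are hypothetical, and the log lines and WHOIS reply are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

static class ProbeReport
{
    // Request paths typical of Code Red (default.ida) and Nimda (cmd.exe, root.exe) probes.
    static readonly Regex Probe = new Regex(@"default\.ida$|(cmd|root)\.exe$", RegexOptions.IgnoreCase);
    static readonly Regex Abuse = new Regex(@"\babuse@[a-z0-9-]+(\.[a-z0-9-]+)+", RegexOptions.IgnoreCase);
    // Step 1: unique client IPs and their probe counts, using the columns named in #Fields.
    public static Dictionary<string, int> ScanLog(IEnumerable<string> lines)
    {
        var hits = new Dictionary<string, int>();
        int ipCol = -1, uriCol = -1;
        foreach (var line in lines)
        {
            if (line.StartsWith("#Fields:"))
            {
                var names = line.Substring(8).Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
                ipCol = Array.IndexOf(names, "c-ip");
                uriCol = Array.IndexOf(names, "cs-uri-stem");
                continue;
            }
            if (line.StartsWith("#") || ipCol < 0 || uriCol < 0) continue;   // other directives, or no header yet
            var cols = line.Split(' ');
            if (cols.Length <= Math.Max(ipCol, uriCol) || !Probe.IsMatch(cols[uriCol])) continue;
            hits[cols[ipCol]] = hits.TryGetValue(cols[ipCol], out int n) ? n + 1 : 1;
        }
        return hits;
    }

    // Step 4: first abuse@ mailbox in a WHOIS reply, or null when the reply has none.
    public static string FindAbuseAddress(string whoisReply)
    {
        Match m = Abuse.Match(whoisReply);
        return m.Success ? m.Value.ToLowerInvariant() : null;
    }

    static void Main()
    {
        string[] log = {   // constructed sample lines using documentation-range addresses
            "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
            "2003-02-04 03:12:55 192.0.2.10 GET /default.ida NNNNNNNN 404",
            "2003-02-04 03:13:01 198.51.100.7 GET /scripts/root.exe /c+dir 404",
            "2003-02-04 03:13:02 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 404",
            "2003-02-04 08:30:11 203.0.113.5 GET /index.htm - 200" };
        foreach (var hit in ScanLog(log)) Console.WriteLine(hit.Key + " " + hit.Value + " probe(s)");
        Console.WriteLine(FindAbuseAddress("OrgAbuseEmail:  Abuse@example.net"));   // constructed reply
    }
}
```

Reading the column positions from `#Fields` matters because IIS lets the administrator choose which fields are logged, so fixed offsets break as soon as the logging options change.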

 

Other User Comments

2/5/2003 4:49:57 AM vbnick

Nice, but will sending emails to IP addresses that belong to ISPs work?

 
2/5/2003 10:16:56 AM Eugene Zhukovsky

ISPs are obligated to respond to reports of abuse.

 
2/5/2003 11:56:42 PM tehfatal

Great work, I'm definitely going to set this up on my IIS

 
2/6/2003 6:46:21 AM Niknak!!

I have no use for this but I can see that a lot of work went into this and is very useful. Good work.

 
2/6/2003 6:47:28 AM Niknak!!

Maybe doing something similar for attack logs on local systems. Constant hack attempts from certain IP addresses etc.

 
2/22/2003 4:46:38 PM Joseph Crowell

Hmmmm maybe set it up to work off my firewall logs.

 
4/14/2003 5:07:55 AM

I'd like to run this on the network I'm administrating. We have some large IIS servers running. What I'd like to know is, does this application also

 
4/14/2003 5:10:19 AM

clean the original log? since this would make the log more readable when troubleshooting for instance

 
4/14/2003 12:43:06 PM Eugene Zhukovsky

The app doesn't change the original log in any way. You mean cleaning all the attacks from the log? It can easily be added to the functionality.

 
4/23/2003 5:01:44 PM

April 23, 2003 - Zip file is corrupt? Have downloaded it several times...no luck with any of them.


 
7/5/2003 12:13:32 PM Ryan Kearney

Well, now abuse@attbi.com will get you nowhere; now it's abuse@comcast.net (I think)

 
5/13/2004 12:45:56 PM Lee Blake

I had a similar thing happen on the server I administer. These attacks can happen because the person has a virus and doesn't know it. If you look at these logs the attacks span only about 1 or 2 minute(s). But I like your idea.

 
5/26/2007 7:49:11 PM Robin Degen

This would have been nice when I still had my IIS server. I switched to Debian with Apache about a year ago.. never had problems again :)

 
