After reading that "apparently" the latest Code Red attacks are coming from unsuspecting users of that ultimate computer virus, I decided to scan the access log file and send messages to the "best guess" person at the owner of the IP address (usually a dial-up provider).
I modified the script by "Karsten M. Self" <kmself@ix.netcom.com> and then fed its output to a Perl script that sends it to the appropriate person. First, the modified command from Karsten:

#!/bin/sh
# code.red.sh -- usage: ./code.red.sh access_log
# For every client that requested default.ida, print the SOA contact (RNAME)
# of its reverse-DNS zone followed by the matching log fields.
# (sort -u so a client with several hits is reported once, not once per hit)
for i in $(grep 'default\.ida' "$1" | awk '{print $1}' | sort -u)
do
    # this client's default.ida lines with the ?NNNN.../?XXXX... payload cut off
    a=$(awk -v ip="$i" '$1 == ip && /default\.ida/' "$1" | sed -e 's/\(.*\)?.[NX].*/\1/' | awk '{print $1, $4, $5, $6, $7}')
    # an A query for the in-addr.arpa name normally comes back with the zone's SOA
    # in the authority section; field 6 of that record is the responsible-person mailbox
    b=$(dig -x $i a | grep 'IN SOA' | awk '{print $6}')
    echo $b $a
done

This created a line like

dns.deltacom.net. 209.192.99.162 [02/Aug/2001:18:23:22 -0700] "GET /default.ida

Given that the DNS records aren't consistent from site to site, the contact name may require more searching with "dig -x ip a", "dig -x ip soa", "dig -x ip", and whois. (Out of the 79 Code Red hits I have gotten this month, 10 had no SOA records of any kind, which strikes me as odd!) After manually checking the records (whilst changing the leading period to a '@' and removing the trailing period in the contact name, i.e., dns.deltacom.net. -> dns@deltacom.net), I then ran the following program, which uses the above information:

#!/usr/bin/perl
# codered.pl
# Reads virushosts.sorted (one "contact log-fields ..." line per host, produced
# by code.red.sh and hand-corrected) and mails each contact a notification.
use strict ;
use warnings ;
use IO::File ;                  # also exports the O_* flags used below
use POSIX qw( tmpnam ) ;

my $targetFile = "virushosts.sorted" ;
open( INPUT , "<$targetFile" ) or die "Unable to open $targetFile for reading: $! \n" ;

my $subject = "Code Red Virus Abuse" ;
my $text = "Subject: $subject\n\nThe following record snippet was detected in our web server logs. It would\nappear that one of your dial-up users has been infected with the code red virus\nand has not taken the appropriate actions to eliminate the problem. Please take\nthe appropriate action to alert the user to this breach of acceptable\nbehavior in the internet community.\n\n" ;
my $salutation = "\n\n--\nRegards\n<your name>" ;
my $program = "send" ;           # local mail submission command, given the file to send
my $from = "<abuse email>\@<your domain>" ;
my $bcc  = "<your email>\@<your domain>" ;

while ( <INPUT> ) {
    chomp ;
    my @a = split ' ' ;
    next unless @a ;                  # skip blank lines
    my $recipient = shift @a ;        # first field is the contact address
    my $log = join( " ", @a ) . "\n" ; # the rest is the log snippet
    my $message = "To: $recipient\nCc: $from\nBcc: $bcc\n" . $text . $log . $salutation ;

    # create a fresh temporary file safely: O_EXCL refuses a name that already exists
    my ( $name , $fh ) ;
    do { $name = tmpnam() } until $fh = IO::File->new( $name , O_RDWR | O_CREAT | O_EXCL ) ;
    print $fh $message ;
    $fh->close ;

    print "Send to $recipient\n" ;
    system( $program , $name ) ;      # list form: no shell involved
    unlink( $name ) or warn "Unable to unlink $name: $!\n" ;
}
close( INPUT ) ;
exit ;

You will need to change the lines with <your email>, <abuse email>, and <your domain> as appropriate. This will send out an email to the contact of the IP owner, cc'ing your abuse email contact, and bcc'ing a copy to the user in the bcc field. NOTE: the From field will contain the email address of the user running the program, not the abuse email address (unless they happen to be the same).

Sequence of commands:

cd /usr/local/apache/logs
./code.red.sh access_log > virushosts
sort -o virushosts.sorted virushosts
vi virushosts.sorted    # making changes noted above under code.red.sh
./codered.pl

--
regards,
allen wayne best, esq
"your friendly neighborhood rambler owner"
"my rambler will go from 0 to 105"
Current date: 0:36:12::216:2001
"Is this foreplay?" "No, this is Nuke Strike. Foreplay has lousy graphics. Beat me again."
-- Duckert, in "Bad Rubber," Albedo #0 (comics)
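As an added example (not part of the post above, and not Karsten's or Allen's code), the same pipeline in Python run against constructed Apache log lines: pick out the /default.ida probes, tell the N-padded Code Red from the X-padded Code Red II, group hits per client, turn an SOA RNAME into a mailbox (including the escaped-dot case the manual edit in the post glosses over), and compose the notice. The SOA lookup is a constructed table standing in for `dig -x`, since the example has to run offline; every address, IP and log line in it is made up, and nothing is actually sent.

```python
import re
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample access-log lines (Apache combined format), not real traffic.
# Three clients probe /default.ida (one of them twice); one line is ordinary traffic.
SAMPLE_LOG = """\
209.192.99.162 - - [02/Aug/2001:18:23:22 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 283 "-" "-"
198.51.100.7 - - [02/Aug/2001:19:01:05 -0700] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
203.0.113.45 - - [03/Aug/2001:02:14:51 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 283 "-" "-"
209.192.99.162 - - [03/Aug/2001:04:40:10 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 283 "-" "-"
192.0.2.9 - - [03/Aug/2001:05:00:00 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 283 "-" "-"
"""

# Client IP, timestamp and request line of a combined-format record.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3})'
)
# Code Red pads the query string with N, Code Red II with X: the "?NNNN..." /
# "?XXXX..." tail that the sed in the shell script strips off.
CODE_RED_RE = re.compile(r'^/default\.ida\?([NX])\1+')

# Constructed stand-in for `dig -x <ip> a | grep 'IN SOA'` (the RNAME field).
# A real run needs the network; IPs absent here play the post's "no SOA" cases.
SOA_RNAME = {
    "209.192.99.162": "dns.deltacom.net.",
    "203.0.113.45": "hostmaster.example.net.",
}

def code_red_variant(path):
    """Return 'Code Red' or 'Code Red II' for a worm probe path, else None."""
    m = CODE_RED_RE.match(path)
    if m is None:
        return None
    return "Code Red" if m.group(1) == "N" else "Code Red II"

def scan(log_text):
    """Group Code Red hits by client IP: ip -> [(timestamp, variant, snippet)]."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = LOG_RE.match(line)
        if rec is None:
            continue
        variant = code_red_variant(rec.group("path"))
        if variant is None:
            continue
        # same fields the shell script keeps: ip, [date tz], "GET /default.ida
        snippet = '%s [%s] "%s /default.ida' % (rec.group("ip"), rec.group("ts"), rec.group("method"))
        hits[rec.group("ip")].append((rec.group("ts"), variant, snippet))
    return dict(hits)

def rname_to_mailbox(rname):
    """SOA RNAME -> mailbox: drop the root dot, the first unescaped dot becomes '@',
    and '\\.' in the local part is unescaped ('john\\.doe.example.com.' ->
    'john.doe@example.com'). None when there is no domain part to mail to."""
    rname = rname.rstrip(".")
    local, i = [], 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])
            i += 2
        elif c == ".":
            return "".join(local) + "@" + rname[i + 1:]
        else:
            local.append(c)
            i += 1
    return None

def build_notice(contact, snippets, abuse_addr, bcc_addr):
    """Compose the abuse report the post's Perl script writes to a temp file."""
    msg = EmailMessage()
    msg["To"] = contact
    msg["Cc"] = abuse_addr
    msg["Bcc"] = bcc_addr
    msg["Subject"] = "Code Red Virus Abuse"
    msg.set_content(
        "The following record snippet was detected in our web server logs.\n"
        "It would appear that one of your dial-up users has been infected with\n"
        "the Code Red virus. Please alert the user.\n\n"
        + "\n".join(snippets) + "\n\n--\nRegards\n<your name>\n"
    )
    return msg

def notices(log_text, rname_lookup, abuse_addr, bcc_addr):
    """One message per infected client whose zone contact could be derived;
    clients without a usable SOA RNAME are returned separately for manual whois."""
    messages, unresolved = [], []
    for ip, entries in sorted(scan(log_text).items()):
        contact = rname_to_mailbox(rname_lookup.get(ip, ""))
        if contact is None:
            unresolved.append(ip)
            continue
        messages.append(build_notice(contact, [e[2] for e in entries], abuse_addr, bcc_addr))
    return messages, unresolved

if __name__ == "__main__":
    msgs, todo = notices(SAMPLE_LOG, SOA_RNAME, "abuse@example.org", "me@example.org")
    for m in msgs:
        print(m.as_string())
    print("needs manual lookup:", todo)
```

Running it prints two complete messages (one per resolvable client, the repeat offender's two hits in a single message) and lists 192.0.2.9 as needing a manual whois. Handing the message to a real submission program is the part left out; `EmailMessage.as_bytes()` gives the wire form if you want to pipe it to sendmail.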