Re: Apache Log Files
On Sun, 18 Aug 2002, Blars Blarson wrote:

> In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
[snip]
> >You might want to have a look at this:
> >
> > http://www.blars.org/hinfo.html
> >
[snip]
> >It doesn't seem to be packaged for Debian, which is a pity.
>
> Should I consider this a request?

Please do! I, for one, find it _very_ useful.

> I'm not a debian developer, but packaging this would probably be a
> good first one starting as a new maintainer, since I'm the upstream.

Good thinking (-;

Cheers,
Cristian
Re: Apache Log Files
On Sun, Aug 18, 2002 at 11:52:02AM +0200, Cristian Ionescu-Idbohrn wrote:
> Matthew,
>
> On Wed, 14 Aug 2002, Matthew Sackman wrote:
>
> [snip]
>
> > Does anyone know of a simple program that will return info on whois IP
> > lookup in a set format?
>
> You might want to have a look at this:
>
> http://www.blars.org/hinfo.html

Thank you to all who have replied. I have problems at the moment due to a
failed hard disc in my gateway, and my backup tape drive currently being in
another machine which I won't get back for a week, plus I'm about to go on
holiday. Bad timing, huh! Anyway, thanks to all who have suggested ways
forward. :)

Matthew

--
Matthew Sackman
Re: Apache Log Files
In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
>On Wed, 14 Aug 2002, Matthew Sackman wrote:
>> Does anyone know of a simple program that will return info on whois IP
>> lookup in a set format?
>You might want to have a look at this:
>
> http://www.blars.org/hinfo.html
>
>It returns some interesting info in this format:
>
>,
>| Processing zesa.co.zw (196.2.69.9)
>| abuse.net addresses:
>| [EMAIL PROTECTED] (default, no info)
>| 196.2.69.9 is zesa.co.zw
>| 196.2.69.9 is in ORDB open relays as 127.0.0.2
>| 196.2.69.9 is in osirusoft relays as 127.0.0.2
>| Verified open relay
>| 196.2.69.9 is in njabl as 127.0.0.2
>| spam source or open relay
>| 196.2.69.9 is in rfc-ignorant ipwhois as 127.0.0.6
>`
>
>It doesn't seem to be packaged for Debian, which is a pity.

Should I consider this a request?

I'm not a debian developer, but packaging this would probably be a good
first one starting as a new maintainer, since I'm the upstream. I've done
some rewriting since the last time I released; it's more efficient on most
non-US queries, as well as knowing about LACNIC and having some
restructuring of the configuration. It still needs a man page, and some
more work on the config setup. (I just thought of a few ideas on that while
I was writing this.)

While hinfo does do whois queries (that part of the code started out as a
copy of the geektools whois server, but it has diverged significantly), the
results are not easy for a computer to parse since the various whois
servers aren't consistent. The abuse.net and DNSBL sections of the code are
consistent, but it might be better to use them as examples of how to do it
rather than calling hinfo from a program.

--
Blars Blarson [EMAIL PROTECTED]
http://www.blars.org/blars.html
"Text is a way we cheat time." -- Patrick Nielsen Hayden
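The DNSBL checks that produce the "196.2.69.9 is in ... as 127.0.0.2" lines in the hinfo output quoted above work by reversing the address's octets, appending the list's zone and resolving the result; a 127.0.0.x answer means "listed" and the exact value is a list-specific code, while NXDOMAIN means "not listed". The following is an added example written for this thread, not hinfo's own code: the zone names are placeholders (the lists named in the output no longer exist), the meanings of the return codes are assumed from the quoted output, and DNS is replaced by a constructed in-memory table so it runs offline. It also handles one failure mode that bit many scripts of this kind: a dead list whose domain is re-registered with a wildcard record answers every query with a non-127 address, which a naive check would read as "everything is listed".

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNSBL configuration: placeholder zone names, and return-code
# meanings assumed from the hinfo output quoted in the thread (every list
# defines its own codes, so a real deployment takes these from the list's docs).
DNSBL_ZONES: Dict[str, str] = {
    "open-relay list (placeholder)": "relays.dnsbl.invalid",
    "ipwhois list (placeholder)": "ipwhois.dnsbl.invalid",
}
RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "spam source or open relay",
    "127.0.0.6": "unresponsive or bogus whois contact",
}

Resolver = Callable[[str], str]
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_lookup(ip: str, zone: str, resolve: Resolver = socket.gethostbyname) -> Optional[str]:
    """Return the A record the list answers with, or None when not listed (NXDOMAIN)."""
    try:
        return resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


def check_ip(ip: str, resolve: Resolver = socket.gethostbyname) -> List[Tuple[str, str, str]]:
    """Query every configured list; return (list name, answer, meaning) per hit.

    Answers outside 127.0.0.0/8 are reported as a broken list rather than as a
    listing, so a wildcarded dead zone cannot mark every address as bad.
    """
    hits: List[Tuple[str, str, str]] = []
    for name, zone in DNSBL_ZONES.items():
        answer = dnsbl_lookup(ip, zone, resolve)
        if answer is None:
            continue
        if ipaddress.IPv4Address(answer) not in LOOPBACK:
            hits.append((name, answer, "unexpected answer, treat list as broken"))
            continue
        hits.append((name, answer, RETURN_CODES.get(answer, "listed, code not documented here")))
    return hits


# Constructed stand-in for DNS so the example runs offline. The first two
# entries reproduce the answers shown in the quoted output for 196.2.69.9;
# the third simulates a wildcard record on a dead list.
FAKE_DNS: Dict[str, str] = {
    "9.69.2.196.relays.dnsbl.invalid": "127.0.0.2",
    "9.69.2.196.ipwhois.dnsbl.invalid": "127.0.0.6",
    "1.2.0.192.relays.dnsbl.invalid": "203.0.113.5",
}


def fake_resolve(name: str) -> str:
    """Minimal resolver over FAKE_DNS; NXDOMAIN is signalled like gethostbyname does."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN for {name}")


if __name__ == "__main__":
    for ip in ("196.2.69.9", "192.0.2.1", "192.0.2.99"):
        for list_name, answer, meaning in check_ip(ip, fake_resolve):
            print(f"{ip} is in {list_name} as {answer}: {meaning}")
```

Passing a resolver in as a parameter is what makes the logic testable without network access; swap `fake_resolve` for the default `socket.gethostbyname` to query real zones.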
Re: Apache Log Files
Matthew,

On Wed, 14 Aug 2002, Matthew Sackman wrote:

[snip]

> Does anyone know of a simple program that will return info on whois IP
> lookup in a set format?

You might want to have a look at this:

http://www.blars.org/hinfo.html

It returns some interesting info in this format:

,
| Processing zesa.co.zw (196.2.69.9)
| abuse.net addresses:
| [EMAIL PROTECTED] (default, no info)
| 196.2.69.9 is zesa.co.zw
| 196.2.69.9 is in ORDB open relays as 127.0.0.2
| 196.2.69.9 is in osirusoft relays as 127.0.0.2
| Verified open relay
| 196.2.69.9 is in njabl as 127.0.0.2
| spam source or open relay
| 196.2.69.9 is in rfc-ignorant ipwhois as 127.0.0.6
`

It doesn't seem to be packaged for Debian, which is a pity.

hth,
Cristian
Re: Apache Log Files
Don't bother; I've been through this. I found I wasted my time: 25% of the
admin addresses in the whois bounce, and trying to talk to the Asian whois
database about inaccurate admin contacts for the domains gets me no reply.
While my main problem is Korea, yours will be more "local", and while I
suppose many admins in Korea won't read English, I suspect many won't even
look, care or be able to fix the problem(s).

regards

Thing

Matthew Sackman wrote:
> Hi All,
>
> In apache log files I'm seeing a lot of bogus attacks. Using various
> software I can easily sort out which are Nimda, which are Code Red 1,
> Code Red 2 etc etc, and extract the IPs. That's all fine.
>
> What I then want to do is to do a whois on the IP, extract the name of
> the person who owns the IP and their email address and send them a
> suitable email.
>
> I've cobbled together various scripts and they kinda work, but the
> problem is that the whois record for IPs can be in about a dozen
> different formats, some of which are *very* unhelpful.
>
> Does anyone know of a simple program that will return info on whois IP
> lookup in a set format?
>
> Thanks,
>
> Matthew
>
> --
>
> Matthew Sackman
> Nottingham
> England
>
> BOFH Excuse Board:
> Someone was smoking in the computer room and set off the halon systems.
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Apache Log Files
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <[EMAIL PROTECTED]>, TOK writes:
>I've tried parsing the output of allwhois.com, a few regexps matching
>emails should work most times.

The abuse.net mail forwarder is also pretty useful for this kind of thing.
http://www.abuse.net/howwork.html

- --
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED]
"I have taken all knowledge to be my province." -F. Bacon [EMAIL PROTECTED]
"Human kind cannot bear very much reality." -T.S. Eliot [EMAIL PROTECTED]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)
Comment: Exmh version 2.5 07/13/2001

iD8DBQE9WveioayJfLoDSdIRAh0tAJ4nO2WNAjpQvehef/3Q61huuxv8WQCgu/NS
HgLA4cP3fnnTkcRkUa2n9DI=
=XKjs
-----END PGP SIGNATURE-----
Re: Apache Log Files
Hi Matthew,

I've tried parsing the output of allwhois.com; a few regexps matching
emails should work most times.

I was more interested in creating statistics (most used attack of the
week...) but gave up because of the hassle of manually updating the attack
signatures.

What software do you use to determine the (name of the) attack? Is there an
online database where the URLs, names and further info is not contained
within large quantities of text?

thanks,
tok
Re: Apache Log Files
On Wed, 14 Aug 2002 at 10:31:51PM +0100, Matthew Sackman wrote:
> Does anyone know of a simple program that will return info on whois IP
> lookup in a set format?

Perl and regexes work wonderfully :)

Side note: Korea's whois info is pretty much useless. Their whole country
has like... one giant ISP who really doesn't care much about US hacking
laws... oh well...

--
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/ | gpg --import
Apache Log Files
Hi All,

In apache log files I'm seeing a lot of bogus attacks. Using various
software I can easily sort out which are Nimda, which are Code Red 1, Code
Red 2 etc etc, and extract the IPs. That's all fine.

What I then want to do is to do a whois on the IP, extract the name of the
person who owns the IP and their email address and send them a suitable
email.

I've cobbled together various scripts and they kinda work, but the problem
is that the whois record for IPs can be in about a dozen different formats,
some of which are *very* unhelpful.

Does anyone know of a simple program that will return info on whois IP
lookup in a set format?

Thanks,

Matthew

--

Matthew Sackman
Nottingham
England

BOFH Excuse Board:
Someone was smoking in the computer room and set off the halon systems.
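The first half of the problem described in this post, sorting Apache log entries into Nimda, Code Red 1 and Code Red 2 hits and extracting the source IPs, is the part that can be done reliably, because the worms' request lines are fixed. The following is an added example written for this thread, not Matthew's scripts or any of the tools mentioned in the replies: it assumes the common/combined log format, uses the worms' well-known request signatures (Code Red 1 and 2 hit /default.ida with a run of N or X characters; Nimda probes for root.exe and cmd.exe, usually behind encoded "..\" traversal), and runs over constructed sample lines using documentation addresses. It also answers tok's question about statistics, since the output is a per-IP count of each worm, and it counts lines the parser rejected so that a format change does not silently drop records.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Apache common/combined log format: client IP, identd, user, timestamp,
# request line, status and size. The referer/user-agent fields that the
# combined format appends are not required, so both formats parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request-line signatures for the worms the post names, checked in order.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("Code Red 1", re.compile(r"^GET /default\.ida\?N+", re.I)),
    ("Code Red 2", re.compile(r"^GET /default\.ida\?X+", re.I)),
    ("Nimda", re.compile(r"/(root|cmd)\.exe(\?|\s|$)", re.I)),
]


def classify(request: str) -> Optional[str]:
    """Name the worm a request line matches, or None for ordinary traffic."""
    for name, pattern in SIGNATURES:
        if pattern.search(request):
            return name
    return None


def scan(lines: Iterable[str]) -> Tuple[Dict[str, Counter], int]:
    """Group worm hits by source IP; also count lines the parser rejected.

    Returns ({ip: Counter({worm: hits})}, unparsed_line_count). Aggregating per
    IP first matters: one infected host usually produces dozens of probes, and
    the abuse contact for it should be looked up once, not once per log line.
    """
    hits: Dict[str, Counter] = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        worm = classify(m.group("request"))
        if worm:
            hits[m.group("ip")][worm] += 1
    return dict(hits), unparsed


# Constructed sample log lines (RFC 5737 documentation addresses; the Code Red
# payloads are truncated after the N/X run, which is all the signature needs).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Aug/2002:22:31:51 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 400 325
192.0.2.10 - - [14/Aug/2002:22:32:07 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [14/Aug/2002:22:32:08 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
198.51.100.7 - - [14/Aug/2002:22:40:13 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 400 325
203.0.113.4 - - [14/Aug/2002:22:41:00 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
this line is not a log record
"""


if __name__ == "__main__":
    hits, unparsed = scan(SAMPLE_LOG.splitlines())
    for ip, worms in sorted(hits.items()):
        print(ip, dict(worms))
    print("unparsed lines:", unparsed)
```

Feed it a real file with `scan(open("/var/log/apache/access.log"))`; the per-IP counters are the input to whatever contact lookup follows, and the unparsed count is the first thing to check when the result looks too clean.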