Re: [leaf-user] Identifying the "scanning" culprit???
On Wednesday 21 August 2002 08:33, David Douthitt wrote:
> Why not just use jwhois (or other whois client)?

Personally, since I have several full-blown *NIX distros available here, I simply use the "whois" command. This queries your ISP's nameserver(s), which works for me since I already know what is on my LAN. I'll definitely have to check out "jwhois", thanks again David! ;-)

--
~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!

---
This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Identifying the "scanning" culprit???
Hi David,

--- David Douthitt <[EMAIL PROTECTED]> wrote:
> On Tue, Aug 20, 2002 at 09:40:57AM -0700, Cass Tolken wrote:
>
> > Arin is for American IPs, you can further modify my script modifications to
> > include European, Asian, etc. IPs as an exercise ;)
>
> Why not just use jwhois (or other whois client)?

[snip]

I'd have to have known that it existed for me to use it ;). Thanks for the info!

__
Do You Yahoo!?
HotJobs - Search Thousands of New Jobs
http://www.hotjobs.com
Re: [leaf-user] Identifying the "scanning" culprit???
On Tue, Aug 20, 2002 at 09:40:57AM -0700, Cass Tolken wrote:

> Arin is for American IPs, you can further modify my script modifications to
> include European, Asian, etc. IPs as an exercise ;)

Why not just use jwhois (or other whois client)? Jwhois is a GNU project and automatically knows which NIC to use.

I might add that not only are there (for example) different NICs for *.de, *.kr, and *.com - but also for looking up IP addresses... Jwhois automatically knows about all the different NICs and uses the right one.

If you look in my development directory on LEAF's SF page, there is a jwhois.lrp - and I think it needs a library (libm perhaps) which should also be there.

http://leaf.sf.net/devel/ddouthitt/packages/jwhois.lrp
http://leaf.sf.net/devel/ddouthitt/packages/libm.lrp

It may be compiled against glibc 2.1, so if you are using glibc 2.0 (Dachstein?) and it core dumps or something, that's why.
RE: [leaf-user] Identifying the "scanning" culprit???
Hi Joey

There's nothing wrong with what Cass is telling you, but I get the impression a simpler approach might also be suitable. There already exist online tools to do just what you are trying to do. I generally use the following site, but there are others (try Googling for "ipwhois")

http://www.dnsstuff.com/

It's just a single webpage with a lot of handy DNS-related lookup tools on it. The IPWHOIS one is the one you want - enter the IP address you're interested in into the box and click the button.

cheers
Julian
--
[EMAIL PROTECTED]
www.ljchurch.co.uk
Re: [leaf-user] Identifying the "scanning" culprit???
I have similar scripts written for the Dachstein or Eiger dists. Take a look at http://vette66.com

Chuck

----- Original Message -----
From: "Cass Tolken" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "LEAF" <[EMAIL PROTECTED]>
Sent: Tuesday, August 20, 2002 1:02 PM
Subject: RE: [leaf-user] Identifying the "scanning" culprit???

> Hi Joey,
>
> Ah! You left off the "not" in your original post (BIG difference ;).
> Ya, if you followed the thread, it was for weblet in the Bering distro.
> I don't know what's different in the Dachstein version, perhaps someone
> else on the list can incorporate similar modifications and post.
>
> --- Joey Officer <[EMAIL PROTECTED]> wrote:
> > I looked in cgi-bin/* but did not find a viewhits, under dachstein the file
> > (equivalent I assume) is viewlogs. Again I'm not familiar w/ the html and
> > all of this, but I'd like to do this to at least let the offending machines
> > be aware of my dissatisfaction...
> >
> > Joey
> >
> > -----Original Message-----
> > From: Cass Tolken [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, August 20, 2002 11:41 AM
> > To: [EMAIL PROTECTED]; LEAF
> > Subject: RE: [leaf-user] Identifying the "scanning" culprit???
> >
> > Hi Joey,
> >
> > I mentioned below in my example that the modification is in
> > /var/sh-www/cgi-bin/viewhits specifically under the "hitssort" clause of
> > the "case" construct. I also mentioned I do this in the "messages" and "x"
> > too... but I figured it was easier to just post the whole scripts (I sent the
> > URL in a previous e-mail)
> >
> > Arin is for American IPs, you can further modify my script modifications to
> > include European, Asian, etc. IPs as an exercise ;)
> >
> > http://www.ripe.net/perl/whois/
> > http://www.apnic.net/apnic-bin/whois2.pl
> > etc.
> >
> > --- Joey Officer <[EMAIL PROTECTED]> wrote:
> > > Judging from what it sounds I could click on the link and automagically do a
> > > search on that hit. I like it. But I'm very familiar with writing any kind
> > > of html lines. Are the lines you posted below ready for input into a
> > > Dachstein weblet config. And specifically which files would I modify...
> > >
> > > Sorry for being ignorant on the matter...
> > >
> > > Joey
> [snip]
Re: [leaf-user] Identifying the "scanning" culprit???
Hi Craig,

--- Craig <[EMAIL PROTECTED]> wrote:
> Hi folks,
> I've copied the files that Cass referred to earlier to my
> /var/sh-www/cgi-bin directory, and I've issued the following
> commands...but my weblet just shows blank screens when I try to view the
> logs-Hmmm, I wonder what I'm doing wrong. After copying the files I-

There are a couple of things I can think of. How did you save the files? Was there a Windows editor involved anywhere in this process? I ask because Windows and *nix have different ideas about end of line characters and this has caused scripts NOT to work for me in the past.

Can you check the following file sizes to see if you downloaded them correctly?

# cd /var/sh-www/cgi-bin
# ls -l viewhits viewmasq
-rwxr-xr-x 1 sh-httpd adm 2807 Aug 9 09:12 viewhits
-rwxr-xr-x 1 sh-httpd adm 1842 Jul 26 06:38 viewmasq

If the file sizes DO NOT match, you should download them again from my URL but this time RIGHT-CLICK the link from your browser and do a "save target as." Hopefully this is what's causing your problem.

The only other thing I can think of is the ownership:

# chown sh-httpd:adm viewhits viewmasq

If it's not either of these things then I don't know what else it could be. Have you checked /var/log/syslog?

[snip]
> Saved, backed up...and I just get blank weblet screens (but no apparent
> error messages) when I view weblet through my browser. Any suggestions?
> Thank you.

If all else fails you can always restore the original weblet.lrp package from the original Bering floppy.
RE: [leaf-user] Identifying the "scanning" culprit???
Hi Joey,

Ah! You left off the "not" in your original post (BIG difference ;). Ya, if you followed the thread, it was for weblet in the Bering distro. I don't know what's different in the Dachstein version, perhaps someone else on the list can incorporate similar modifications and post.

--- Joey Officer <[EMAIL PROTECTED]> wrote:
> I looked in cgi-bin/* but did not find a viewhits, under dachstein the file
> (equivalent I assume) is viewlogs. Again I'm not familiar w/ the html and
> all of this, but I'd like to do this to at least let the offending machines
> be aware of my dissatisfaction...
>
> Joey
>
> -----Original Message-----
> From: Cass Tolken [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 20, 2002 11:41 AM
> To: [EMAIL PROTECTED]; LEAF
> Subject: RE: [leaf-user] Identifying the "scanning" culprit???
>
> Hi Joey,
>
> I mentioned below in my example that the modification is in
> /var/sh-www/cgi-bin/viewhits specifically under the "hitssort" clause of
> the "case" construct. I also mentioned I do this in the "messages" and "x"
> too... but I figured it was easier to just post the whole scripts (I sent the
> URL in a previous e-mail)
>
> Arin is for American IPs, you can further modify my script modifications to
> include European, Asian, etc. IPs as an exercise ;)
>
> http://www.ripe.net/perl/whois/
> http://www.apnic.net/apnic-bin/whois2.pl
> etc.
>
> --- Joey Officer <[EMAIL PROTECTED]> wrote:
> > Judging from what it sounds I could click on the link and automagically do a
> > search on that hit. I like it. But I'm very familiar with writing any kind
> > of html lines. Are the lines you posted below ready for input into a
> > Dachstein weblet config. And specifically which files would I modify...
> >
> > Sorry for being ignorant on the matter...
> >
> > Joey

[snip]
RE: [leaf-user] Identifying the "scanning" culprit???
I looked in cgi-bin/* but did not find a viewhits, under dachstein the file (equivalent I assume) is viewlogs. Again I'm not familiar w/ the html and all of this, but I'd like to do this to at least let the offending machines be aware of my dissatisfaction...

Joey

-----Original Message-----
From: Cass Tolken [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 20, 2002 11:41 AM
To: [EMAIL PROTECTED]; LEAF
Subject: RE: [leaf-user] Identifying the "scanning" culprit???

Hi Joey,

I mentioned below in my example that the modification is in /var/sh-www/cgi-bin/viewhits specifically under the "hitssort" clause of the "case" construct. I also mentioned I do this in the "messages" and "x" too... but I figured it was easier to just post the whole scripts (I sent the URL in a previous e-mail)

Arin is for American IPs, you can further modify my script modifications to include European, Asian, etc. IPs as an exercise ;)

http://www.ripe.net/perl/whois/
http://www.apnic.net/apnic-bin/whois2.pl
etc.

--- Joey Officer <[EMAIL PROTECTED]> wrote:
> Judging from what it sounds I could click on the link and automagically do a
> search on that hit. I like it. But I'm very familiar with writing any kind
> of html lines. Are the lines you posted below ready for input into a
> Dachstein weblet config. And specifically which files would I modify...
>
> Sorry for being ignorant on the matter...
>
> Joey
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Cass Tolken
> Sent: Tuesday, August 20, 2002 9:40 AM
> To: Craig; LEAF
> Subject: Re: [leaf-user] Identifying the "scanning" culprit???
>
> Hello again Craig,
>
> If you're using weblet (Bering comes with it default) you can do something
> like this:
>
> in /var/sh-www/cgi-bin/viewhits, hitssort)
>
> sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\<\/td\>\\ href=\"http:\/\/ws.arin.net\/cgi-bin\/whois.pl?queryinput=\3\"\>Arin\<\/a\> - \ href=\"viewhits?x_\3\"\>\3\<\/a\><\/td\>\\1\<\/td\>\<\/tr\>/'|\
>
> so that I can just click to query arin. I also do this in "messages" and "x"
> in the viewhits script. You should be able to figure out how from this
> example (hopefully ;).

[snip]
RE: [leaf-user] Identifying the "scanning" culprit???
Judging from what it sounds I could click on the link and automagically do a search on that hit. I like it. But I'm very familiar with writing any kind of html lines. Are the lines you posted below ready for input into a Dachstein weblet config. And specifically which files would I modify...

Sorry for being ignorant on the matter...

Joey

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Cass Tolken
Sent: Tuesday, August 20, 2002 9:40 AM
To: Craig; LEAF
Subject: Re: [leaf-user] Identifying the "scanning" culprit???

Hello again Craig,

If you're using weblet (Bering comes with it default) you can do something like this:

in /var/sh-www/cgi-bin/viewhits, hitssort)

sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\<\/td\>\\Arin\<\/a\> - \\3\<\/a\><\/td\>\\1\<\/td\>\<\/tr\>/'|\

so that I can just click to query arin. I also do this in "messages" and "x" in the viewhits script. You should be able to figure out how from this example (hopefully ;).

--- Craig <[EMAIL PROTECTED]> wrote:
> Hi folks,
> I often see a lot of messages in my Bering logs from the 12.246.x.x
> network, which I suspect is my ISP. Is there any way you can accurately
> identify who a network/subnet belongs to? Thank you.
>
> Craig
Re: [leaf-user] Identifying the "scanning" culprit???
Hi Craig,

It might be easier to just upload my scripts so that you (or anyone else interested) can download them. Beware ugly Geocities page!! ;)

http://www.geocities.com/casstolk/index.html

Have fun!

--- Craig <[EMAIL PROTECTED]> wrote:
> Hi Cass,
> Wow...that looks pretty cool. Unfortunately, I don't understand how to
> use your script. If you could explain it to me (if you have a moment),
> that would be great. Do I enter this script in a file somewhere? Which
> file do I back-up to save it? Thank you.
[leaf-user] Identifying the "scanning" culprit???
Hi Cass,

Wow...that looks pretty cool. Unfortunately, I don't understand how to use your script. If you could explain it to me (if you have a moment), that would be great. Do I enter this script in a file somewhere? Which file do I back-up to save it? Thank you.

Craig
Re: [leaf-user] Identifying the "scanning" culprit???
Hello again Craig,

If you're using weblet (Bering comes with it default) you can do something like this:

in /var/sh-www/cgi-bin/viewhits, hitssort)

sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\<\/td\>\\Arin\<\/a\> - \\3\<\/a\><\/td\>\\1\<\/td\>\<\/tr\>/'|\

so that I can just click to query arin. I also do this in "messages" and "x" in the viewhits script. You should be able to figure out how from this example (hopefully ;).

--- Craig <[EMAIL PROTECTED]> wrote:
> Hi folks,
> I often see a lot of messages in my Bering logs from the 12.246.x.x
> network, which I suspect is my ISP. Is there any way you can accurately
> identify who a network/subnet belongs to? Thank you.
>
> Craig
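
The idea in the message above, as an added example that is not Cass's viewhits script and not part of the original thread: count hits per SRC= address in netfilter-style log lines and print one HTML table row per source with a whois link. The function names, the WHOIS_URL variable and the log lines are assumptions constructed for illustration; the URL prefix is the one quoted in the thread, and only well-formed IPv4 addresses are written into the markup.

```shell
#!/bin/sh
# Added example, not Cass's viewhits script: tally firewall-log hits per
# source address and print one HTML table row per source with a whois link.

# Whois URL prefix quoted in the thread; WHOIS_URL is a hypothetical override.
WHOIS_URL=${WHOIS_URL:-'http://ws.arin.net/cgi-bin/whois.pl?queryinput='}

# hits_to_rows (hypothetical name): log lines on stdin, HTML rows on stdout.
hits_to_rows() {
    awk '
    # Accept only a dotted quad with every octet in 0..255, so no other
    # text from a log line can end up inside the generated markup.
    function valid_ipv4(s,    o, n, i) {
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
        n = split(s, o, ".")
        for (i = 1; i <= n; i++)
            if (length(o[i]) > 3 || o[i] + 0 > 255) return 0
        return 1
    }
    {
        # Use the first field that starts with SRC= (the packet source).
        for (f = 1; f <= NF; f++)
            if (index($f, "SRC=") == 1) {
                ip = substr($f, 5)
                if (valid_ipv4(ip)) count[ip]++
                break
            }
    }
    END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' | sort -k1,1nr -k2,2 | while read -r n ip; do
        # Busiest source first; the address is the only log text emitted.
        printf '<tr><td>%s</td><td><a href="%s%s">%s</a></td></tr>\n' \
            "$n" "$WHOIS_URL" "$ip" "$ip"
    done
}

# Constructed sample log lines (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
Aug 20 09:12:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=3345 DPT=80
Aug 20 09:12:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=3346 DPT=443
Aug 20 09:13:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=1025 DPT=22
Aug 20 09:13:44 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=3347 DPT=8080
Aug 20 09:14:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.300 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=1 DPT=80
Aug 20 09:14:09 fw kernel: IN=eth0 OUT= SRC=bogus"><i> DST=203.0.113.5 LEN=48 PROTO=TCP SPT=2 DPT=80
EOF
}

sample_log | hits_to_rows
```

The last two sample lines carry a malformed SRC= field and produce no row, which is the difference from pasting whatever follows SRC= straight into the href.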
Re: [leaf-user] Identifying the "scanning" culprit???
Hi Craig,

Try: http://ws.arin.net/cgi-bin/whois.pl

--- Craig <[EMAIL PROTECTED]> wrote:
> Hi folks,
> I often see a lot of messages in my Bering logs from the 12.246.x.x
> network, which I suspect is my ISP. Is there any way you can accurately
> identify who a network/subnet belongs to? Thank you.
[leaf-user] Identifying the "scanning" culprit???
Hi folks,

I often see a lot of messages in my Bering logs from the 12.246.x.x network, which I suspect is my ISP. Is there any way you can accurately identify who a network/subnet belongs to? Thank you.

Craig