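#!/usr/bin/perl
# IISBLOCK - Infected IIS server blocking utility.
# by Bill Larson <blarson@compu.net> of Compu-Net Enterprises.
# http://www.compu.net. This header must be kept intact if you
# wish to redistribute the script.
#
# Scans the web server access log for requests that probe
# /winnt/system32/ (the signature of IIS worm traffic), records each
# probing host once in $infection, inserts an ipchains DENY rule for
# it, and appends the matching removal command to the $removelist
# shell script so the rules can be cleared later (chmod 700 it first).
#
# Every host string comes out of the access log, i.e. it is
# attacker-controlled.  It is therefore validated against an anchored
# hostname/IP pattern before it reaches ipchains or the shell script,
# and ipchains is invoked in list form so no shell ever sees it.

use strict;
use warnings;

my $weblog     = "/etc/www/logs/access_log";
my $infection  = "/root/infected";
my $removelist = "/root/fwclean";

# Hosts already recorded in $infection, plus any added during this run.
my %blocked = map { $_ => 1 } read_blocked($infection);

# (Re)create the removal script so that it can be chmod'ed and run to
# automatically clear the firewall rules added below.
open(my $rm_fh, '>', $removelist) or die "open $removelist: $!";
print {$rm_fh} "#!/bin/sh\n";
close($rm_fh) or die "close $removelist: $!";

# Open the web server log file specified above and start processing.
open(my $log_fh, '<', $weblog) or die "open $weblog: $!";
LINE: while (my $line = <$log_fh>) {
    chomp $line;

    # Pattern match on IIS attempts, then strip the request down to the
    # hostname/IP address (everything from the first " -" onward goes).
    next LINE unless $line =~ m{/winnt/system32/};
    $line =~ s/ -.*//;

    # This host is infected, so let's do something about it.
    infected($line);
}
close($log_fh);

# Return the hosts listed one per line in $path.  A missing file means
# nothing has been blocked yet; any other open failure is reported.
sub read_blocked {
    my ($path) = @_;
    my @hosts;
    if (open(my $fh, '<', $path)) {
        while (my $host = <$fh>) {
            chomp $host;
            push @hosts, $host if length $host;
        }
        close($fh);
    }
    elsif (not $!{ENOENT}) {
        warn "open $path: $!\n";
    }
    return @hosts;
}

# Validate a host string taken from the log.  Returns the host when it
# consists only of letters, digits, dots and hyphens (a hostname or an
# IPv4 address) and is at most 253 characters; returns nothing
# otherwise.  Anything that fails this check must never reach ipchains
# or the removal shell script.
sub clean_host {
    my ($raw) = @_;
    return unless defined $raw;
    return unless length($raw) <= 253;
    my ($host) = $raw =~ /\A([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)\z/;
    return $host;
}

# Block a host the first time it is seen: record it in $infection,
# insert the firewall rule and append the matching removal command.
# Takes the host string extracted from a log line; returns nothing.
sub infected {
    my ($raw) = @_;

    my $host = clean_host($raw);
    if (not defined $host) {
        # Show the rejected value, with non-printables masked so a crafted
        # log entry cannot smuggle control characters into the terminal.
        (my $shown = defined $raw ? $raw : '') =~ s/[^[:print:]]/?/g;
        warn "ignoring unexpected host string from log: '$shown'\n";
        return;
    }

    # Only take action once per host (across runs via $infection, and
    # within this run via %blocked).
    return if $blocked{$host}++;

    # Time to add to the list of infected hosts.
    open(my $inf_fh, '>>', $infection) or die "open $infection: $!";
    print {$inf_fh} "$host\n";
    close($inf_fh) or die "close $infection: $!";

    # Add using the specified add command.  List-form system() passes
    # $host as a single argument and never goes through /bin/sh.  The
    # firewall software prints an error on invalid hostnames; zap those
    # one at a time manually.
    my $status = system('/sbin/ipchains', '-I', 'input', '-s', $host,
                        '-j', 'DENY', '-l');
    if ($status != 0) {
        my $why = $status == -1 ? $! : "exit status " . ($status >> 8);
        warn "ipchains -I failed for $host: $why\n";
        return;    # no rule was added, so there is nothing to remove later
    }

    # Write the firewall removal line to the remove list file; modify
    # this line for your specific firewall software.  $host passed
    # clean_host() above, so it contains no shell metacharacters.
    open(my $rm_fh, '>>', $removelist) or die "open $removelist: $!";
    print {$rm_fh} "/sbin/ipchains -D input -s $host -j DENY -l\n";
    close($rm_fh) or die "close $removelist: $!";
    return;
}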