
# $Header: /usr/local/sbin/RCS/scamlog,v 2.4 2002/03/21 19:06:32 samuel Exp samuel $
 # scamlog  log script companion to nimhunt

 # Copyright (C) 2001  Stephen Samuel, Vancouver, BC, Canada
 #  samuel@bcgreen.com
 #
 # This script is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Library General Public
 # License as published by the Free Software Foundation; either
 # version 2 of the License, or (at your option) any later version.
 #
 # You should have received a copy of the GNU Library General Public
 # License along with this program; if not, write to the
 # Free Software Foundation, Inc., 59 Temple Place - Suite 330,
 # Boston, MA 02111-1307, USA.
 # or check at www.gnu.org.

# who the email appears to be from:
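# who the email appears to be from: used for the Reply-To: header and as
# the envelope sender (sendmail -f) at the bottom of the script
export MailFrom=samuel@bcgreen.com

# fallback if the address above is blanked out: the login name.
# (the old form ${USER:$LOGAME} was a substring expansion with a
# misspelled variable, not a default value -- ${USER:-$LOGNAME} is what
# was meant)
if [ -z "$MailFrom" ] ; then
    MailFrom=${USER:-$LOGNAME}
fi

# $Log:$

# remember to change email_to

# If AutoMail is true, then email to the domain identified
# by the reverse DNS (via abuse.net).  Even when it is off, the domains
# in $MailToDomains below still get a copy.
AutoMail="true"

# $MailToDomains are domains to mail to, even if AutoMail is off...
# space separated.  The membership test further down pads the list with
# its own leading/trailing spaces, so none are needed here.
MailToDomains="bcgreen.com getyourassingear.com"

# $dot3domains are domains where it's best to send the complaint to the
# tertiary domain (i.e. wa.rr.com, rather than just rr.com)
# '|'-separated alternatives -- this string is spliced into an egrep
# pattern, so regex syntax applies.
dot3domains="rr.com|3partdomain.com"

# $email_to people get copies of all complaints (space separated)
email_to="nimhunt@bcgreen.com  samuel@bcgreen.com"

# email_to=root
# email_to="samuel "
# $email_to2 is filled in below with the <domain>@abuse.net address
# derived from the attacker's reverse DNS, when AutoMail applies.
email_to2=""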



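# ---------------------------------------------------------------------
# main body: collect the evidence for one attacking address and mail it
#
#   $1     attacking IP as it appears in the access log
#   $2     time of the scan (free text, echoed into the report)
#   $3...  any further text for the report
#   stdin  nimhunt's own log excerpt, pasted into the complaint verbatim
# ---------------------------------------------------------------------

# Every access-log line recorded for $ip.  This used to be an eval'd
# command string with $ip spliced into it; as a function the (regex
# escaped) address is only ever an argument to grep, never shell code.
access_log_lines() {
    grep -h -e "^$ip_re " /etc/httpd/logs/*access_log
}

ip=$1
time=$2
if [ $# -ge 2 ] ; then shift 2 ; else shift $# ; fi

# $ip comes from log parsing and ends up on the nslookup, traceroute and
# grep command lines.  Refuse anything that cannot be an address or host
# name rather than let shell or regex metacharacters through.
case $ip in
    ''|*[!0-9A-Za-z._:-]*)
        printf 'scamlog: refusing implausible address argument: %s\n' "$ip" >&2
        exit 2
        ;;
esac
# anchored log pattern with literal dots (an unescaped '.' matches any byte)
ip_re=$(printf '%s\n' "$ip" | sed 's/\./\\./g')

# requests for /scripts/ (the Nimda probe path) from this address; also
# decides whether the domain's abuse.net address gets a copy at all.
count=$(access_log_lines | grep -c 'GET /scripts/')

# Reverse DNS.  BIND-style nslookup answers a PTR query with a line of
# the form "<rev-addr><TAB>name = <host>"; take the host from the last
# such line (several PTRs collapse to the last one, as before) and drop
# the trailing dot if the name came back absolute.
name=$ip
RunTraceroute=true
tab=$(printf '\t')
ptr=$(nslookup -silent "$ip" 2>/dev/null | grep "${tab}name =" | awk '{last=$NF} END {print last}')
ptr=${ptr%.}
# The PTR record is set by whoever runs the reverse zone for $ip -- the
# attacker's side.  It goes into mail headers and, via $email_to2, onto
# the sendmail command line, so accept it only if it looks like a host
# name; otherwise report the bare IP and traceroute, as for a missing PTR.
case $ptr in
    ''|*[!A-Za-z0-9._-]*) ;;
    *) name=$ptr ; RunTraceroute=false ;;
esac

if [ "$RunTraceroute" = false ] ; then
    # Domain to compare against $MailToDomains: the last two labels, or
    # the last three for the providers listed in $dot3domains.
    if printf '%s\n' "$name" | grep -E -q "\.($dot3domains)$" ; then
        dns_dom=$(printf '%s\n' "$name" | sed -n 's/.*\.\([^. ][^. ]*\.[^. ][^. ]*\.[^. ][^. ]*\)\.*$/\1/p')
    else
        dns_dom=$(printf '%s\n' "$name" | sed -n 's/.*\.\([^. ][^. ]*\.[^. ][^. ]*\)\.*$/\1/p')
    fi
    # Whole-word, case-insensitive membership test -- hence the padding
    # spaces on both sides.  -F because $dns_dom is data, not a pattern;
    # -q because the matched line has no business on stdout.
    if [ -n "$dns_dom" ] && printf ' %s \n' "$MailToDomains" | grep -qiF -- " $dns_dom " ; then
        AutoMail=true
    fi
    # Copy the responsible domain through abuse.net, but only if probes
    # were actually logged and only if a domain could be extracted (an
    # empty one would yield the bogus recipient "@abuse.net").
    if [ "$AutoMail" = true ] && [ "$count" -gt 0 ] ; then
        abuse_dom=$(printf '%s\n' "$name" | sed -n 's/\(.*\.\)*\([^. ][^. ]*\.[^. ][^. ]*\)\.*$/\2/p')
        if [ -n "$abuse_dom" ] ; then
            email_to2="$abuse_dom@abuse.net"
        fi
    fi
fi

# One recipient list for both the To: header and sendmail's argv.  An
# empty $email_to2 used to be passed as an empty argument; now it is
# simply left out.
recipients="$email_to${email_to2:+ $email_to2}"

# shellcheck disable=SC2086 -- $recipients is a space separated list
{
    printf 'Reply-To: %s\n' "$MailFrom"
    printf 'Subject: nimhunt 2.3 auto log (%s) for  %s\n' "$count" "$name"
    printf 'To: %s\n' "$recipients"
    echo ''
    echo "The machine $name  appears to be the source of a Nimda"
    echo "type scan.  Please inform the affected user that (s)he needs to update"
    echo "the system, and remove the virus (or stop scanning prople)."
    echo ''
    echo "possible nimda  scan detected from IP $ip ($name) at $time $* "
    echo ''
    echo "    (for further clarity, $name is the ATTACKING system)"
    echo ''
    echo "NOTE: Times are now GMT"
    echo ''
    if [ "$RunTraceroute" = true ] ; then
        echo ' (damn.. reverse DNS failed -- using traceroute )'
        # Drop the hops that timed out.  The old "fgrep -v '\* \* \*'"
        # looked for literal backslashes (fgrep is fixed-string) and so
        # filtered nothing.
        traceroute "$ip" | grep -Fv -- '* * *' | tail -5
    fi
    echo ''
    cat                                 # nimhunt's log excerpt from stdin
    echo ''
    echo ______________________________________
    echo 'from apache access log:'
    echo ''
    access_log_lines
    echo ==================================================
    echo ==================================================
    echo ''
    printf 'attack from machine name:: %s ip:: %s\n' "$name" "$ip"
} | sendmail -U -f "$MailFrom" -- $recipients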
