who-hacked.pl
#!/usr/bin/perl
=pod
=head1 NAME
who-hacked.pl - Print a list of people who tried to hack your system
=head1 SYNOPSIS
who-hacked.pl <error-log> [<error-log>...]
=head1 DESCRIPTION
The I<who-hacked.pl> program analyzes the error logs and prints a list
of people who tried to break into the system.
The program uses a simple technique to detect hacking
entries, specifically
1) Attempts to access any URL with the word "winnt" in it.
2) Attempts to access a cgi script which doesn't exist.
3) Attempts to use the "%2E" (URL-encoded ".") trick.
=head1 NOTE
There are better security solutions out there.
You may want to check out http://www.snort.org for
one.
=head1 EXAMPLE
who-hacked.pl /var/log/httpd/error*
561 192.168.0.30 vcr.oualline.com
16 69.46.195.55 --unknown--
8 66.193.160.126 --unknown--
7 208.34.72.10 --unknown--
6 66.193.231.55 shiva.gameanon.net
5 65.207.49.69 host69.aetherquest.com
4 212.253.2.202 --unknown--
1 67.127.197.89 adsl-67-127-197-89.dsl.lsan03.pacbell.net
1 208.57.32.21 san-cust-208.57.32.21.mpowercom.net
1 218.1.164.46 --unknown--
1 207.192.252.238 cm-207-192-252-238.stjoseph.mo.npgco.com
1 64.79.3.92 Host03.ImageSnap.Com
1 202.107.202.14 --unknown--
1 207.192.241.9 --unknown--
=head1 AUTHOR
Steve Oualline, E<lt>[email protected]<gt>.
=head1 COPYRIGHT
Copyright 2005 Steve Oualline.
This program is distributed under the GPL.
=cut
#
# Print out a list of who tried to hack
# the system.
#
# Uses a simple technique to detect hacking
# entries, specifically
#
# 1) Attempts to access any URL with the word
# "winnt" in it.
# 2) Attempts to access a cgi script which doesn't
# exist.
# 3) Attempts to use the "%2E" (URL-encoded ".") trick.
#
# Usage:
# who-hacked.pl <error_log> [<error_log> ...]
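use strict;
use warnings;
use Socket;    # For AF_INET and inet_aton

# Patterns that mark a request as a break-in attempt.  Each one is a
# request for something no legitimate visitor of this site asks for.
my @ATTACK_PATTERNS = (
    qr/winnt/,      # probing for the Windows NT system directory
    qr/cgi-bin/,    # requests for CGI scripts that do not exist
    qr/%2E/i,       # "%2E" is an encoded '.'; the hex digits of a URL
                    # escape are case-insensitive, so "%2e" counts too
);

# How many of the most active addresses to report.
my $TOP_N = 25;

# Name printed for an address that has no reverse DNS entry.
my $UNKNOWN_HOST = '--unknown--';

# client_of($line) -- return the client address from an error-log
# line of the form "... [client 1.2.3.4] ...", or nothing when the
# line has no such field.
sub client_of {
    my ($line) = @_;
    return unless $line =~ /client ([^\]]*)\]/;
    return $1;
}

# is_attack($line) -- true when the line matches one of the
# @ATTACK_PATTERNS, false otherwise.
sub is_attack {
    my ($line) = @_;
    for my $pattern (@ATTACK_PATTERNS) {
        return 1 if $line =~ $pattern;
    }
    return 0;
}

# count_attacks($fh, \%counts) -- read every line from $fh and add
# one to $counts{$client} for each attack line.  Lines with no client
# field are skipped: there is nobody to attribute them to, and a
# missing field must not become a bogus "" entry (the old code
# counted such lines under an undefined key, with warnings).
# Returns the number of lines charged to an address.
sub count_attacks {
    my ($fh, $counts) = @_;
    my $charged = 0;
    while (my $line = <$fh>) {
        next unless is_attack($line);
        my $who = client_of($line);
        next unless defined $who;
        $counts->{$who}++;
        $charged++;
    }
    return $charged;
}

# top_attackers(\%counts, $n) -- the $n busiest addresses as a list of
# { hacker => ADDRESS, count => N } hashes, most active first.  Ties
# are broken by address so repeated runs print the same order (hash
# key order is not stable between runs).  Returns fewer than $n
# entries when there are fewer addresses, and nothing for no input.
sub top_attackers {
    my ($counts, $n) = @_;
    my @ranked = sort {
                     $b->{count} <=> $a->{count}
                  || $a->{hacker} cmp $b->{hacker}
                 }
                 map { +{ hacker => $_, count => $counts->{$_} } }
                 keys %$counts;
    splice(@ranked, $n) if @ranked > $n;
    return @ranked;
}

# host_name_of($address) -- the reverse-DNS name of an address, or
# $UNKNOWN_HOST when the address cannot be converted (inet_aton
# returned undef) or has no PTR record.  The name comes from DNS that
# is controlled by whoever owns the address, so it is informational
# only; it is not checked against a forward lookup.
sub host_name_of {
    my ($address) = @_;
    my $iaddr = inet_aton($address);
    return $UNKNOWN_HOST unless defined $iaddr;
    my ($name) = gethostbyaddr($iaddr, AF_INET);
    return defined $name ? $name : $UNKNOWN_HOST;
}

# printable($text) -- return a copy of $text with every byte outside
# printable ASCII replaced by '?'.  The address comes from a log line
# and the host name from DNS; both are influenced by the remote side,
# so control characters (terminal escapes in particular) must not
# reach the screen unchanged.
sub printable {
    my ($text) = @_;
    (my $clean = $text) =~ s/[^\x20-\x7E]/?/g;
    return $clean;
}

# main() -- tally the logs named on the command line (standard input
# when none are given, or for an argument of "-") and print the top
# $TOP_N addresses, one per line: count, address, host name.
sub main {
    my %hackers;    # attack count per client address

    # Files are opened by name with three-argument open rather than
    # through <>, so an argument such as "cmd|" is a file name, never
    # a command to run.  A file that cannot be opened is reported and
    # skipped, as <> would do.
    my @inputs = @ARGV ? @ARGV : ('-');
    for my $file (@inputs) {
        my $fh;
        if ($file eq '-') {
            $fh = \*STDIN;
        }
        elsif (not open($fh, '<', $file)) {
            warn "Can't open $file: $!\n";
            next;
        }
        count_attacks($fh, \%hackers);
        close($fh) unless $file eq '-';
    }

    for my $entry (top_attackers(\%hackers, $TOP_N)) {
        printf "%3d %-16s %s\n",
            $entry->{count},
            printable($entry->{hacker}),
            printable(host_name_of($entry->{hacker}));
    }
    return;
}

# Run only when executed as a script, so the subs above can be loaded
# and tested without reading any log.
main() unless caller;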