I have been getting nailed by this Nimda thing and have
written this hack for getting IP addresses to filter or
block via an access list at the router.
Only for Apache, sorry. It picks up all the guys hitting
for the current month, and you must have POSIX gawk installed. At worst you could take the output:
# Resolve each address the parser reports; the command substitution is
# word-split, so every whitespace-separated token becomes one iteration.
# Replace "-options" with the host(1) flags you actually want.
for i in $(bin/log_parser); do
  host -options "$i"
done
to get name resolution and then send them some mail.
---------------------------------------------------cut here
#!/bin/sh
#log_parser
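fine_filt() {
  # Reduce each "[client A.B.C.D] ..." fragment produced by all_sol to the
  # bare address: drop the "[client" tag, then everything from the closing
  # bracket onward.  Blanks around the address are left in place; callers
  # word-split the output.
  #
  # Inputs:  log fragments on stdin, one per line
  # Outputs: one address per line on stdout
  # Returns: awk status
  awk '{
    gsub(/\[client/, "", $0)
    gsub(/\].*/, "", $0)
    # The original action had no output statement, so the filter emitted
    # nothing at all; the cleaned record has to be printed explicitly.
    print
  }'
}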
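all_sol() {
  # Print the " [client A.B.C.D] ..." fragment of every error_log line that
  # records a Code Red / Nimda probe (a request for default.ida or cmd.exe)
  # made in the current month.  Output is sorted and de-duplicated.
  #
  # Arguments: $1 - error log to scan (optional; defaults to the Apache
  #                 error_log path used by the original)
  # Outputs:   26-character log fragments on stdout, one per hit
  # Returns:   status of the awk | sort pipeline
  F="${1:-/var/log/httpd/error_log}"
  # Month abbreviation exactly as it sits inside the log timestamp, e.g.
  # " Sep ".  LC_ALL=C keeps it in English like Apache's own timestamps;
  # taking it from date(1) instead of gawk's strftime() lets any POSIX awk run
  # this.
  MON=" $(LC_ALL=C date +%b) "
  awk -v mon="$MON" '
    # Both probe patterns must also fall in the current month.  The original
    # test was "a || b && c": && binds tighter, so default.ida hits from any
    # month slipped through.  index() is a fixed-string test for the month.
    ($0 ~ /default\.ida/ || $0 ~ /cmd\.exe/) && index($0, mon) {
      # Split around the "[date] [error]" prefix; the text after it begins
      # with " [client A.B.C.D] ...".  Splitting only on matching lines and
      # iterating by index fixes the original, which re-printed the previous
      # match for every non-matching line and wrote to an uninitialised key
      # (p_arr[x]) while iterating the same array.
      n = split($0, part, /\[.*\] \[error\]/)
      for (i = 1; i <= n; i++) {
        # part[1] is the empty text before the prefix; skip it instead of
        # emitting a blank line.
        if (part[i] == "") continue
        # Keep the first 26 characters: room for " [client " plus a dotted
        # quad and its "]"; fine_filt strips whatever follows the address.
        print substr(part[i], 1, 26)
      }
    }' "$F" | sort -u
}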
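getdates() {
  # For every address reported by the probe scan, print the timestamp of each
  # line in any httpd error log that mentions it (one awk pass per address
  # over /var/log/httpd/err*, as before).
  #
  # Outputs: the 24 characters inside the leading brackets of each matching
  #          log line, one per line, grouped by address
  # Returns: status of the last awk run
  #
  # The address list is taken from the functions in this file rather than by
  # re-executing the script through a hand-edited "pathto$0" path, so no temp
  # file is written as a side effect and nothing needs to be configured.
  for x in $(all_sol | fine_filt); do
    # index() is a fixed-string match.  With "~" the address was used as a
    # regex, so its unescaped dots matched any character and 10.0.0.1 also
    # selected lines about 10x0y0z1.
    awk -v all="$x" '
      index($0, all) {
        print substr($0, 2, 24)
      }' /var/log/httpd/err*
  done
}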
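# Entry point.  "log_parser date" prints the timestamps of every hit per
# address; with no argument it prints the address list itself.
#
# The original wrote the list to the fixed path /tmp/queries and then cat'd
# it back.  A fixed name in a world-writable directory lets any local user
# pre-create that file or a symlink to it, so a scan run as root (it reads
# the httpd logs) would truncate whatever the link points at.  The list now
# goes straight to stdout; redirect it yourself if you want a copy.  In
# "date" mode the (stale) list is no longer appended after the timestamps.
if [ "$1" = "date" ]; then
  getdates
else
  all_sol | fine_filt
fi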
----------------------------------------------------end here
This is a free hack and should be tested before you use it.
It works for me, but if it blows up your machine I am not responsible.