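#!/usr/bin/perl
# Exploit Scan Monitor by bansh33 [www.r00tabega.com]
#
# Follows the Apache access_log and looks for indications of an exploit
# scan: one client requesting all three of /cgi-bin/phf,
# /cgi-bin/nph-test-cgi and /cgi-bin/whois_raw.cgi.  Every detection is
# appended as one line to a separate "exploit scan log".
#
# Maybe somebody wants to port this to an actual apache module?
# Catch me on EFNet in #r00tabega.
#
# Notes on this revision of the quick hack:
#   * strict/warnings, three-arg open with error checks, no bareword handles.
#   * Client addresses are compared as strings.  The original compared them
#     with `==`, which evaluates a dotted quad numerically up to the first
#     non-digit, so 10.1.1.1 and 10.2.2.2 compared equal -> false alerts.
#   * The log is followed incrementally (like tail -f) instead of re-reading
#     the whole file on every change.  The original re-scanned everything and
#     re-logged the same scan each time any line was appended, and spun at
#     100% CPU with no sleep between polls.
#   * Detection state is kept per client address, so requests from several
#     hosts cannot be combined into one bogus alert, and an alert for one
#     host never needs a later request from a different host to fire.
#   * Log rotation (new inode or truncated file) re-opens the access log.
#   * Lines already in the log at startup are scanned once, then only new
#     lines are examined.
use strict;
use warnings;
use IO::Handle;

# ---Set the following variables---
my $path    = "/var/log/httpd/access_log";
my $logfile = "/var/log/httpd/exploit_scan_log";

# Seconds to wait between polls when the access log has no new data.
my $poll_interval = 1;

# NOTE(review): do NOT make the scan log mode 777 as an earlier version of
# this header advised.  A world-writable file under /var/log lets any local
# user forge or erase scan records.  Create it owned by the account that runs
# this monitor (which must also be able to read access_log), mode 0640.

# The three CGI programs probed by the scanners this script is after.  A
# client that requests every one of them is reported as an exploit scan.
my @probes = ('/cgi-bin/phf', '/cgi-bin/nph-test-cgi', '/cgi-bin/whois_raw.cgi');

# Client address of one access_log line: the first whitespace-separated
# field (Common Log Format puts the remote host there).  Returns undef for a
# blank line.  The original split on '-' first, which mangled hostnames that
# contain a dash when HostnameLookups is on.
sub client_of {
    my ($line) = @_;
    my ($client) = split ' ', $line;
    return $client;
}

# Returns the elements of @probes that occur anywhere in $line.  This is a
# plain substring search, exactly as permissive as the original regex match:
# /cgi-bin/phfoo, or one of the paths appearing in a Referer field, counts.
sub probes_in {
    my ($line) = @_;
    return grep { index($line, $_) >= 0 } @probes;
}

# Opens the access log for reading, dying with the OS error on failure.
sub open_access {
    my ($file) = @_;
    open my $fh, '<', $file or die "cannot read $file: $!\n";
    return $fh;
}

print "Starting Exploit Scan Monitor [www.r00tabega.com]...\n";

open my $scan_log, '>>', $logfile or die "cannot append to $logfile: $!\n";
# Alerts must reach the file immediately: this process normally runs until
# it is killed, so a buffered write could be lost forever.
$scan_log->autoflush(1);

my $access = open_access($path);

print "Loaded. Process ID: $$\n";

# $seen{$client}{$probe} = 1 once $client has requested $probe.  Entries are
# dropped when the client is reported, so memory is bounded by the number of
# distinct hosts currently part-way through a scan.
my %seen;

# Stop cleanly on SIGINT/SIGTERM so the scan log is closed and flushed.
my $running = 1;
$SIG{INT} = $SIG{TERM} = sub { $running = 0 };

while ($running) {
    while (defined(my $line = <$access>)) {
        my $client = client_of($line);
        next unless defined $client;

        my @hits = probes_in($line);
        next unless @hits;

        $seen{$client}{$_} = 1 for @hits;
        next unless scalar(keys %{ $seen{$client} }) == scalar @probes;

        # a scan has been detected!@$*&^ heh
        my $stamp = localtime;    # replaces a shelled-out `date` per alert
        print {$scan_log} "---Exploit Scan Detected from $client on $stamp---\n";

        # Forget this client so a repeat scan from it is reported again,
        # mirroring the original's flag reset after an alert.
        delete $seen{$client};
    }

    # Reading hit EOF; clearing the EOF flag lets the next <$access> pick up
    # lines appended since.
    seek($access, 0, 1);
    sleep $poll_interval;

    # Re-open after log rotation: a different inode (rename-style rotation)
    # or a file shorter than our read offset (copytruncate).  A missing file
    # is left alone until it reappears.
    my @st = stat $path;
    if (@st && ($st[1] != (stat $access)[1] || $st[7] < tell $access)) {
        close $access;
        $access = open_access($path);
    }
}

close $access;
close $scan_log or die "error writing $logfile: $!\n";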