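#!/usr/bin/perl
#
# Watcher.cgi / WormSign.cgi
# A passive intrusion detection tool
# Written by The Rev. Dr. Jackal-Headed God
#
# Acts as the custom error page: the error code and the originally requested
# page arrive in QUERY_STRING as "code;request".  The script renders an HTML
# error page for the visitor and, for codes listed in @mailtrigger, drops an
# alert message into the SMTP pickup directory.
#
# NOTE(review): the original source was recovered with its HTML markup
# stripped; returnHTML below reproduces the visible text inside a minimal
# page skeleton, so the site template has to be re-applied there.

use strict;
use warnings;

# Configuration Stuff
#
my $recipient        = "admin\@opiwqeoip.com";
my @cclist           = ("someone\@opiwqeoip.com", "someone_else\@opiwqeoip.com");
my $smtp_server_name = "xxx.xxx.146.8";        # not referenced; delivery is via the pickup directory
my $smtp_pickup_path = "c:\\inetpub\\mailroot\\pickup\\";
my $errorCode        = "1013";                 # Catch-all error code
my $request          = "unknown_error";        # Catch-all code part deux

# What HTTP errors should trigger an e-mail alert?
my @mailtrigger = ("400", "401", "403", "405", "406", "407", "412", "414", "500", "502", "1013");

# Error codes and descriptions returned to the user ("name|description").
my %errors = (
    "400"    => "Bad request|Due to malformed syntax, the request could not be understood by the server. The client should not repeat the request without modifications.",
    "401"    => "Unauthorized: Logon Failed|This error indicates that the credentials passed to the server do not match the the credentials required to log on to the server. Please contact the Web server's administrator to verify that you have permission to access the requested resource.",
    "401.1"  => "Unauthorized: Logon Failed|This error indicates that the credentials passed to the server do not match the credentials required to log on to the server. Please contact the Web server's administrator to verify that you have permission to access the requested resource.",
    "401.2"  => "Unauthorized: Logon Failed due to server configuration|This error indicates that the credentials passed to the server do not match the credentials required to log on to the server. This is usually caused by not sending the proper WWW-Authenticate header field. Please contact the Web server's administrator to verify that you have permission to access the requested resource.",
    "401.3"  => "Unauthorized: Unauthorized due to ACL on resource|This error indicates that the credentials passed to the server do not match the credentials required to log on to the server. This resource could be either the page or file listed in the address line of the client, or it could be another file on the server that is needed to process the file listed on the address line of the client. Please make a note of the entire address you were trying to access and then contact the Web server's administrator to verify that you have permission to access the requested resource.",
    "401.4"  => "Unauthorized: Authorization failed by filter|This error indicates that the Web server has a filter program installed to verify users connecting to the server. The authorization used to connect to the server was denied access by this filter program. Please make a note of the entire address you were trying to access and then contact the Web server's administrator to verify that you have permission to access the requested resource.",
    "401.5"  => "Unauthorized: Authorization failed by ISAPI/CGI app|This error indicates that the address on the Web server you attempted to use has an ISAPI or CGI program installed that verifies user credentials before proceeding. The authentication used to connect to the server was denied access by this program. Please make a note of the entire address you were trying to access and then contact the Web server's administrator to verify that you have permission to access the requested resource.",
    "403"    => "Access Forbidden|Access to this URL is not allowed. Please use the 'Back' button on your browser, or select a link from the navigation sidebar to the left.",
    "403.1"  => "Forbidden: Execute Access Forbidden|This error can be caused if you try to execute a CGI, ISAPI, or other executable program from a directory that does not allow programs to be executed. Please contact the Web server's administrator if the problem persists.",
    "403.10" => "Access Forbidden: Invalid Configuration|There is a configuration problem on the Web server at this time. Please contact the Web server's administrator if the problem persists.",
    "403.11" => "Access Forbidden: Password Change|This error can be caused if the user has entered the wrong password during authentication. Please refresh the page and try again. Please contact the Web server's administrator if the problem persists.",
    "403.12" => "Access Forbidden: Mapper Denied Access|Your client certificate map has been denied access to this Web site. Please contact the site administrator to establish client certificate permissions. You can also change your client certificate and retry, if appropriate.",
    "403.2"  => "Forbidden: Read Access Forbidden|This error can be caused if there is no default page available and directory browsing has not been enable for the directory, or if you are trying to display an HTML page that resides in a directory marked for Execute or Script permissions only. Please contact the Web server's administrator if the problem persists.",
    "403.3"  => "Forbidden: Write Access Forbidden|This error can be caused if you attempt to upload to, or modify a file in, a directory that does not allow Write access. Please contact the Web server's administrator if the problem persists.",
    "403.4"  => "Forbidden: SSL required|This error indicates that the page you are trying to access is secured with Secure Sockets Layer (SSL). In order to view it, you need to enable SSL by typing 'https://' at the beginning of the address you are attempting to reach. Please contact the Web server's administrator if the problem persists.",
    "403.5"  => "Forbidden: SSL 128 required|This error message indicates that the resource you are trying to access is secured with a 128-bit version of Secure Sockets Layer (SSL). In order to view this resource, you need a browser that supports this level of SSL. Please confirm that your brower supports 128-bit SSL security. If it does, then contact the Web server's administrator and report the problem.",
    "403.6"  => "Forbidden: IP address rejected|This error is caused when the server has a list of IP addresses that are not allowed to access the site, and the IP address you are using is in this list. Please contact the Web server's administrator if the problem persists.",
    "403.7"  => "Forbidden: Client certificate required|This error occurts when the resource you are attempting to access requires your browser to have a client Secure Sockets Layer (SSL) certificate that the server recognizes. This is used for authenticating you as a valid user of the resource. Please contact the Web server's administrator if the problem persists.",
    "403.8"  => "Forbidden: Site access denied|This error can be caused if the Web server is not servicing requests, or if you do not have permission to connect to the site. Please contact the Web server's administrator if the problem persists.",
    "403.9"  => "Access Forbidden: Too many users are connected|This error can be caused if the Web server is busy and cannot process your request due to heavy traffic. Please try to connect again later. Please contact the Web server's administrator if the problem persists.",
    "403.14" => "Access Forbidden|Directory listings are not allowed. Please use the 'Back' button on your browser, or select a link from the navigation sidebar to the left.",
    "404"    => "Page Not Found|The server could not locate the page that you requested.",
    "405"    => "Method Not Allowed|The method specified in the Request Line is not allowed for the resource identified by the request. Please ensure that you have the proper MIME type set up for the resource you are requesting. Please contact the Web server's administrator if the problem persists.",
    "406"    => "Not Acceptable|The resource identified by the request can only generate response entities that have content characteristics that are 'not acceptable' according to the Accept headers sent in the request. Please contact the Web server's administrator if the problem persists.",
    "407"    => "Proxy Authentication Required|You must authenticate with a proxy server before this request can be serviced. Please log on to your proxy server, and then try again. Please contact the Web server's administrator if the problem persists.",
    "412"    => "Preconditino Failed|The precondition given in one or more of the Request header fields evaluated to FALSE when it was tested on the server. The client placed perconditions on the current resource metainformation (header field data) to prevent the requested method from being applied to a resource other than the one intended. Please contact the Web server's administrator if the problem persists.",
    # NOTE: the 414 text ends mid-sentence in the original.
    "414"    => "Request-URL Too Long|The server is refusing to service the request because the Request-URI is too long. This rare condition is likely to occur only in the following situations:",
    "500"    => "Internal Server Error|The Web server is incapable of performing the request. Please try your request again later. Please contact the Web server's administrator if the problem persists.",
    "501"    => "Not Implemented|The Web server does not support the functionality required to fulfill the request. Please check your URL for errors, and contact the Web server's administrator if the problem persists.",
    "502"    => "Bad Gateway|The server, while acting as a gateway or proxy, received an invalid response from the upstream server it accessed in attempted to fulfill the request. Please contact the Web server's administrator if the problem persists.",
    "1013"   => "Something Bizarre Just Happened|A really bizarre error has occurred. I have no idea what you just did, but I'll certainly try to figure it out.",
);

# Filled in by getError / getDateTime, read by returnHTML and writeMail.
my ($errorName, $errorDesc, $datetime);

getError();
getDateTime();
returnHTML();
writeMail();

# Subroutines

# Parse "code;request" out of QUERY_STRING and look the code up in %errors.
# Sets $errorCode, $request, $errorName and $errorDesc.
sub getError {
    if ($ENV{'QUERY_STRING'}) {
        ($errorCode, $request) = split /;/, $ENV{'QUERY_STRING'}, 2;
    }

    # The code is client-supplied.  Anything that is not a key of %errors
    # collapses to the catch-all entry, so from here on $errorCode is always a
    # known key and cannot carry arbitrary text into the page or the mail
    # Subject header.  The raw value is still recorded via QUERY_STRING in
    # the alert body.
    $errorCode = "1013" unless defined $errorCode && exists $errors{$errorCode};
    $request   = "unknown_error" unless defined $request && length $request;

    ($errorName, $errorDesc) = split /\|/, $errors{$errorCode}, 2;
    return;
}

# Format the current time as "m/d/yyyy at h:mm am|pm CST" into $datetime.
sub getDateTime {
    # Fixed offset: GMT - 6 hours (21600 seconds) = CST.  This does not track
    # daylight saving time, so the label is only exact while CST is in effect.
    my ($sec, $min, $hour, $mday, $mon, $year) = gmtime(time - 21600);

    $year += 1900;                        # gmtime() returns years since 1900

    my $ampm = $hour < 12 ? "am" : "pm";
    $hour %= 12;                          # 13..23 -> 1..11
    $hour = 12 if $hour == 0;             # 0 -> 12 am, 12 -> 12 pm

    $datetime = sprintf("%d/%d/%d at %d:%02d %s CST",
                        $mon + 1, $mday, $year, $hour, $min, $ampm);
    return;
}

# Escape text for safe inclusion in HTML element content.
sub _html_escape {
    my ($text) = @_;
    $text = "" unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#39;/g;
    return $text;
}

# Send the error page to the visitor.  $request comes straight from the
# client's query string, so every interpolated value is HTML-escaped.
sub returnHTML {
    my $safe_name = _html_escape($errorName);
    my $safe_desc = _html_escape($errorDesc);
    my $safe_code = _html_escape($errorCode);
    my $safe_req  = _html_escape($request);

    print "Content-type: text/html\r\n\r\n";
    # NOTE(review): minimal skeleton standing in for the stripped original
    # markup; only the text and its order are from the original.
    print "<html>\n<head>\n<title>Error: $safe_name ($safe_code)</title>\n</head>\n<body>\n";
    print "<p>An error has occurred. Details are provided below:</p>\n";
    print "<p><b>$safe_name ($safe_code)</b></p>\n";
    print "<p>$safe_desc</p>\n";
    print "<p>If you continue having difficulties, please contact the webmaster. "
        . "Be sure to specify the error code ($safe_code) and the page you were trying to access ($safe_req).</p>\n";
    print "</body>\n</html>\n";
    return;
}

# Return an environment variable, or "" when it is not set, so the alert
# body never interpolates undef.
sub _env {
    my ($key) = @_;
    return defined $ENV{$key} ? $ENV{$key} : "";
}

# Write an alert message into the SMTP pickup directory when $errorCode is
# one of the configured trigger codes.
sub writeMail {
    # First, check the list of trigger errors.
    return unless grep { $_ eq $errorCode } @mailtrigger;

    my $server_name = lc(_env('COMPUTERNAME'));
    my $from_name   = "$server_name Watcher";
    my $from_email  = "$server_name\@opiwqeoip.com";
    # $errorCode and $errorName are both from %errors by now (see getError),
    # so no client-controlled text reaches the header block.
    my $subject     = "$server_name.opiwqeoip.com Server Error ($errorCode $errorName)";

    # NOTE(review): a 0..999 suffix plus append mode means two near-simultaneous
    # alerts can land in the same file and be delivered as one message.
    my $random   = int(rand(1000));
    my $tempfile = "watcher_$random.txt";
    my $path     = "$smtp_pickup_path$tempfile";

    open my $tmp, '>>', $path or die "Cannot open $path: $!";

    print {$tmp} "x-sender: $from_email\n";
    print {$tmp} "x-receiver: $recipient\n";
    foreach my $ccaddress (@cclist) {
        print {$tmp} "x-receiver: $ccaddress\n";
    }
    print {$tmp} "To: $recipient\n";
    print {$tmp} "CC: " . join(", ", @cclist) . "\n";   # comma-separated per RFC 822
    print {$tmp} "From: $from_name <$from_email>\n";
    print {$tmp} "Subject: $subject\n";
    print {$tmp} "\r\n";

    print {$tmp} "A server error occurred on $datetime. Details below.\n";
    print {$tmp} "------------------------------------------------------------------------------------\n";
    print {$tmp} "This error message was returned to the user:\n\n";
    print {$tmp} "$errorName ($errorCode)\n\n$errorDesc\n";
    print {$tmp} "------------------------------------------------------------------------------------\n";

    print {$tmp} "\nREQUEST INFO\n----------------\n";
    print {$tmp} "Referrer: " . _env('HTTP_REFERER') . "\n";
    print {$tmp} "Request: $request\n";
    print {$tmp} "Query String: " . _env('QUERY_STRING') . "\n";
    print {$tmp} "Method: " . _env('REQUEST_METHOD') . "\n";
    print {$tmp} "Port: " . _env('SERVER_PORT') . "\n";
    print {$tmp} "Protocol: " . _env('SERVER_PROTOCOL') . "\n";
    print {$tmp} "\r\n";

    print {$tmp} "\nUSER INFO\n----------------\n";
    print {$tmp} "Remote address: " . _env('REMOTE_ADDR') . "\n";
    print {$tmp} "Remote host: " . _env('REMOTE_HOST') . "\n";
    print {$tmp} "User Agent: " . _env('HTTP_USER_AGENT') . "\n";
    print {$tmp} "Remote Ident: " . _env('REMOTE_IDENT') . "\n";        # was 'REMOTE IDENT' (never set)
    print {$tmp} "Remote User: " . _env('REMOTE_USER') . "\n";
    print {$tmp} "Authorization Type: " . _env('AUTH_TYPE') . "\n";
    print {$tmp} "\r\n";

    print {$tmp} "\nRESPONSE INFO\n----------------\n";
    print {$tmp} "Script name: " . _env('SCRIPT_NAME') . "\n";
    print {$tmp} "Content Length: " . _env('CONTENT_LENGTH') . "\n";
    print {$tmp} "Content Type: " . _env('CONTENT_TYPE') . "\n";
    print {$tmp} "Path Info: " . _env('PATH_INFO') . "\n";
    print {$tmp} "Translated Path: " . _env('PATH_TRANSLATED') . "\n";
    print {$tmp} "\r\n";

    print {$tmp} "\nSERVER INFO\n----------------\n";
    print {$tmp} "Server Name: " . _env('SERVER_NAME') . "\n";
    print {$tmp} "Computer Name: " . _env('COMPUTERNAME') . "\n";
    print {$tmp} "Gateway Interface: " . _env('GATEWAY_INTERFACE') . "\n";
    print {$tmp} "Server Software: " . _env('SERVER_SOFTWARE') . "\n";  # was 'SERVER SOFTWARE' (never set)
    print {$tmp} "System Drive: " . _env('SYSTEMDRIVE') . "\n";
    print {$tmp} "System Root: " . _env('SYSTEMROOT') . "\n";
    print {$tmp} "Windows Directory: " . _env('WINDIR') . "\n";
    print {$tmp} "User Profile: " . _env('USERPROFILE') . "\n";
    print {$tmp} "Path: " . _env('PATH') . "\n";
    print {$tmp} "\r\n";

    # Buffered write errors only surface at close.
    close $tmp or die "Cannot close $path: $!";
    return;
}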