warnisp - The warner of the ISPs of infected hosts
warnisp.pl
Warnisp.pl is a Perl script that parses the output logfile of
wormwarner.pl. For the hosts it could not warn it tries to find
the correct email address of the ISP to warn. If it finds such an email
address it sends a mail to the ISP and BCCs it to the sender.
The email is sent using the local mail server. On start up warnisp.pl puts
itself in the background to run as a daemon.
Configuration files are standard ascii(7) text files that may be created or
edited using any standard editor. Blank lines and lines that begin with a
pound sign ('#') are ignored. Any other lines are considered to be
configuration lines, and have the form ``Keyword=Value'', where 'Keyword'
is one of the currently available configuration keywords defined below, and
'Value' is the value to assign to that particular option. The file
wormwarner.conf provided with the distribution contains useful documentation
and an example as well. The configuration file must exist in the same
directory as warnisp.pl and must be called wormwarner.conf.
General Configuration Keywords
- accesslog
  The location of the access log of the Apache server. The default
  value is /var/log/httpd/access_log.
- attack
  If this option is set to an integer value not equal to 0 then
  warnisp.pl also watches the access log for attacks. Currently the
  following attacks are recognized:
    - sfind.exe scans
    - some IIS unicode exploits not used by worms
    - proxy scans (CONNECT)
    - GET NULL.printer
    - ATD - Mass Exploiter
    - Nikto/Whisker hex-encoded cgi-bin scans
- database
  The location of the database with statistics about the scans we have seen.
- hostname
  The hostname of the sending host. The default value is the result of
  (gethostbyname 'localhost')[0]. The IP of this host is included in messages
  to the ISP.
- firewallcommand
  The command to execute for every host that is infected or has attacked us.
  $IP$ in the command is substituted with the IP address of that host. Note that
  you might have to use the full path to the command. Also make sure
  that you have enough permissions to execute the command.
- sender
  The email address of the sender of the warning messages. The default
  value is postmaster@hostname.
- logfile
  The file from which to read the wormwarner output.
  The default value is warner.log.
- ipinfo
  The location of the ipinfo file. Note: you have to set this here or
  specify it on the command line.
- isplog
  The file to write the results of the ISP warning actions to. Note that
  the items on which we did not have to take action, or for which we could not
  find an ISP, are written as read from the wormwarner logfile.
- pending_user
  The number of days that have to elapse before we send a complaint to
  the ISP when we see a new scan in our logs from the same IP and we succeeded in
  warning the user.
- pending_isp
  The number of days that have to elapse before we send a new complaint
  to the ISP when we see a new scan in our logs from the same IP.
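The following is an added example, not code from the warnisp distribution: it parses a wormwarner.conf-style file as described above (Keyword=Value, '#' and blank lines ignored, the documented defaults filled in, ipinfo required), expands $IP$ in firewallcommand only after checking the value is a real IPv4 address, and applies the pending_user/pending_isp thresholds to a repeat sighting. The sample configuration, the function names and the 'user'/'isp' action labels are this example's own assumptions.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample in the wormwarner.conf format described above (not the
# file shipped with the distribution).
SAMPLE_CONF = """\
# comment lines and blank lines are ignored
accesslog = /var/log/httpd/access_log

hostname=scanner.example.net
firewallcommand=/sbin/iptables -I INPUT -s $IP$ -j DROP
ipinfo=/usr/local/etc/ipinfo
pending_user=7
pending_isp=14
"""

def parse_conf(text):
    """Parse Keyword=Value lines and fill in the defaults the man page documents."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected Keyword=Value, got {raw!r}")
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    conf.setdefault("accesslog", "/var/log/httpd/access_log")
    conf.setdefault("logfile", "warner.log")
    conf.setdefault("sender", "postmaster@" + conf.get("hostname", "localhost"))
    if "ipinfo" not in conf:
        raise ValueError("ipinfo must be set in the config file or on the command line")
    return conf

def firewall_command(conf, ip):
    """Expand $IP$ in firewallcommand. The IP comes from an untrusted access log,
    so insist on a plain IPv4 address before it goes anywhere near a shell."""
    ipaddress.IPv4Address(ip)          # ValueError for anything that is not a dotted quad
    return conf["firewallcommand"].replace("$IP$", ip)

def isp_complaint_due(conf, last_action, last_action_date, today):
    """Apply pending_user ('user' warned last) or pending_isp ('isp' warned last)
    to a new scan from a known IP; dates are ISO strings, unseen IPs are always due."""
    if last_action is None:
        return True
    wait = int(conf["pending_user" if last_action == "user" else "pending_isp"])
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_action_date)
    return elapsed >= timedelta(days=wait)
```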
wormwarner(1)
Written by Jeroen van Nieuwenhuizen.
Report bugs to <jnieuwen@softhome.net>
Copyright (C) 2002-2003 by Jeroen van Nieuwenhuizen. Distributed
under the GNU GPL. See the file ``LICENSE'', supplied with the distribution
for additional information.