NAME

wormwarner - The warner of infected hosts


SYNOPSIS

wormwarner.pl


DESCRIPTION

Wormwarner is a Perl script that scans Apache log files for signs of hosts infected with Internet worms such as CodeRed. When it finds a sign of infection, it tries to send a warning mail to the postmaster at the infected host. On startup, wormwarner puts itself in the background to run as a daemon.


CONFIGURATION FILE

Configuration files are standard ascii(7) text files that may be created or edited using any standard editor. Blank lines and lines that begin with a pound sign ('#') are ignored. Any other lines are considered to be configuration lines, and have the form ``Keyword=Value'', where 'Keyword' is one of the currently available configuration keywords defined below, and 'Value' is the value to assign to that particular option. The file wormwarner.conf provided with the distribution contains useful documentation and an example as well. The configuration file must be called wormwarner.conf and must exist in the same directory as wormwarner.pl.

General Configuration Keywords

hostname
The hostname of the sending host. The default value is the result of (gethostbyname 'localhost')[0]. The IP of this host is included in messages to the ISP.

sender
The email address of the sender of the warning messages.

accesslog
The location of the access log of the Apache server. The default

database
The location of the database with statistics about the scans we have seen.

ssllog
The location of the SSL log of the Apache server.

errorlog
The location of the error log of the Apache server.

logfile
The file to write the results to.

pending_user
The number of days that must elapse before we send a complaint to the ISP when we see a new scan in our logs from the same IP and we succeeded in warning the user.

pending_isp
The number of days that must elapse before we send a new complaint to the ISP when we see a new scan in our logs from the same IP.
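
The configuration format and the pending_isp threshold described above, shown as an added Perl example that is not code from wormwarner.pl or its distribution. The strict ``Keyword=Value'' match, the rejection of unknown keywords, treating a never-reported IP as due, and all sample values are assumptions.

```perl
# Added example, not part of wormwarner.pl: parse the documented
# Keyword=Value format and apply a pending_isp style day threshold.
use strict;
use warnings;

# Keywords documented on this page.
my %known = map { $_ => 1 } qw(hostname sender accesslog database ssllog
                               errorlog logfile pending_user pending_isp);

# Parse configuration text; returns (\%config, \@errors).
sub parse_config {
    my ($text) = @_;
    my (%conf, @errors);
    my $n = 0;
    for my $line (split /\n/, $text) {
        $n++;
        next if $line =~ /^\s*$/;    # blank lines are ignored
        next if $line =~ /^#/;       # lines beginning with '#' are ignored
        my ($key, $value) = $line =~ /^(\w+)=(.*)$/;
        if (!defined $key) { push @errors, "line $n: not Keyword=Value"; next }
        if (!$known{$key}) { push @errors, "line $n: unknown keyword '$key'"; next }
        if ($key =~ /^pending_/ && $value !~ /^\d+$/) {
            push @errors, "line $n: $key must be a whole number of days";
            next;
        }
        $conf{$key} = $value;
    }
    return (\%conf, \@errors);
}

# True when at least $days days separate the last complaint from the new scan.
sub interval_elapsed {
    my ($last_epoch, $scan_epoch, $days) = @_;
    return 1 unless defined $last_epoch;    # assumed: no earlier complaint means due
    return ($scan_epoch - $last_epoch) >= $days * 86400 ? 1 : 0;
}

# Constructed sample configuration; the last two lines are deliberately invalid.
my $sample = <<'END';
# wormwarner.conf (constructed sample)
sender=abuse@example.org
accesslog=/var/log/apache/access_log

pending_isp=7
pending_user=seven
colour=blue
END
my ($conf, $errors) = parse_config($sample);
print "$_=$conf->{$_}\n" for sort keys %$conf;
print "error: $_\n" for @$errors;
my $last = 1_000_000_000;    # constructed timestamp of the previous complaint
printf "3 days later: %d, 8 days later: %d\n",
    map { interval_elapsed($last, $last + $_ * 86400, $conf->{pending_isp}) } 3, 8;
```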


AUTHOR

Written by Jeroen van Nieuwenhuizen.


REPORTING BUGS

Report bugs to <jnieuwen@softhome.net>


COPYRIGHT

Copyright (C) 2002-2003 by Jeroen van Nieuwenhuizen. Distributed under the GNU GPL. See the file ``LICENSE'', supplied with the distribution for additional information.