script to get unique IP's of all Sanity.A worms for blocking

frankoamiricano · Post by **frankoamiricano** » Tue Jan 25, 2005 4:21 am

The below code will help you get a clean block list on who has the sanity worm and is hitting you, you can then adapt to put that IP in a block list.

Code: Select all

#!/bin/bash

# this is the log file with the messy poo poo in it
FILE="/var/log/httpd/access_log"

# not sure this is the best way to find the bad lines, could be aggressive, I think not
grep '(chr(' $FILE > /tmp/sanity

#Get just the IP from the file
cat /tmp/sanity | awk '{ print $2}' > /tmp/sanity_ip

# get just the unique list
sort -u /tmp/sanity_ip > ~/sanity_unique.txt

# wipe after done
rm /tmp/sanity /tmp/sanity_ip

What I would really like to do is find a way to get the log lines out of my main log, I used a rewrite condition from someone else, and it is blocking the traffic, but my logs are getting muddy and large.

espicom · Post by **espicom** » Tue Jan 25, 2005 4:52 am

Unfortunately, your script makes some assumptions about the log file format that might not be true... in my case, the IP is the FIRST field in the string, not the second. The result of the script, as written, is "-"...

frankoamiricano · Post by **frankoamiricano** » Tue Jan 25, 2005 5:13 am

espicom wrote: Unfortunately, your script makes some assumptions about the log file format that might not be true... in my case, the IP is the FIRST field in the string, not the second. The result of the script, as written, is "-"...

Sorry about that, yes, this is more for a virtual host log format, but changing the field $ should be pretty simple, if anyone gets stuck, let me know.

advertisements