script to get unique IP's of all Sanity.A worms for blocking

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
frankoamiricano
Registered User
Posts: 73
Joined: Thu Apr 11, 2002 3:24 am


Post by frankoamiricano »

The code below will help you get a clean block list of who has the Sanity worm and is hitting you; you can then adapt it to put those IPs in a block list.

Code:

#!/bin/bash

# this is the log file with the messy poo poo in it
FILE="/var/log/httpd/access_log"

# field holding the client IP: 2 for a virtual host log format ("vhost ip - - [date] ..."),
# 1 for the stock common/combined format where the IP comes first
IPFIELD=2

# scratch files: mktemp instead of fixed names under /tmp, so another local
# user cannot pre-create or symlink them
TMP1=$(mktemp) || exit 1
TMP2=$(mktemp) || exit 1

# not sure this is the best way to find the bad lines, could be aggressive, I think not
# -F treats '(chr(' as a literal string rather than a regex
grep -F '(chr(' "$FILE" > "$TMP1"

# Get just the IP from the file
awk -v f="$IPFIELD" '{ print $f }' "$TMP1" > "$TMP2"

# get just the unique list
sort -u "$TMP2" > ~/sanity_unique.txt

# wipe after done
rm -f "$TMP1" "$TMP2"

What I would really like to do is find a way to get the log lines out of my main log. I used a rewrite condition from someone else, and it is blocking the traffic, but my logs are getting muddy and large.
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

Unfortunately, your script makes some assumptions about the log file format that might not be true... in my case, the IP is the FIRST field in the string, not the second. The result of the script, as written, is "-"... :)
frankoamiricano
Registered User
Posts: 73
Joined: Thu Apr 11, 2002 3:24 am

Post by frankoamiricano »

espicom wrote: Unfortunately, your script makes some assumptions about the log file format that might not be true... in my case, the IP is the FIRST field in the string, not the second. The result of the script, as written, is "-"... :)


Sorry about that. Yes, this is more for a virtual host log format, but changing the field $ should be pretty simple; if anyone gets stuck, let me know.
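The extraction from the first post, reworked as an added example (not code from the original thread) so that it copes with both log layouts raised in the replies: the client IP is taken as the first of the leading two fields that looks like a dotted quad, instead of a hard-coded awk field number. The log lines, the `q=` query parameter, the IP addresses and the `worm_ips` / `run_sample` function names are all constructed for the example; only the `(chr(` signature comes from the thread.

```bash
#!/bin/bash
# Added example, not code from the original thread: pull the unique client IPs
# of requests carrying the '(chr(' signature out of an Apache access log while
# handling both layouts discussed above (IP in field 1 for the stock
# common/combined format, IP in field 2 when a vhost name is prepended).

# Constructed sample log (not real traffic): three combined-format lines, two
# vhost-prefixed lines, one benign request that must not match, one repeated
# client, and one request whose URL itself contains an IP-looking string.
SAMPLE_LOG='10.0.0.5 - - [21/Dec/2004:10:00:01 +0000] "GET /viewtopic.php?t=1&q=system(chr(99)) HTTP/1.0" 200 512 "-" "-"
10.0.0.5 - - [21/Dec/2004:10:00:02 +0000] "GET /viewtopic.php?t=2&q=system(chr(100)) HTTP/1.0" 200 512 "-" "-"
www.example.com 192.0.2.44 - - [21/Dec/2004:10:00:03 +0000] "GET /viewtopic.php?t=3&q=system(chr(119)) HTTP/1.0" 200 512 "-" "-"
forum.example.org 198.51.100.7 - - [21/Dec/2004:10:00:04 +0000] "GET /viewtopic.php?t=4&q=readfile(chr(47)) HTTP/1.0" 200 512 "-" "-"
203.0.113.9 - - [21/Dec/2004:10:00:05 +0000] "GET /viewtopic.php?t=5 HTTP/1.0" 200 4096 "-" "Mozilla/5.0"
203.0.113.77 - - [21/Dec/2004:10:00:06 +0000] "GET /x?ip=9.9.9.9&q=(chr(1)) HTTP/1.0" 200 512 "-" "-"'

# worm_ips SIGNATURE LOGFILE
# Prints the unique client IPs of every line containing SIGNATURE (matched as
# a literal string, so the parentheses need no escaping).
worm_ips() {
    grep -F -- "$1" "$2" \
    | awk '{
        # Only the first two fields can hold the client address ("ip ..." or
        # "vhost ip ..."); scanning further would risk picking up an IP that
        # appears inside the request URL or referer instead of the client.
        for (i = 1; i <= NF && i <= 2; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; break }
      }' \
    | LC_ALL=C sort -u
}

# Write the constructed sample to a mktemp file and run the extraction on it.
run_sample() {
    local tmp
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    worm_ips '(chr(' "$tmp"
    rm -f "$tmp"
}

run_sample
```

On the sample this prints 10.0.0.5, 192.0.2.44, 198.51.100.7 and 203.0.113.77, one per line: the duplicate 10.0.0.5 is collapsed, the vhost-prefixed lines yield the address rather than the hostname or a "-", the benign request is skipped, and 9.9.9.9 from inside a URL is not mistaken for a client. The dotted-quad check ignores IPv6 clients, so extend the pattern if your log has them. For the question at the end of the first post, keeping these lines out of the main log, Apache's `SetEnvIf` directive combined with a `CustomLog ... env=!name` condition can send matching requests to a separate file; that is a standard Apache feature, not something the thread itself shows.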