#!/usr/bin/perl -w
# riplog-v4.pl
# INFO: revised
# This script uses smbmount to reach a remote NT web server's IIS log files and
# scans them for known attack signatures; every hit is appended to the dump file
# (default dump.out, see the -u and -o options).

# NOTE: Add entries to @vuln_array to check for more signatures, or remove the
# ones you do not need. Entries are used as regex fragments, not literal strings.

# If you would like to watch logs do: tail -f -n 20 ~$username/dump.out
# Or just use the -l arg and log to $PATH_OF_CHOICE

# by: Christopher M Downs
# http://angrypacket.com
# dmuz,Methodic,enz00+crew -> WoOP

# Sample of Standard out.
# ----------------------
#Found: ex011015.log
#Possible Attack:-> /default.ida? Status: LOGGED
#Found: ex011016.log
#Possible Attack:-> /default.ida? Status: LOGGED
#Found: ex011017.log
#Possible Attack:-> /default.ida? Status: LOGGED
#Possible Attack:-> ../.. Status: LOGGED
#Possible Attack:-> ../.. Status: LOGGED
#Possible Attack:-> ../.. Status: LOGGED
#Found: ex011018.log
#Found: ex011019.log
# ----------------------

# Clear the terminal before any output. This shells out to the external
# "clear" command (a fixed string, no user input) and ignores its result.
system("clear");
#NOTE -> make sure you have Term::ANSIColor installed
# for pretty output (it is a core module since Perl 5.6).
use Term::ANSIColor;
# Getopt::Std ships with the standard Perl distribution.
use Getopt::Std;

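# Gather the command-line options. Parsing and acting are separated so the
# order of the flags does not matter: -? always wins (it prints help and
# exits before anything else happens), defaults are filled in after every
# flag has been seen, and the SMB mount only runs once -t/-u are known.
getopts("t:u:m:l:o:?", \%args);

if ($args{"?"}) {
    usage();    # never returns
}
if ($args{t}) {
    $target = $args{t};
}
if ($args{u}) {
    $username = $args{u};
    $outputfile = "/home/$username/dump.out";
}
if ($args{l}) {
    $localdir = $args{l};
}
if ($args{o}) {
    $outputfile = $args{o};    # -o overrides the -u derived default
}
# Without -u or -o there was no output path at all and the first hit died
# inside printToLog(); fall back to dump.out in the current directory.
$outputfile = "dump.out" unless defined $outputfile;

if ($args{m}) {
    $mountpoint = $args{m};
    # smbmount() builds the share name from $target, so refuse to run
    # without one rather than trying to mount "///C$".
    die "-m requires -t <target machine>\n" unless defined $target;
    smbmount();
}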

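# Mount the target's administrative C$ share on $mountpoint with smbmount.
# Reads the globals $target, $mountpoint and $username (all taken from the
# command line). The arguments are passed as a list so no shell ever sees
# them; the old single-string form let a crafted -t/-m/-u value inject
# shell syntax. Dies if smbmount cannot be started or exits non-zero,
# because the log directory lookup that follows would otherwise fail with
# a confusing "Cannot open" error instead.
sub smbmount {
    print "\t\tStarting Riplog-v4.pl\n";
    print "\t\t---------------------\n";
    print "Mounting: $target\n";
    my $rc = system("smbmount", "//$target/C\$", $mountpoint, "-o", "username=$username");
    if ($rc == -1) {
        die "Fatal: could not run smbmount: $!\n";
    }
    if ($rc != 0) {
        die "Fatal: smbmount //$target/C\$ on $mountpoint failed (exit " . ($rc >> 8) . ")\n";
    }
}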

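# Attack signatures. Each entry is matched against every log line as
#   /(?:GET|POST) <entry> /i
# with the entry interpolated UNESCAPED, so regex metacharacters in it are
# live: "." matches any character and a trailing "?" makes the preceding
# character optional (that is why "/default.ida?" hits "GET /default.ida "
# lines). Keep that in mind when adding entries: one per line, no spaces.
# Compared with the earlier list, the duplicated "/scripts/..%c0%af../"
# entry and two misspelled duplicates ("/_vti_pwd/...", "/scripts/issadmin/...")
# are gone so a hit is only logged once, and the ColdFusion sample paths use
# the directory name /cfdocs/expeval/ under which those samples are shipped
# (they were spelled "expelval"/"expelvel" and could never match) - verify
# against your own ColdFusion install if in doubt.
@vuln_array = qw(
    /cmd.exe
    /scripts/..%c0%af../
    /scripts/..%c1%1c../
    /scripts/..%c0%9v../
    /scripts/..%c0%qf../
    /scripts/..%c1%8s../
    /scripts/..%c1%9c../
    /scripts/..%c1%pc../
    :3052/../../../../../WINNT/repair/
    /winnt/system32/tftp.exe
    /default.ida?
    /whisker.ida
    /whisker.idq
    /whisker.idc
    /whisker.htw
    /whisker.htr
    /winnt/system32/cmd.exe?
    /cgi-bin/rwwwshell.pl
    /cgi-bin/unlg1.1
    /cgi-bin/unlg1.2
    /cgi-bin/gH.cgi
    /cgi-bin/phf
    /cgi-bin/Count.cgi
    /cgi-bin/test-cgi
    /cgi-bin/nph-test-cgi
    /cgi-bin/nph-publish
    /cgi-bin/php.cgi
    /cgi-bin/php
    /cgi-bin/handler
    /cgi-bin/webgais
    /cgi-bin/websendmail
    /cgi-bin/webdist.cgi
    /cgi-bin/faxsurvey
    /cgi-bin/htmlscript
    /cgi-bin/pfdisplay.cgi
    /cgi-bin/perl.exe
    /cgi-bin/perl
    /cgi-bin/wwwboard.pl
    /cgi-bin/wwwboard.cgi
    /cgi-bin/www-sql
    /cgi-bin/view-source
    /cgi-bin/campas
    /cgi-bin/aglimpse
    /cgi-bin/glimpse
    /cgi-bin/man.sh
    /cgi-bin/AT-admin.cgi
    /cgi-bin/filemail.pl
    /cgi-bin/maillist.pl
    /cgi-bin/jj
    /cgi-bin/info2www
    /cgi-bin/files.pl
    /cgi-bin/finger
    /cgi-bin/bnbform.cgi
    /cgi-bin/survey.cgi
    /cgi-bin/AnyForm2
    /cgi-bin/textcounter.pl
    /cgi-bin/classifieds.cgi
    /cgi-bin/environ.cgi
    /cgi-bin/wrap
    /cgi-bin/cgiwrap
    /cgi-bin/guestbook.cgi
    /cgi-bin/guestbook.pl
    /cgi-bin/edit.pl
    /cgi-bin/perlshop.cgi
    /cgi-bin/webbbs.cgi
    /cgi-bin/whois_raw.cgi
    /cgi-bin/AnyBoard.cgi
    /cgi-bin/dumpenv.pl
    /_vti_pvt/service.pwd
    /_vti_pvt/users.pwd
    /_vti_pvt/authors.pwd
    /_vti_pvt/administrators.pwd
    /_vti_bin/shtml.exe
    /cgi-dos/args.bat
    /cgi-win/uploader.exe
    /cgi-bin/rguest.exe
    /cgi-bin/wguest.exe
    /scripts/iisadmin/bdir.htr
    /scripts/CGImail.exe
    /scripts/tools/newdsn.exe
    /scripts/fpcount.exe
    /cfdocs/expeval/openfile.cfm
    /cfdocs/expeval/exprcalc.cfm
    /cfdocs/expeval/displayopenedfile.cfm
    /iissamples/exair/howitworks/codebrws.asp
    /iissamples/sdk/asp/docs/codebrws.asp
    /msads/Samples/SELECTOR/showcode.asp
    /search97.vts
    /carbo.dll
    /cgi-bin/pfdisplay
    /cgi-bin/filemail.cgi
    /cgi-bin/maillist.cgi
    /_vti_pvt/admin.pwd
    /scripts/counter.exe
    /scripts/visadmin.exe
    /scripts/perl.exe
    /cfdocs/expeval/sendmail.cfm
    /domcfg.nsf/?open
    /?PageServices
    /....../autoexec.bat
    /iisadmpwd/achg.htr
    /cgi-bin/passwd
    /cgi-bin/passwd.txt
    /cgi-bin/password
    /cgi-bin/password.txt
    /cgi-bin/ax.cgi
    /cgi-bin/ax-admin.cgi
    /scripts/convert.bas
    /session/admnlogin
    /cgi-bin/cachemgr.cgi
    /cgi-bin/query
    /cgi-bin/rpm_query
    /cgi-bin/dbmlparser.exe
    /cgi-bin/flexform.cgi
    /cgi-bin/responder.cgi
    /cgi-bin/imagemap.exe
    /cfdocs/cfmlsyntaxcheck.cfm
    /cfdocs/snippets/fileexist.cfm
    /cfappman/index.cfm
    /scripts/cpshost.dll
    /samples/search/queryhit.htm
    /msadc/msadcs.dll
    /scripts/proxy/w3proxy.dll
    /cgi-bin/MachineInfo
    /cgi-bin/lwgate
    /cgi-bin/lwgate.cgi
    /cgi-bin/LWGate
    /cgi-bin/LWGate.cgi
    /cgi-bin/nlog-smb.cgi
    /cgi-bin/icat
    /cgi-bin/axs.cgi
    /publisher/
    /cgi-bin/mlog.phtml
    /ssi/envout.bat
    /cgi-bin/archie
    /cgi-bin/bb-hist.sh
    /cgi-bin/nph-error.pl
    /cgi-bin/post_query
    /cgi-bin/ppdscgi.exe
    /cgi-bin/webmap.cgi
    /scripts/tools/getdrvs.exe
    /cgi-bin/upload.pl
    /scripts/pu3.pl
    /WebShop/logs/cc.txt
    /WebShop/templates/cc.txt
    /quikstore.cfg
    /PDG_Cart/shopper.conf
    /PDG_Cart/order.log
    /pw/storemgr.pw
    /iissamples/iissamples/query.asp
    /iissamples/exair/search/advsearch.asp
    /iisadmpwd/aexp2.htr
    /adsamples/config/site.csc
    /.html/............../config.sys
    /cgi-bin/add_ftp.cgi
    /cgi-bin/architext_query.cgi
    /cgi-bin/w3-msql/
    /cgi-bin/bigconf.cgi
    /cgi-bin/get32.exe
    /cgi-bin/alibaba.pl
    /cgi-bin/tst.bat
    /status
    /cgi-bin/search.cgi
    /scripts/samples/search/webhits.exe
    /aux
    /com1
    /com2
    /com3
    /lpt
    /con
    /cgi-shl/win-c-sample.exe
    ../..
    /cgi-bin/classified.cgi
    /cgi-bin/download.cgi
    ../../boot.ini
    /default.asp.
    /cgi-bin/testcgi.exe
    /cgi-bin/FormHandler.cgi
    /cgi-bin/cgitest.exe
    /cgi-bin/meta.pl
    /cgi-bin/test-cgi.tcl
    /cgi-bin/day5datacopier.cgi
    /photoads/
    /photoads/cgi-bin/
    /photoads/cgi-bin/env.cgi
);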
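@weblogarray = ();
# Work out where the IIS logs are (NT only). With an SMB mount the NT
# default W3SVC1 location under the mount is used; otherwise -l must name
# a local directory. Both are normalised to end in "/" because the file
# name is appended by plain concatenation below (a mount point given
# without a trailing slash used to produce ".../srvWINNT/...").
if ( $mountpoint ) {
    $logdir = $mountpoint;
    $logdir .= "/" unless $logdir =~ m{/$};
    $logdir .= "WINNT/system32/Logfiles/W3svc1/";
} else {
    # local -> use $args{l} for the full path
    $logdir = $args{l};
    die "No log directory: give -m <mountpoint> or -l <dir>\n"
        unless defined $logdir && length $logdir;
    $logdir .= "/" unless $logdir =~ m{/$};
}

# Compile every signature once instead of once per log line per signature.
# NOTE(review): the entries are interpolated *unescaped*, so "." and "?"
# inside them act as regex metacharacters; e.g. the trailing "?" of
# "/default.ida?" makes the "a" optional, which is how "GET /default.ida "
# lines get matched. Wrapping them in \Q...\E would change which lines
# match, so the signatures are deliberately kept as regex fragments.
my @signatures = map { [ $_, qr/(?:GET|POST) $_ /i ] } @vuln_array;

opendir(my $logdh, $logdir)
    or die "Cannot open: $logdir $!";
while (defined(my $weblogfile = readdir($logdh))) {
    # IIS W3C extended logs are named exYYMMDD.log; the "ac" prefix is kept
    # from the original filter (presumably an access-log name - unverified).
    unless ($weblogfile =~ /^ex/ || $weblogfile =~ /^ac/) {
        print "Skipping: $weblogfile\n";
        next;
    }
    print "Found: $weblogfile\n";
    $weblogfound = $logdir . $weblogfile;
    # Three-argument open: the file name comes from a directory on the
    # remote (possibly compromised) host, so it must never be parsed as a
    # mode. An unreadable file is reported and skipped rather than aborting
    # the whole sweep.
    my $logfh;
    unless (open($logfh, '<', $weblogfound)) {
        warn "cannot open: $weblogfile $!\n";
        next;
    }
    while (my $line = <$logfh>) {
        chomp $line;
        # Every line of every log is retained here; nothing in this file
        # reads it back, so it only costs memory on large log sets.
        push(@weblogarray, $line);
        foreach my $sig (@signatures) {
            my ($element1, $re) = @$sig;
            next unless $line =~ $re;
            print color("red"), "Possible Attack:-> $element1 Status: LOGGED\n", color("reset");
            printToLog("Requested Resource: $element1\t" . "From: $line \n");
        }
    }
    close($logfh);    # one handle per file; previously each log leaked its handle
}
closedir($logdh);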

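# Append @text to $outputfile (the dump file chosen via -o or derived from
# -u). Each call opens, writes and closes the file so that partial results
# survive a later die(). Dies if the file cannot be opened or the buffered
# write fails at close. No prototype on purpose: an empty "()" prototype
# declares a zero-argument sub, which would turn every printToLog("...")
# call compiled after this definition into a compile error.
sub printToLog {
    my (@text) = @_;
    open(my $out, '>>', $outputfile)
        or die "Fatal: Could not open $outputfile for writing: $!";
    print {$out} @text;
    close($out)
        or die "Fatal: Could not write $outputfile: $!";
}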

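# Print the command-line help and exit the program. The heredoc is
# single-quoted so nothing in it is interpolated: "$PATH" is meant as
# literal text here, not a variable (with an interpolating heredoc it
# expanded to an empty string and warned under -w). The sample commands
# name this file, riplog-v4.pl.
sub usage {
    print <<'USAGE';
  Usage: perl riplog-v4.pl [-?] -umtlo <target machine>
      -u    Username
      -m    Mount point (remote SMB machine)
      -t    Target Machine
      -l    Local dir $PATH logfiles (no SMB mount required)
      -o    Output filename
      -?    This menu
        Sample: riplog-v4.pl -u fred -m /home/fred/mnt/SERVERNAME/C/ -t SERVERNAME
	Sample: riplog-v4.pl -l /home/username/logfile/ -o ~username/dump.out
NOTE: Make sure you have Admin Privileges to the C$ volume or this app will not work!
    * YOU HAVE BEEN WARNED!

USAGE
    exit;
}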







