79 lines
2.8 KiB
Bash
79 lines
2.8 KiB
Bash
#!/bin/bash
|
|
|
|
# Script de détection des machines infectées par Conficker
|
|
# Copyright (c) 2009 Michel Blockelet <blockelet@crans.org>
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
|
|
|
|
|
|
if [ "`hostname`" != "sable" ]
|
|
then
|
|
echo "Vous devez exécuter ce script sur sable !"
|
|
exit 1
|
|
fi
|
|
|
|
# On initialise les fichiers utilisés par le script
|
|
# (Par défaut, ces fichiers sont laissés pour ne pas avoir à reexécuter le
|
|
# script ...)
|
|
echo " * Initialisation des fichiers ..."
|
|
FILES="base ip_reqip ip_reqip_stats reverse_dns compromised stats"
|
|
rm -f $FILES
|
|
touch $FILES
|
|
chmod go-rwx $FILES
|
|
|
|
# On regarde les lignes de la forme "...GET http://[une ip]/search?..."
|
|
echo -n " * Recherche des lignes de logs correspondantes ... [> base] Lignes : "
|
|
sudo egrep "GET http://([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}/search\?" /var/log/squid/access.log | tee base | wc -l
|
|
|
|
# On récupère les IPs dans les lignes
|
|
echo -n " * Récupération des IP sources et destinations ... [> ip_reqip] Lignes : "
|
|
cat base | sed 's/^.* \(.*\) TCP.* http:\/\/\(.*\)\/search.*$/\1 \2/' | tee ip_reqip | wc -l
|
|
|
|
# On trie les IPs et on génère les stats de requêtes
|
|
echo -n " * Tri, comptage ... [> ip_reqip_stats] Lignes : "
|
|
cat ip_reqip | sort | uniq -c | tee ip_reqip_stats | wc -l
|
|
|
|
# On regarde le reverse DNS de chaque IP destination
|
|
echo -n " * Reverse DNS des IPs destination ... [> reverse_dns] Lignes : "
|
|
for SEARCHIP in `cat ip_reqip | awk '{print $2}' | sort | uniq`
|
|
do
|
|
echo -n "$SEARCHIP " >> reverse_dns
|
|
host $SEARCHIP >> reverse_dns
|
|
done
|
|
cat reverse_dns | wc -l
|
|
cat reverse_dns
|
|
|
|
# On garde les IPs destination n'ayant pas de reverse DNS
|
|
# (peut-être est-ce trop restrictif ?)
|
|
echo -n " * Recherche des hôtes compromis ... [> compromised] Lignes : "
|
|
for SEARCHIP in `grep "not found" reverse_dns | awk '{print $1}'`
|
|
do
|
|
echo " * $SEARCHIP" >> stats
|
|
for NEWIP in `grep $SEARCHIP ip_reqip | awk '{print $1}' | sort | uniq`
|
|
do
|
|
if ! grep $NEWIP compromised > /dev/null
|
|
then
|
|
echo -n "$NEWIP " >> compromised
|
|
host $NEWIP >> compromised
|
|
fi
|
|
done
|
|
grep $SEARCHIP ip_reqip_stats >> stats
|
|
done
|
|
cat compromised | wc -l
|
|
cat compromised
|
|
|
|
# On affiche les statistiques
|
|
echo " * Statistiques ... [> stats]"
|
|
cat stats
|