
You can find the Shutdown Tool and the DB2 plugin here

Welcome to the homepage of the 'autoabuse' script for Linux, written by nme.
I had a lot of exams during the last weeks, but now the project will be continued.
I think I will change the script to run as a cron job once a day... so stay tuned.



nme@myrealbox.com


DESCRIPTION:
This script monitors the default SuSE Linux firewall log /var/log/messages for incoming
port scans on 27374 (Sub7 Trojan), 1243 (Sub7), 12345 (NetBus).
If someone scans you for trojans, the script queries the RIPE whois
database (*check comments at bottom!) and
automatically sends an abuse email to the ISP of the attacker.

On some days I have about 10-30 scans for trojans like Sub7, BO or NetBus and sometimes
I used to manually send abuse mails to the ISPs. But with this script you can kick every
script kiddie's butt :)
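
The log-scanning step described above, sketched as a once-a-day batch run (an added example, not the autoabuse script itself): it reads ipchains "Packet log" lines in the format quoted in the example mail, keeps probes to the trojan ports this page lists, and prints one row per source address and port. The function name trojan_probes, the SAMPLE_LOG data and the output columns are assumptions; the whois lookup and the mail step are left out.

```shell
#!/bin/sh
# Added example, not the autoabuse script. Names below are hypothetical.

# Constructed sample log in the ipchains format shown in the example mail
# (documentation-range addresses, not real traffic).
SAMPLE_LOG='Jun 21 14:26:27 server kernel: Packet log: input ACCEPT ippp0 PROTO=6 192.0.2.10:2100 198.51.100.5:27374 L=48 S=0x00 I=50352 F=0x4000 T=123 SYN (#82)
Jun 21 14:26:30 server kernel: Packet log: input ACCEPT ippp0 PROTO=6 192.0.2.10:2101 198.51.100.5:27374 L=48 S=0x00 I=50353 F=0x4000 T=123 SYN (#82)
Jun 21 14:31:02 server kernel: Packet log: input DENY ippp0 PROTO=6 192.0.2.77:4011 198.51.100.5:12345 L=48 S=0x00 I=1201 F=0x4000 T=120 SYN (#83)
Jun 21 14:35:00 server kernel: Packet log: input DENY ippp0 PROTO=6 192.0.2:2100 198.51.100.5:1243 L=48 S=0x00 I=1300 F=0x4000 T=120 SYN (#83)
Jun 21 14:40:10 server kernel: Packet log: input ACCEPT ippp0 PROTO=6 192.0.2.99:1033 198.51.100.5:80 L=48 S=0x00 I=77 F=0x4000 T=118 SYN (#12)
Jun 21 14:41:00 server kernel: Packet log: input DENY ippp0 PROTO=6 192.0.2.50:1500 198.51.100.5:31337 L=48 S=0x00 I=9 F=0x4000 T=60 SYN (#84)'

# Read log lines on stdin; print one tab-separated row per (source IP, port):
#   source_ip  port  trojan  hit_count  first_seen
trojan_probes() {
    awk '
    BEGIN {
        # Port table as listed on the page.
        name[27374] = "Sub7"; name[1243] = "Sub7"
        name[12345] = "NetBus"; name[31337] = "Back Orifice"
        addr = "^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+:[0-9]+$"
    }
    $5 == "kernel:" && $6 == "Packet" && $7 == "log:" && $8 == "input" {
        # These fields later feed a whois query and a mail body, so skip
        # truncated or corrupted entries that are not dotted-quad:port.
        if ($12 !~ addr || $13 !~ addr) next
        split($12, s, ":"); split($13, d, ":")
        port = d[2] + 0
        if (!(port in name)) next
        key = s[1] SUBSEP port
        if (!(key in count)) { order[++n] = key; first[key] = $1 " " $2 " " $3 }
        count[key]++          # repeated probes collapse into one row
    }
    END {
        for (i = 1; i <= n; i++) {
            split(order[i], k, SUBSEP)
            printf "%s\t%s\t%s\t%d\t%s\n", k[1], k[2], name[k[2]], count[order[i]], first[order[i]]
        }
    }'
}

printf '%s\n' "$SAMPLE_LOG" | trojan_probes
```

Collapsing repeated probes into one row per source keeps a daily run from sending one mail per logged packet.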

Download: (CHECK COMMENTS BEFORE!!)
autoabuse-v0.1.tar.gz
autoabuse-v0.11.tar.gz
autoabuse-v0.12.tar.gz
autoabuse-v0.13.tar.gz
autoabuse-v0.14.tar.gz
autoabuse-v0.15.tar.gz
autoabuse-v0.16.tar.gz


sourcecode:
autoabuse-v0.1.txt
autoabuse-v0.11.txt


UPDATES:
22.06.01 15:56
autoabuse v0.16
-did some modifications inspired by the email Steven sent me,
I think the script is somehow more efficient now.
-minor fixes

21.06.01 15:02
autoabuse v0.15
-added support for port 31337 Back Orifice
-new var WHOIS to set whois host (if NON-europe)
-minor fixes

20.06.01 19:17
autoabuse v0.14
-added support not only for 27374 but 1243 and 12345
-new var to hold attacked port and trojans name
-new abuse@ parsing method supports most ISPs (except stupid AOL!!!!)
-minor fixes

19.06.01 21:28
autoabuse v0.13
-minor fixes
-changed subject line to contain number of abuse messages NEED WRITE PERMISSIONS!

19.06.01 16:10
autoabuse v0.12
-minor fixes

18.06.2001
autoabuse v0.11
-check if t-ipnet.de is down and send to abuse@t-online.de instead

17.06.2001
there seems to be an error if you want to send emails directly to abuse@t-ipnet.de.
the domain seems to be unreachable or unknown to 'sendmail'
keep an eye out for updates!

16.06.2001
autoabuse v0.1 (still beta) supports:
-queries for T-Online
-queries for T-Online DSL
-maybe other ISPs (mail me: nme@myrealbox.com)


(*) COMMENTS:
-TESTED WITH SUSE LINUX 6.4!
-And as usual scripts like this one come WITHOUT ANY WARRANTY! USE AT OWN RISK!
-if you are not from Europe you might have to change the whois host whois.ripe.net
to whois.arin.net (USA) or whois.apnic.net (Asia/Pacific)!
-AOL offers no abuse contact in the ARIN database. Maybe I'll fix these lamers this week
but I think they are not interested if someone abuses their network....NARF!


EXAMPLE OF AN ABUSE MAIL:
----THIS IS AN AUTOMATICALLY GENERATED MAIL----
---- by 'autoabuse v0.14' ----

----DIES IST EINE AUTOMATISCH GENERIERTE MAIL----
---- von 'autoabuse v0.14' ----


REPLY TO : $REALMAIL
ANTWORT AN: $REALMAIL

Sehr geehrte Damen und Herren,

einer Ihrer Dial-Up User hat zum wiederholten Male versucht
auf meinen Rechner Zugriff zu erlangen. Hier die Daten meiner
Firewall:

Time: ---Jun 21 14:26:27--- HackersIP: xxx.xxx.xxx.xxx:2100 tried to access: xxx.xxx.xxx.xxx:27374
Attack to: 27374 Sub7 Trojan

Jun 21 14:26:27 server kernel: Packet log: input ACCEPT ippp0 PROTO=6 xxx.xxx.xxx.xxx:2100 xxx.xxx.xxx.xxx:27374 L=48 S=0x00 I=50352 F=0x4000 T=123 SYN (#82)

Eine 'whois' Abfrage in der RIPE Datenbank ergab, dass die 'Hacker'-IP

xxx.xxx.xxx.xxx
zu

Deutsche Telekom AG
Deutsche Telekom AG, Internet service provider

gehoert.

Ich bitte Sie, den Vorgang zu verfolgen und
mich ueber Ihre Fortschritte zu informieren.

Sollten Sie ( abuse@t-online.de ) fuer diesen Vorgang nicht zustaendig sein,
leiten Sie diese eMail bitte an die entsprechende Stelle weiter.

Vielen Dank fuer Ihre Muehe!

Mit freundlichem Gruss,
$REALNAME
$REALMAIL

----------------------------------------
using 'autoabuse v0.14'
by nme in June 2001
http://autoabuse.tripod.com