#!/bin/sh
##########################################################################
# autoabuse v0.1 by nme 06/2001
#
# contact: nme@myrealbox.com
# http://autoabuse.tripod.com
#
# this script is FREE for non-commercial and NON-GOVERNMENTAL use!
# if you are a member of a government or a governmental organisation
# (police, etc) the use of this script is strictly forbidden!!!!!!
# write your own....
#
# all others: feel free to copy, modify, mv autoabuse /dev/null,
# stick on your head, flush down the toilet or *whatever* this script.
#
#
# WHAT THIS SCRIPT DOES
#
# autoabuse scans the last line of the default firewall log
# (/var/log/messages) for
# incoming connects to port 27374 (sub7) and contacts whois.ripe.net
# to identify the ISP of the scanning script kiddie. the abuse contact is
# parsed from the whois answer and an email is sent to
# abuse@script-kiddies-ISP.xy which hopefully makes the ISP kick
# the kiddie. har har (i am baaad)
#
# INSTALLING AND RUNNING:
#
# -this script has to be run as 'root' (i know... save your breath)
# -you need to have 'mail', 'whois' and 'sendmail' binaries installed
# -copy into any directory !!with write permissions!!
#  and run ./autoabuse
#
# BUGS AND DISCLAIMER:
#
# v0.1 BETA!
# as every beta version, autoabuse comes with ABSOLUTELY NO WARRANTY
# or support! RUN THIS SCRIPT AT YOUR OWN RISK !!! I CANNOT BE HELD
# responsible for any damage to hardware and / or software and / or data
# on your harddisk. NEVER TRUST SCRIPTS :) check what they do.
#
# -this version of autoabuse only supports/and has been tested with
# german provider t-Online, which hosts most of the script kiddies
# (DSL flat kiddies). it MAY work with others too
# -feel free to complete this script. INFORM ME OF YOUR UPDATES :)
#
#
# LAST BUT NOT LEAST: DO NOT ARGUE ON HOW STUPID AND AMATEUR LIKE THIS
# SCRIPT IS. DON'T COMPLAIN, DO BETTER!
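# (and send me :P )
###########################################################################
#
# NOTE(review): the if/else nesting of the main loop was unbalanced in the
# original (one `fi` short, and the error mail was written with `>` where
# `<` was clearly meant), so the loop below is a reading of the intended
# logic: no abuse contact in the whois record -> notify BLINDMAIL,
# otherwise -> send the abuse report with a blind copy to BLINDMAIL.

# THIS VAR MUST BE >0 TO MAKE SURE U CHECKED THE SCRIPT BEFORE RUNNING
CHECKED=-1
if [ "$CHECKED" -le 0 ]; then
  echo "PLEASE CHECK THE SCRIPT."
  echo "'CHECKED' MUST BE >0"
  exit 1
fi

echo
echo "autoabuse v0.1, created by nme in June 2001"
echo "contact author: nme@myrealbox.com"
echo "http://autoabuse.tripod.com"
echo "non-comercial and non-governmental version."
echo "-supports queries for T-Online"
echo "-supports queries for T-Online DSL"
echo
echo "autoabuse started."
# sssshhht, don't touch this :)
sleep 2

# require_bin PATH NAME
# Prints the same FOUND / NOT FOUND lines the original printed per binary
# and exits 1 when PATH is not an executable file (-x rather than -f, so a
# non-executable leftover at that path does not pass the check).
require_bin() {
  echo "Checking for '$1'..."
  if [ -x "$1" ]; then
    echo "FOUND..."
  else
    echo "NOT FOUND! Edit script or install '$2' binaries..."
    echo "Exiting..."
    exit 1
  fi
}

# is_ipv4 STRING
# True when STRING is a dotted quad. The source field is lifted from a log
# line by position, so this is the only thing that keeps an unexpected
# token from being handed to whois(1) as an argument.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# is_mail_address STRING
# True when STRING is a plain user@host token. The abuse contact comes from
# whois output, i.e. third-party data; anything else (an empty value, a
# leading '-', embedded spaces) must never reach mail(1)'s argument list.
is_mail_address() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$'
}

# last_scan_line
# Prints the last line of $LOG when it mentions ":$PORT", nothing otherwise.
# Read once per iteration: the original ran tail(1) again for every field,
# so TIME, KIDDIE_IP and OWN_IP could come from different lines on a busy log.
last_scan_line() {
  tail -n 1 -- "$LOG" | grep ":$PORT"
}

# field N
# Prints whitespace-separated field N of the line on stdin.
field() {
  awk -v n="$1" '{ print $n }'
}

# error_mail_body
# Notice sent to BLINDMAIL when the whois record has no usable abuse
# contact; reads TIME, KIDDIE_IP, OWN_IP, SCAN_FROM and EMAILS.
error_mail_body() {
  cat <<EOF
Hello Admin!

I have been scanned on $TIME by $KIDDIE_IP to $OWN_IP .
Using:
$SCAN_FROM

And I could not find an abuse contact.
But I found these mail contacts:

$EMAILS

Why don't you check the script?

CU
EOF
}

# abuse_mail_body
# The report sent to the abuse contact; reads TIME, KIDDIE_IP, OWN_IP,
# FULLLOG, PARSED_IP, SCAN_FROM, ABUSEMAIL and BLINDMAIL. Variable values
# are not re-expanded inside a here-document, so a log line containing
# shell metacharacters is passed through literally. The reply address is
# BLINDMAIL (the operator), since the script runs as root and the ISP's
# answer has to reach whoever runs it.
abuse_mail_body() {
  cat <<EOF
---- by 'autoabuse' v0.1 ----

----DIES IST EINE AUTOMATISCH GENERIERTE MAIL----
---- von 'autoabuse' v0.1 ----


REPLY TO : $BLINDMAIL
ANTWORT AN: $BLINDMAIL

Sehr geehrte Damen und Herren,

einer Ihrer Dial-Up User hat zum wiederholten Male versucht
auf meinen Rechner Zugriff zu erlangen. Hier die Daten meiner
Firewall:

Time: ---$TIME--- HackersIP: $KIDDIE_IP tried to access: $OWN_IP

$FULLLOG

Eine 'whois' Abfrage in der RIPE Datenbank ergab, dass die 'Hacker'-IP

$PARSED_IP
zu

$SCAN_FROM

gehoert. Des Weiteren ist in der RIPE Datenbank $ABUSEMAIL als 'abuse'
Mailaddresse angegeben.
Ich bitte Sie, den Vorgang zu verfolgen und
mich ueber Ihre Fortschritte zu informieren.

Sollten Sie entegen der Aussage der RIPE Datenbank nicht zustaendig
sein, leiten Sie diese eMail bitte an die zustaendige Stelle weiter.

Vielen Dank fuer Ihre Muehe!

Mit freundlichem Gruss,
nme
$BLINDMAIL

----------------------------------------
using 'autoabuse v0.1'
by nme in June 2001
http://autoabuse.tripod.com

EOF
}

# path to 'whois', 'mail' and 'sendmail' executables
require_bin /usr/bin/whois whois
require_bin /usr/bin/mail mail
require_bin /usr/sbin/sendmail sendmail

echo
echo "'autoabuse' initialized and waiting..."
echo

# set initial vars
# default firewall log and the destination port (sub7) we react to
LOG=/var/log/messages
PORT=27374
# source field (addr:port as logged) of the last report; 0 = none yet
KIDDIE_IP=0
# bare address of the last report: the original compared the addr:port
# field, so every new source port from the same host produced another mail
LAST_REPORTED=
# your email adress: copies of abuse mails and error mails will be sent here
BLINDMAIL=nme@myrealbox.com

# The mail body is staged in a private temp file rather than ./abusemail.txt:
# that name was predictable, lived in the current directory, and was only
# ever appended to, so a leftover file would have been mailed out again.
MAILFILE=$(mktemp) || { echo "cannot create temp file" >&2; exit 1; }
trap 'rm -f -- "$MAILFILE"' EXIT

while :; do
  LINE=$(last_scan_line)
  SRC=$(printf '%s\n' "$LINE" | field 12)
  if [ -z "$SRC" ]; then
    # no incoming portscans...sleeping.
    sleep 4
    continue
  fi
  # strip the ":port" suffix
  PARSED_IP=${SRC%%:*}
  if [ "$PARSED_IP" = "$LAST_REPORTED" ]; then
    # already reported; wait for a new source
    sleep 4
    continue
  fi
  if ! is_ipv4 "$PARSED_IP"; then
    printf 'ignoring source field that is not an IPv4 address: %s\n' "$SRC" >&2
    LAST_REPORTED=$PARSED_IP
    sleep 4
    continue
  fi

  # A NEW IP WAS DETECTED, START PARSING
  FULLLOG=$LINE
  TIME=$(printf '%s\n' "$LINE" | awk '{print $1,$2,$3}')
  KIDDIE_IP=$SRC
  OWN_IP=$(printf '%s\n' "$LINE" | field 13)
  LAST_REPORTED=$PARSED_IP
  printf 'SCANNED: from %s -> %s on %s\n' "$KIDDIE_IP" "$OWN_IP" "$TIME"

  echo
  echo "query RIPE database...."
  # one whois query per hit; the original issued three for the same address
  WHOIS=$(whois -h whois.ripe.net "$PARSED_IP")
  SCAN_FROM=$(printf '%s\n' "$WHOIS" | grep "descr:" | awk '{print $2,$3,$4,$5,$6,$7}')
  echo
  printf 'attacker %s uses:\n' "$PARSED_IP"
  printf '%s\n' "$SCAN_FROM"
  # first abuse@ token only: several hits would have word-split into several
  # recipients, and broken the `[ -z ]` test, in the original
  ABUSEMAIL=$(printf '%s\n' "$WHOIS" | awk '{print $2}' | grep "abuse@" | head -n 1)
  echo
  echo "abuse mail adress is:"
  printf '%s\n' "$ABUSEMAIL"
  echo

  # !!!!there seems to be an error with the domain 't-ipnet.de'!!!!
  # so watch out for updates!!!!
  if ! is_mail_address "$ABUSEMAIL"; then
    # ERROR MAIL MESSAGE IF ABUSE CONTACT COULD NOT BE IDENTIFIED
    echo "ERROR! Cannot find abuse-contact!"
    EMAILS=$(printf '%s\n' "$WHOIS" | grep "e-mail:" | awk '{print $2}')
    error_mail_body > "$MAILFILE"
    mail -s "Incoming Portscan" "$BLINDMAIL" < "$MAILFILE"
  else
    abuse_mail_body > "$MAILFILE"
    mail -s "Report hack attempt / Meldung Hackversuch" -b "$BLINDMAIL" "$ABUSEMAIL" < "$MAILFILE"
  fi
  sleep 4
  echo "sending email..."
  sendmail -q
  # scrub the staged body so nothing lingers between hits
  : > "$MAILFILE"
done
#eof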