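#!/bin/sh
##########################################################################
# autoabuse v0.11 by nme 06/2001
#
# contact: nme@myrealbox.com
#
# this script is FREE for non-comercial and NON-GOVERNMENTAL use!
# if you are member of a government or a governmental organisation
# (police, etc) the use of this script is strictly forbidden!!!!!!
# write your own....
#
# all others: feel free to copy, modify, mv autoabuse /dev/null,
# stick on your head, flush down the toilet or *whatever* this script.
#
#
# WHAT THIS SCRIPT DOES
#
# autoabuse scans the last line of the default firewall log
# (/var/log/messages) for
# incoming connects to port 27374 (sub7) and contacts whois.ripe.net
# to identify ISP of the scanning script kiddie. abuse contact is
# being parsed from whois answer and an email is being sent to
# abuse@script-kiddies-ISP.xy which hopefully makes the ISP kick
# the kiddie. har har (i am baaad)
#
# INSTALLING AND RUNNING:
#
# -this script has to be run as 'root' (i know... save your breath)
# -you need to have 'mail' , 'whois'and 'sendmail' binaries installed
# -copy into any directory and run ./autoabuse (the mail text is built
#  in a mktemp file, so the directory no longer needs write permissions)
#
# BUGS AND DISCLAIMER:
#
# v0.1 BETA!
# as every beta version, autoabuse comes with ABSOLUTELY NO WARRANTY
# or support! RUN THIS SCRIPT OWN YOUR OWN RISK !!! I CANNOT BE HELD
# responsible for any damage to hardware and / or software and / or data
# on your harddisk. NEVER TRUST SCRIPTS :) check what they do.
#
# -this version of autoabuse only supports/and has been tested with
#  german provider t-Online, which hosts most of the script kiddies
#  (DSL flat kiddies). it MAY work with others too
# -feel free to complete this script. INFORM ME OF YOUR UPDATES :)
#
#
# LAST NOT LEAST: DO NOT ARGUE ON HOW STUPID AND AMATEUR LIKE THIS
# SCRIPT IS. DON'T COMPLAIN, DO BETTER! (and send me :P )
###########################################################################
# updates:
#
# -abuse@t-ipnet.de seems to be down, as usual, reports to this email are
#  forwared to abuse@t-online.de so lets do the same :)
#
# review notes (code changes against the original v0.11, the mail texts
# and messages are unchanged):
# - every expansion is quoted, and the log-derived address is checked to
#   be a dotted quad before it is handed to whois
# - the last log line is read once per iteration and whois is queried
#   once per incident instead of three times
# - the t-ipnet.de reachability check uses ping's exit status (the old
#   string compare against a message ping writes to stderr never matched)
# - the "no abuse contact" error mail is fed to mail with '<' (the old
#   '>' truncated the file that had just been written), and the ISP mail
#   is skipped when there is nobody to send it to
# - the mail text lives in a mktemp file removed on exit, not in
#   ./abusemail.txt
##########################################################################

set -u
# sendmail normally lives in /usr/sbin; be explicit instead of relying on
# root's PATH
PATH="$PATH:/usr/sbin:/sbin"

# THIS VAR MUST BE >0 TO MAKE SURE U CHECKED THE SCRIPT BEFORE RUNNING
CHECKED=1
if [ "$CHECKED" -le 0 ]; then
  echo "PLEASE CHECK THE SCRIPT."
  echo "'CHECKED' MUST BE >0"
  exit 1
fi

# ---- settings -----------------------------------------------------------
# firewall log that is polled; only its LAST line is ever looked at
LOGFILE=/var/log/messages
# destination port that marks a log line as a sub7 probe
SCAN_PORT=27374
# awk field numbers of the source (ip:port) and the destination in a log
# line. NOTE(review): inherited from the original script's 2001 syslog
# layout -- confirm against your own firewall's log lines before running.
SRC_FIELD=12
DST_FIELD=13
# whois server that is asked for the abuse contact
WHOIS_SERVER=whois.ripe.net
# seconds between two looks at the log
POLL_INTERVAL=4
# your email adress: copies of abuse mails and error mails will be sent here
BLINDMAIL=nme@myrealbox.com
# version info (HOMEPAGE, not HOME: HOME is the shell's home directory
# variable and must not be overwritten)
VERSION="autoabuse v0.11"
HOMEPAGE="http://autoabuse.tripod.com"
# source field (ip:port) of the last log line that was handled; a line
# with the same source field is not reported again
# do not change this one
KIDDIE_IP=0

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless the named program can be found via PATH.
# Arguments: $1 - program name (whois, mail, sendmail)
# Outputs:   progress messages on stdout
#######################################
need_tool() {
  echo "Checking for '$1'..."
  if command -v "$1" >/dev/null 2>&1; then
    echo "FOUND..."
  else
    echo "NOT FOUND! Edit script or install '$1' binaries..."
    die "Exiting..."
  fi
}

#######################################
# Print one whitespace-separated field of a line.
# Arguments: $1 - the line, $2 - 1-based field number
# Outputs:   the field on stdout (empty when the line is shorter)
#######################################
log_field() {
  printf '%s\n' "$1" | awk -v f="$2" '{print $f}'
}

echo
echo "$VERSION, created by nme in June 2001"
echo "contact author: nme@myrealbox.com"
echo "$HOMEPAGE"
echo "non-comercial and non-governmental version."
echo "-supports queries for T-Online"
echo "-supports queries for T-Online DSL"
echo
echo "$VERSION started."
# sssshhht, don't touch this :)
sleep 2

need_tool whois
need_tool mail
need_tool sendmail

# the mail body is assembled in a private temp file that lives for the
# whole run (truncated per incident) and is removed on any exit
MAILFILE=$(mktemp) || die "mktemp failed"
cleanup() { rm -f -- "$MAILFILE"; }
trap cleanup EXIT

echo
echo "'$VERSION' initialized and waiting..."
echo

while :; do
  # read the last log line ONCE so that every field comes from the same line
  LASTLINE=$(tail -n 1 "$LOGFILE")
  case "$LASTLINE" in
    *":$SCAN_PORT"*) ;;
    *)
      # No incoming portscans...sleeping.
      sleep "$POLL_INTERVAL"
      continue
      ;;
  esac

  SRC=$(log_field "$LASTLINE" "$SRC_FIELD")
  if [ -z "$SRC" ] || [ "$SRC" = "$KIDDIE_IP" ]; then
    # no usable source field, or "Already reported: $KIDDIE_IP"
    sleep "$POLL_INTERVAL"
    continue
  fi

  # A NEW IP WAS DETECTED, START PARSING
  KIDDIE_IP=$SRC
  OWN_IP=$(log_field "$LASTLINE" "$DST_FIELD")
  TIME=$(printf '%s\n' "$LASTLINE" | awk '{print $1,$2,$3}')
  # strip the ":port" suffix from the source field
  PARSED_IP=${KIDDIE_IP%%:*}
  echo "SCANNED: from $KIDDIE_IP -> $OWN_IP on $TIME"

  # the address comes from a log line written because of somebody else's
  # packets: hand it to whois only when it is a plain dotted quad, so a
  # crafted field can never turn into a whois option or host name
  if ! printf '%s\n' "$PARSED_IP" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
    printf 'ERROR! source field %s is not an IPv4 address, skipping\n' "$KIDDIE_IP"
    sleep "$POLL_INTERVAL"
    continue
  fi

  echo
  echo "query RIPE database...."
  # one query per incident; the original asked whois three times per IP
  WHOIS_OUT=$(whois -h "$WHOIS_SERVER" "$PARSED_IP")
  SCAN_FROM=$(printf '%s\n' "$WHOIS_OUT" | grep "descr:" | awk '{print $2,$3,$4,$5,$6,$7}')
  echo
  echo "attacker $PARSED_IP uses:"
  printf '%s\n' "$SCAN_FROM"
  # first abuse@ address of the record: the report goes to one recipient
  ABUSEMAIL=$(printf '%s\n' "$WHOIS_OUT" | awk '{print $2}' | grep "abuse@" | head -n 1)
  echo
  echo "abuse mail adress is:"
  printf '%s\n' "$ABUSEMAIL"
  echo

  if [ "$ABUSEMAIL" = "abuse@t-ipnet.de" ]; then
    # decide on ping's exit status; the original compared ping's stdout
    # with an error text ping prints to stderr, so the fallback never fired
    if ! ping -c 1 t-ipnet.de >/dev/null 2>&1; then
      echo "$ABUSEMAIL STILL unreachable, setting ABUSEMAIL to abuse@t-online.de"
      echo
      ABUSEMAIL=abuse@t-online.de
    fi
  fi

  if [ -z "$ABUSEMAIL" ]; then
    echo "ERROR! Cannot find abuse-contact!"
    EMAILS=$(printf '%s\n' "$WHOIS_OUT" | grep "e-mail:" | awk '{print $2}')
    # ERROR MAIL MESSAGE IF ABUSE CONTACT COULD NOT BE IDENTIFIED
    {
      echo "Hello Admin!"
      echo
      echo "I have been scanned on $TIME by $KIDDIE_IP to $OWN_IP ."
      echo "Using:"
      printf '%s\n' "$SCAN_FROM"
      echo
      echo "And I could not find an abuse contact."
      echo "But I found these mail contacts:"
      echo
      printf '%s\n' "$EMAILS"
      echo
      echo "Why don't you check the script?"
      echo
      echo "CU"
    } > "$MAILFILE"
    echo
    # '<', not '>': the original redirected mail's (empty) output INTO the
    # file and so threw the message away
    mail -s "Incoming Portscan" "$BLINDMAIL" < "$MAILFILE"
    # nobody to send the abuse report to -> wait for the next incident
    sleep "$POLL_INTERVAL"
    continue
  fi

  {
    echo "---- by '$VERSION' ----"
    echo
    echo "----DIES IST EINE AUTOMATISCH GENERIERTE MAIL----"
    echo "---- von '$VERSION' ----"
    echo
    echo
    # this script is run as root, we have to tell abuse contact where
    # to send answers
    echo "REPLY TO : nme"
    echo "ANTWORT AN: nme"
    echo
    echo "Sehr geehrte Damen und Herren,"
    echo
    echo "einer Ihrer Dial-Up User hat zum wiederholten Male versucht"
    echo "auf meinen Rechner Zugriff zu erlangen. Hier die Daten meiner"
    echo "Firewall:"
    echo
    echo "Time: ---$TIME--- HackersIP: $KIDDIE_IP tried to access: $OWN_IP"
    echo
    printf '%s\n' "$LASTLINE"
    echo
    echo "Eine 'whois' Abfrage in der RIPE Datenbank ergab, dass die 'Hacker'-IP"
    echo
    echo "$PARSED_IP"
    echo "zu"
    echo
    printf '%s\n' "$SCAN_FROM"
    echo
    echo "gehoert."
    echo
    echo "Ich bitte Sie, den Vorgang zu verfolgen und"
    echo "mich ueber Ihre Fortschritte zu informieren."
    echo
    echo "Sollten Sie ( $ABUSEMAIL ) fuer diesen Vorgang nicht zustaendig sein,"
    echo "leiten Sie diese eMail bitte an die entsprechende Stelle weiter."
    echo
    echo "Vielen Dank fuer Ihre Muehe!"
    echo
    echo "Mit freundlichem Gruss,"
    echo "nme"
    echo "nme@blah.com"
    echo
    echo "----------------------------------------"
    echo "using '$VERSION'"
    echo "by nme in June 2001"
    echo "$HOMEPAGE"
    echo
  } > "$MAILFILE"
  mail -s "Report hack attempt / Meldung Hackversuch" -b "$BLINDMAIL" "$ABUSEMAIL" < "$MAILFILE"
  sleep "$POLL_INTERVAL"
  echo "sending email..."
  # process the local mail queue so the report leaves right away
  sendmail -q
  # the temp file is reused for the next incident and removed by the
  # EXIT trap, so there is nothing to delete here
  echo
done
#eof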