From owner-FreeBSD-users-jp@jp.freebsd.org  Wed Aug 15 12:22:18 2001
Message-ID: <001901c12539$7c51be20$4d3588d2@feelu.jp>
From: "nomura yukiaki" <ib7y-nmr@asahi-net.or.jp>
To: <FreeBSD-users-jp@jp.freebsd.org>
References: <20010802020856.20323@mail.ca2.so-net.ne.jp> <20010805145715.29038@mail.ca2.so-net.ne.jp>
Date: Wed, 15 Aug 2001 12:21:55 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0016_01C12584.DF00B1C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Reply-To: FreeBSD-users-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+010328
X-Sequence: FreeBSD-users-jp 63537
Subject: [FreeBSD-users-jp 63537] Re: code red 2
Errors-To: owner-FreeBSD-users-jp@jp.freebsd.org
Sender: owner-FreeBSD-users-jp@jp.freebsd.org
X-Originator: ib7y-nmr@asahi-net.or.jp

This is a multi-part message in MIME format.

------=_NextPart_000_0016_01C12584.DF00B1C0
Content-Type: text/plain;
	charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit

$BLnB<$G$9!#(B

$B2?;~$^$G$?$C$F$b%Q%C%A$rEv$F$J$$%5!<%P!<$,$"$k(B
$B$N$G!"(BCodeRed$B$K46@w$7$F$$$k%5!<%P!<$N0lMw$r=PNO$9$k(B
RubyScript$B$r:n@.$7$F$_$^$7$?!#(B

$BBg<jDL?.2q<R$NL>A0$,=P$F$-$?$j$7$F$H$F$b6=L#(B
$B?<$$$G$9(B:-)

Apache$B$N%m%0$r;XDj$9$k$3$H$G<!$N$h$&$K=PNO$7$^$9!#(B

                         :
[CodeRed2] Name:    h41-210-64-186.seed.net.tw Address:  210.64.186.41
[CodeRed2] Name:    g122162.ap.pXXXa.or.jp Address:  210.136.122.162
[CodeRed2] Name:    h28-210-66-114.seed.net.tw Address:  210.66.114.28
[CodeRed2] Name:    u104.d018166210.XXX.ne.jp Address:  210.166.18.104
[CodeRed2] Name:    g136221.ap.pXXXa.or.jp Address:  210.136.136.221
[CodeRed2] Name:    cj3181839-a.sugnm1.kt.hXXX.ne.jp Address:  210.20.24.172
[CodeRed2] Name:    g136221.ap.pXXXa.or.jp Address:  210.136.136.221
[CodeRed2] Name:    g123058.ap.pXXXa.or.jp Address:  210.136.123.58
[CodeRed ] Name:    24161233hfc59.tampabay.rr.com Address:  24.161.233.59
[CodeRed2] Name:    h146-210-68-202.yuken.com.tw Address:  210.68.202.146
[CodeRed2] Name:    h93-210-243-204.seed.net.tw Address:  210.243.204.93
[CodeRed ] Name:    winkor.com Address:  211.36.14.61
[CodeRed ] Name:    crtntx1-ar9-185-202.crtntx1.dsl.gtei.net Address:  4.43.185.202
[CodeRed2] Name:    sagami143025.allnet.ne.jp Address:  210.251.143.25
[CodeRed2] Name:    g122083.ap.pXXXa.or.jp Address:  210.136.122.83
[CodeRed2] Name:    g123058.ap.pXXXa.or.jp Address:  210.136.123.58
[CodeRed2] Name:    g123058.ap.pXXXa.or.jp Address:  210.136.123.58
[CodeRed2] Name:    g123058.ap.pXXXa.or.jp Address:  210.136.123.58
[CodeRed2] Name:    pl231.nas921.a-nagoya.nttpc.ne.jp Address:  210.165.122.231
[CodeRed2] Name:    g071036.ap.pXXXa.or.jp Address:  210.136.71.36
[CodeRed2] Name:    g062177.ap.pXXXa.or.jp Address:  210.136.62.177
[CodeRed2] Name:    b056194.ap.pXXXa.or.jp Address:  210.165.56.194
[CodeRed2] Name:    tinhangtech.com Address:  210.177.149.65
[CodeRed2] Name:    g071036.ap.pXXXa.or.jp Address:  210.136.71.36
[CodeRed2] Name:    h129-210-68-245.seed.net.tw Address:  210.68.245.129
[CodeRed ] Name:    balford Address:  143.236.25.98
[CodeRed2] Name:    dyn-52-98.corp.mypoints.com Address:  209.141.52.98
                         :
$B!J0lItIz;z!K(B


------=_NextPart_000_0016_01C12584.DF00B1C0
Content-Type: application/octet-stream;
	name="crsvr.rb"
Content-Disposition: attachment;
	filename="crsvr.rb"
Content-Transfer-Encoding: 7bit

#!/usr/local/bin/ruby

# CodeRed Log Filter for Apache Log       2001.08.15
#                                          Ruby1.6.4
#
# USAGE: ruby crsvr.rb <httpd-access.log>

log_file = ARGV.shift

File.foreach(log_file) do |line|
  # Code Red probes request the .ida ISAPI extension
  next unless line =~ /ida/

  # The first field of the access log is the client address
  ip = line.split(" ")[0]
  ##print(ip + "\n")

  # The field is interpolated into a shell command below, so accept only
  # address/hostname characters and nothing that starts like an option
  next unless ip =~ /\A[0-9A-Za-z][0-9A-Za-z.-]*\z/

  lookup = `nslookup #{ip} 2>/dev/null`
  next unless lookup =~ /Name:/

  # Flatten the reply to one line and keep only "Name: ... Address: ..."
  lookup = lookup.gsub(/\n/, " ")
  lookup = lookup.gsub(/Server:.*Name:/, "Name:")

  # The padding character in the request tells the variants apart
  if line =~ /NNNNNNN/
    print "[CodeRed ] "
  elsif line =~ /XXXXXX/
    print "[CodeRed2] "
  else
    print "[CodeRed?] "
  end
  puts(lookup)
end

------=_NextPart_000_0016_01C12584.DF00B1C0--
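
An added example, not part of the original post or its attachment: the same N/X padding test applied offline to Apache access-log lines, aggregated per source address so that a host appearing many times in the log is reported (and would need resolving) only once. The names `summarize_code_red` and `report` and the sample log lines are constructed for illustration; Common Log Format is assumed.

```ruby
# Added example: classify Code Red probes in Apache access-log lines and
# aggregate them per source address (no DNS lookups, runs offline).

# Padding after ".ida?" distinguishes the variants, as in crsvr.rb.
VARIANTS = [
  [/\.ida\?N{7,}/, "CodeRed"],
  [/\.ida\?X{6,}/, "CodeRed2"],
].freeze

# Returns { host => { variant => hit_count } } for requests to *.ida.
def summarize_code_red(lines)
  summary = Hash.new { |h, host| h[host] = Hash.new(0) }
  lines.each do |line|
    # Common Log Format: host ident user [time] "request" status bytes
    m = line.match(/\A(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+)/)
    next unless m
    host, uri = m[1], m[2]
    next unless uri =~ /\.ida(\?|\z)/i
    hit = VARIANTS.find { |pattern, _label| uri =~ pattern }
    summary[host][hit ? hit[1] : "CodeRed?"] += 1
  end
  summary
end

# One report line per host, busiest first.
def report(summary)
  summary.sort_by { |host, hits| [-hits.values.sum, host] }.map do |host, hits|
    tags = hits.sort.map { |variant, n| "#{variant} x#{n}" }.join(", ")
    format("%-16s %s", host, tags)
  end
end

# Constructed sample lines (documentation addresses, shortened padding).
SAMPLE_LOG = [
  %(192.0.2.10 - - [15/Aug/2001:10:00:01 +0900] "GET /default.ida?#{'X' * 40}=a HTTP/1.0" 404 276),
  %(198.51.100.7 - - [15/Aug/2001:10:00:05 +0900] "GET /default.ida?#{'N' * 40}=a HTTP/1.0" 404 276),
  %(203.0.113.5 - - [15/Aug/2001:10:00:09 +0900] "GET /index.html HTTP/1.0" 200 1024),
  %(192.0.2.10 - - [15/Aug/2001:10:02:11 +0900] "GET /default.ida?#{'X' * 40}=a HTTP/1.0" 404 276),
  %(203.0.113.9 - - [15/Aug/2001:10:03:30 +0900] "GET /test.ida HTTP/1.0" 404 270),
].freeze

puts report(summarize_code_red(SAMPLE_LOG)) if __FILE__ == $0
```
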

