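# D:\Perl\Bin\Perl.exe
# Script to check IIS Logs for Code Red Default.ida requests
#
# Walks every file in the IIS log directory, counts requests that mention
# default.ida, counts the padding signatures this script associates with
# Code Red I, Code Red II and the eEye check, and prints the distinct client
# IPs that made those requests.
#
# NOTE(review): the request line in an IIS log is written by whoever sent the
# request, so everything after the client-IP column is untrusted input. Only a
# strictly validated dotted-quad is ever stored or printed below.
use strict;
use warnings;

# Defined Variables

# Location of IIS Logs
my $loglocation = '\\\\IISServer\\Admin$\\System32\\LogFiles\\w3svc1\\';

# Number Of The Char where the IP Starts.
# example
# 12:55:39 200.168.146.167 GET /default.ida 500
# 0123456789
# The Starting Char is 9 :)
# NOTE(review): this offset assumes the log lines begin with an 8-character
# time field followed by the client IP, as in the example above - confirm
# against the fields actually enabled for this site's logging.
my $ipstartnumber = '9';

# Counters start at 0 so the summary prints a number even when nothing matched.
my $coderedcount = 0;
my $coderedone   = 0;
my $coderedtwo   = 0;
my $coderedeeye  = 0;
my $unparsed     = 0;

# Distinct client IPs, kept as hash keys so duplicates collapse on insert.
my %seen_ip;

opendir(my $logdir, $loglocation) or die "Unable to read IIS Logs $!\n";
my @loglisting = readdir $logdir;
closedir $logdir;

foreach my $entry (@loglisting) {
    my $UNCPathName = $loglocation . $entry;

    # readdir also returns "." and ".." (and any sub-directories); only plain
    # files can be log files.
    next unless -f $UNCPathName;

    # Three-argument open with a lexical handle; an unreadable log is reported
    # and skipped rather than silently counted as empty.
    my $logfile;
    unless (open($logfile, '<', $UNCPathName)) {
        warn "Skipping $UNCPathName: $!\n";
        next;
    }

    # Read line by line instead of slurping the whole log into memory.
    while (my $line = <$logfile>) {
        # Padding signatures are counted on every line, whether or not the
        # line also mentions default.ida. These are short fixed runs, so an
        # unrelated URL containing the same run would be counted as well.
        $coderedtwo++  if ($line =~ /XXXXXXXXXXXXX/);
        $coderedone++  if ($line =~ /NNNNNNNNNNNNN/);
        $coderedeeye++ if ($line =~ /AAAAAAAAAAAA/);

        # The dot is escaped so it only matches a literal "."; /i because IIS
        # treats URL paths case-insensitively.
        next unless $line =~ /default\.ida/i;
        $coderedcount++;

        # Take the text from the configured offset and accept it only if it
        # starts with a complete dotted-quad. A fixed-width substr would cut
        # the last digit off a 15-character address and, for short addresses,
        # pull in bytes from the request that follows.
        my $tail = length($line) > $ipstartnumber
                 ? substr($line, $ipstartnumber)
                 : '';
        if ($tail =~ /\A\s*([0-9]{1,3}(?:\.[0-9]{1,3}){3})(?![0-9])/) {
            $seen_ip{$1} = 1;
        }
        else {
            $unparsed++;
        }
    }

    close $logfile;
}

# Same ordering as before: plain string sort of the addresses.
my @UniqueIPs = sort keys %seen_ip;

# Count every distinct address, including the first one.
my $ipcount = scalar @UniqueIPs;

print "Total Code Red Queries: $coderedcount\nTotal Code Red I Queries: $coderedone\nTotal Code Red II Queries: $coderedtwo\n";
print "Total Code Red Eeye Checks: $coderedeeye\n";
print "Total Unique IPs: $ipcount\n";

foreach my $ip (@UniqueIPs) {
    print "$ip\n";
}

# Diagnostics go to STDERR so the report on STDOUT keeps its original layout.
warn "default.ida lines with no parsable client IP at offset $ipstartnumber: $unparsed\n"
    if $unparsed;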