These were bugs that were fixed years ago, but some people still haven't patched their systems against them. The tell-tale sign of Nimda/Code Red trying to get into your system is a string like C:\winnt\system32\cmd.exe showing up a lot in your error logs. This snippet searches your log for "cmd.exe" and adds the offender's IP address to a hash. This snippet is in use at http://www.wumpus-cave.net/idiots.cgi.
Edited: 16 Jun 2003, by footpad: Fixed Nimda spelling errors.
use strict;
use warnings;
use constant ERR_LOG => '/var/log/httpd-error.log';

# Scan the Apache error log for Nimda/Code Red probes (requests for cmd.exe)
# and return a hash whose keys are the offending client IP addresses.
sub get_idiots {
    open(my $fh, '<', ERR_LOG) or die "Can't open " . ERR_LOG . ": $!\n";
    my %idiots;
    while (my $line = <$fh>) {
        next unless $line =~ /cmd\.exe/;
        chomp $line;
        # Record an address only when this line actually carries a
        # "[client a.b.c.d]" tag; otherwise $1 would still hold the
        # address from an earlier successful match.
        if ($line =~ /\[client ([^\]]+)\]/) {
            $idiots{$1} = 1;
        }
    }
    close($fh);
    return %idiots;
}
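As an added example (not code from the original post), here is the same check run over a few constructed Apache 1.3/2.0-style error-log lines instead of a live file, counting probes per client rather than just recording presence, and keeping a separate tally for a matching line that carries no [client ...] tag so it is never attributed to the previous line's address. The sample lines and the count_probes name are made up for this illustration.

```perl
use strict;
use warnings;

# Constructed sample error-log lines (Apache 1.3 / 2.0 format); they are
# not taken from a real log. The last line is constructed to exercise the
# "matches cmd.exe but has no [client ...] tag" case.
my @sample_lines = (
    '[Mon Jun 16 10:00:01 2003] [error] [client 192.0.2.10] File does not exist: /var/www/scripts/..%255c../winnt/system32/cmd.exe',
    '[Mon Jun 16 10:00:02 2003] [error] [client 192.0.2.10] File does not exist: /var/www/c/winnt/system32/cmd.exe',
    '[Mon Jun 16 10:00:03 2003] [error] [client 198.51.100.7] File does not exist: /var/www/d/winnt/system32/cmd.exe',
    '[Mon Jun 16 10:00:04 2003] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico',
    '[Mon Jun 16 10:00:05 2003] [notice] request for cmd.exe logged without a client tag',
);

# Count cmd.exe probes per client address. Returns a hash reference of
# address => hit count plus the number of matching lines that had no
# "[client ...]" tag and therefore could not be attributed.
sub count_probes {
    my @lines = @_;
    my (%hits, $untagged);
    $untagged = 0;
    for my $line (@lines) {
        next unless $line =~ /cmd\.exe/i;
        if ($line =~ /\[client ([^\]]+)\]/) {
            $hits{$1}++;
        } else {
            $untagged++;
        }
    }
    return (\%hits, $untagged);
}

my ($hits, $untagged) = count_probes(@sample_lines);

# Most active offenders first, ties broken by address.
for my $ip (sort { $hits->{$b} <=> $hits->{$a} || $a cmp $b } keys %$hits) {
    printf "%-16s %d\n", $ip, $hits->{$ip};
}
print "lines matching cmd.exe without a client tag: $untagged\n";
```

On this input 192.0.2.10 is reported with two probes, 198.51.100.7 with one, the favicon line is ignored, and the tagless line lands in the separate counter. One caveat if you run this against a newer server: Apache 2.4 writes the tag as [client a.b.c.d:port], so the captured value will include the port unless you strip it before using it as a key.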