Quickly written perl script to check your IIS Server logs for Code Red activity. It'll return how many requests are from Code Red I, Code Red II and how many scans used the eEye security vulnerability scanner, as well as the number of unique IPs that scanned you, including a full listing.
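# D:\Perl\Bin\Perl.exe
# Script to check IIS Logs for Code Red Default.ida requests
#
# Reads every regular file under $loglocation, counts the log lines that carry
# a Code Red I / Code Red II / eEye-scanner signature, counts every
# /default.ida request, and prints the sorted list of unique source IPs that
# issued one.
use strict;
use warnings;

# Defined Variables
# Location of IIS Logs. UNC path; keep the trailing backslash, the file name is
# appended to it verbatim below. Reading logs only needs read access to the
# share, so prefer a read-only account over an administrative one.
my $loglocation = '\\\\IISServer\\Admin$\\System32\\LogFiles\\w3svc1\\';

# The source IP is taken from the log line by matching an IPv4 dotted quad,
# e.g.
#   12:55:39 200.168.146.167 GET /default.ida 500
# rather than cutting a fixed 14-character window at column 9: the window
# broke on short addresses (1.2.3.4 left "/d" behind after stripping letters)
# and on logs whose IIS field layout differs from the example.
my $ip_re = qr/\b(\d{1,3}(?:\.\d{1,3}){3})\b/;

# Signature counters. Initialised to 0 so a log set with no hits prints "0"
# instead of an empty value. The padding strings are the original
# signatures: N for Code Red I, X for Code Red II, A for the eEye scanner.
my $coderedone   = 0;
my $coderedtwo   = 0;
my $coderedeeye  = 0;
my $coderedcount = 0;   # every /default.ida request, whatever the payload
my %seen_ip;            # source IP => number of /default.ida requests from it

opendir(my $dh, $loglocation) or die "Unable to read IIS Logs $!\n";
my @loglisting = readdir $dh;
closedir $dh;

LOGFILE:
foreach my $name (@loglisting) {
    my $UNCPathName = $loglocation . $name;
    # readdir also returns '.' and '..'; only plain files can be logs.
    next LOGFILE unless -f $UNCPathName;
    # Three-argument open with a lexical handle: the original two-argument
    # open let a file name that starts with '>' or ends in '|' change the
    # open mode or run a command, and its failure was never checked.
    open(my $logfile, '<', $UNCPathName) or do {
        warn "Unable to open $UNCPathName: $!\n";
        next LOGFILE;
    };
    # Stream the file line by line instead of slurping it into an array;
    # IIS logs can be large.
    while (my $line = <$logfile>) {
        $coderedtwo++  if $line =~ /XXXXXXXXXXXXX/;
        $coderedone++  if $line =~ /NNNNNNNNNNNNN/;
        $coderedeeye++ if $line =~ /AAAAAAAAAAAA/;
        # Escaped dot: the original /default.ida/ also matched "defaultXida".
        next unless $line =~ /default\.ida/;
        $coderedcount++;
        # A line without a dotted quad is counted above but yields no IP.
        if ($line =~ $ip_re) {
            $seen_ip{$1}++;
        }
    }
    close $logfile;
}

# Unique IPs come straight from the hash keys. The original array walk
# pushed $IPs[0] without counting it, so "Total Unique IPs" was one too low
# (and it listed an empty entry when no IP was seen at all).
my @UniqueIPs = sort keys %seen_ip;
my $ipcount   = scalar @UniqueIPs;

print "Total Code Red Queries: $coderedcount\n";
print "Total Code Red I Queries: $coderedone\n";
print "Total Code Red II Queries: $coderedtwo\n";
print "Total Code Red Eeye Checks: $coderedeeye\n";
print "Total Unique IPs: $ipcount\n";
foreach my $ip (@UniqueIPs) {
    print "$ip\n";
}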