Hello,

On Wed, 16 Sep 2009, Chuck Payne wrote:
> Guys,
>
> I've been doing a search on the net for common log errors that show attacks. I am working on a script to pull information from my logs to check for attacks; here are three I got. Does anyone know where I can find more, or can you recommend a string for me to search for?
> "for SSH attacks"; `grep 'Invalid user' /var/log/messages | awk
> '{ print $10 }' | grep '[0-9]' | sort | uniq` ;

awk '/Invalid user/ && $10 ~ /[0-9]/ { print $10; }' /var/log/messages | sort -u

> "for Pop attacks..."; `grep "\-ERR \[AUTH\]" /var/log/mail | awk '{
> print $9 }' | sed 's/(//g' | sed 's/)://g' | sort | uniq`

awk '/-ERR \[AUTH\]/ { gsub(/\(/, "", $9); gsub(/\):/, "", $9); print $9; }' /var/log/mail | sort -u

> "for Storm Worm"; `grep "smtpd_peer_init" /var/log/mail | awk '{
> print $8 }' | sed 's/://g' | sort -u`

awk '/smtpd_peer_init/ { gsub(":", "", $8); print $8; }' /var/log/mail | sort -u

> "for Spammer checking accounts" grep 'Recipient address rejected' mail.log |
> awk '{ print $10 }'

awk '/Recipient address rejected/ { print $10; }' mail.log

> for ftp grep -i 'no such user'
> /var/log/proftpd/proftpd.log | awk '{ print $7 }' | cut -d[ -f2 | cut -d] -f1 | sed 's/::ffff://g' |sort | uniq

awk 'BEGIN { IGNORECASE=1; } /no such user/ { $7 = gensub(/^.*\[([^]]*)\].*$/, "\\1", 1, $7); gsub("::ffff:", "", $7); print $7; }' /var/log/proftpd/proftpd.log | sort -u

or even easier:

awk 'BEGIN { IGNORECASE=1; FS="[][ ]"; } /no such user/ { gsub("::ffff:", "", $10); print $10; }' /var/log/proftpd/proftpd.log | sort -u

HTH,
-dnh

-- 
Bug: An elusive creature living in a program that makes it incorrect. The activity of "debugging," or removing bugs from a program, ends when people get tired of doing it, not when the bugs are removed.
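As an added example (not code from the thread), the single-awk-pass approach from the reply applied to all four log patterns at once, counting hits per source address and pulling the IP out with a regex instead of a fixed field number. The sample lines and their layout are constructed assumptions, and only POSIX awk is used so it does not depend on gawk.

```shell
#!/bin/sh
# Added example, not from the thread. Sample log lines are constructed in the
# syslog-style formats the one-liners above target; exact layouts are assumptions.
SAMPLE_LOG='Sep 16 10:00:01 mx sshd[1234]: Invalid user admin from 192.0.2.10
Sep 16 10:00:02 mx sshd[1235]: Invalid user oracle from 192.0.2.10
Sep 16 10:00:03 mx postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown
Sep 16 10:00:04 mx proftpd[3456] mx (unknown[::ffff:203.0.113.5]): USER bob: no such user found
Sep 16 10:00:05 mx pop3d[4567]: -ERR [AUTH] Authentication failed. (unknown[198.51.100.9]):
Sep 16 10:00:06 mx sshd[1236]: Accepted publickey for chuck from 192.0.2.20 port 5555 ssh2'

# One awk pass over stdin: classify each failed-auth line and count hits per
# source IP. The IP is found by regex rather than by a fixed field number, so
# lines with extra or missing words still parse. Prints "kind ip count".
failed_auth_sources() {
  awk '
    # First IPv4 address in s, with the ::ffff: v4-mapped prefix removed.
    function first_ip(s) {
      gsub(/::ffff:/, "", s)
      if (match(s, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
        return substr(s, RSTART, RLENGTH)
      return ""
    }
    /Invalid user/                 { kind = "ssh" }
    /-ERR \[AUTH\]/                { kind = "pop" }
    /Recipient address rejected/   { kind = "smtp" }
    tolower($0) ~ /no such user/   { kind = "ftp" }
    kind != "" {
      ip = first_ip($0)
      if (ip != "") count[kind " " ip]++
      kind = ""                      # reset for the next record
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Stand-alone run on the constructed sample; feed a real log file instead in practice.
printf '%s\n' "$SAMPLE_LOG" | failed_auth_sources
```

Lines that match none of the patterns (the successful "Accepted publickey" login above) are ignored, so the output is only the failed-auth sources and how often each appeared.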