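#!/bin/bash
# checklogs.bash - parse the Samba logs of an SMB "lure" host for file
# names and share requests that are characteristic of known worms and
# mass-mailers. Every hit is appended to an alert log, which is mailed
# once per run (meant to be run hourly from cron); the Samba logs that
# produced hits are then archived and the remaining logs are removed.
#
# Written by Paul Schmehl - 6/10/2002
# Tweaked and maintained by Russ Cluett
#
# Fixes over the previous revision:
#   * the MuMu counters were written to $Mumu but reported from $MuMu,
#     so every MuMu line showed an empty count;
#   * `${user:=unknown}` stood on a line of its own, which made bash
#     EXECUTE the session-setup user name taken from the log as a
#     command - i.e. an attacker could pick a user name to run commands
#     on the lure host. It is now `: "${user:=unknown}"`;
#   * signatures are matched as literal strings (grep -F), so '.' no
#     longer matches any character and 'c$' is the share name, not an
#     end-of-line anchor;
#   * all expansions are quoted and the script fails loudly instead of
#     carrying on after a failed command.
set -euo pipefail

# --- site configuration ---------------------------------------------------
readonly logdir=/usr/local/samba/logs
readonly backupdir=/usr/local/samba/logs/backup
readonly alerts=/home/alert.log
readonly recipient=yourmailbox@company.com   # analyst mailbox - change me
readonly mail_subject="SMB Lure Logs"

# --- signatures ------------------------------------------------------------
# "Label|string". Each string is matched case-insensitively as a literal
# (grep -F), so '.', '$', '(' and '+' are ordinary characters here.
# Several entries overlap on purpose (e.g. Elkern's ".exe read=Yes
# write=Yes" is a superset of the Opaserv/Acebot strings) and each
# produces its own line in the report; exact duplicates were removed.
signatures=(
  "Funlove|find service ntldr"
  "Opaserv|instit.bat read=yes write=yes"
  "Nimda|.eml read=No write=Yes"
  "Nimda a|.eml failed"
  "Qaz|NOTE.COM"
  "Sircam|RECYCLED/SIRC32.EXE"
  "Klez|size 4 would overrun buffer"
  "Klez a|.rar read=Yes write=Yes"
  "Elkern|.exe read=Yes write=Yes"
  # The earlier revision wrote this as "\$c" inside backticks, which
  # expanded an unset variable and left only "couldn't find service "
  # (matching every unknown-share request). The literal "$c" is kept
  # here; the share a worm asks for is more likely "c$", which the sobig
  # entry below already covers - TODO confirm and drop if redundant.
  "BugBear|couldn't find service \$c"
  "BugBearB|winzip32.exe failed"
  "BugBearB|kazaa.exe failed"
  "BugBearB|Icq.exe failed"
  "BugBearB|DAP.exe failed"
  "BugBearB|winamp.exe failed"
  "BugBearB|aim.exe failed"
  "Opaserv|scrsvr.exe read=Yes write=Yes"
  "Opaserv|brasil.exe read=Yes write=Yes"
  "Opaserv|brasil.pif.exe read=Yes write=Yes"
  "Opaserv|alevir.exe read=Yes write=Yes"
  "Opaserv|marco!.scr read=Yes write=Yes"
  "Opaserv|puta!!.exe read=Yes write=Yes"
  "Opaserv|srv32.exe read=Yes write=Yes"
  "Opaserv|mstask.exe.exe read=Yes write=Yes"
  "Opaserv|mqbkup.exe read=Yes write=Yes"
  "Acebot (mssg)|mssg.exe read=Yes write=Yes"
  "Acebot (tssg)|tssg.exe read=Yes write=Yes"
  "Acebot (ffen)|ffen.exe read=Yes write=Yes"
  "Ultimax (rdvs)|rdvs.exe read=Yes write=Yes"
  "Ultimax (rrddvvss)|rrddvvss.exe read=Yes write=Yes"
  # Samba refusing a permission change on the lure share.
  "CHMOD|(Operation not permitted)"
  "Explore_Zip|_setup.exe"
  "sobig|Movie_0074.mpeg.pif"
  "sobig|Document003.pif"
  "sobig|Untitledl.pif"
  "sobig|Sample.pif"
  "sobig|couldn't find service c\$"
  "sobig|details.pif"
  "sobig|45443.pif"
  "sobig|application.pi"
  "sobig|approved.pi"
  "sobig|document.pif"
  "sobig|documents.pif"
  "sobig|movie.pif"
  "sobig|screensaver.sc"
  "sobig|submited.pif"
  # Anything dropped into a Startup folder; the first string is a
  # special case of the second and is reported separately.
  "UnidentifiedWorm|Documents and Settings/All Users/Start Menu/Programs/Startup"
  "UnidentifiedWorm|/Start Menu/Programs/Startup"
  "LovGate|stg.exe"
  "LovGate|hamster.exe read=No write=Yes"
  "LovGate|SETUP.EXE read=No write=Yes"
  "LovGate|midsong.exe read=No write=Yes"
  "LovGate|PsPGame.exe read=No write=Yes"
  "LovGate|images.exe read=No write=Yes"
  "LovGate|tamagotxi.exe read=No write=Yes"
  "LovGate|news_doc.exe read=No write=Yes"
  "LovGate|docs.exe read=No write=Yes"
  "LovGate|humor.exe read=No write=Yes"
  "LovGate|billgt.exe read=No write=Yes"
  "LovGate|fun.exe read=No write=Yes"
  "LovGate|searchURL.exe read=No write=Yes"
  "LovGate|s3msong.exe read=No write=Yes"
  "LovGate|Card.EXE read=No write=Yes"
  "LovGate|joke.exe read=No write=Yes"
  "LovGate|Are you looking for Love.doc.exe"
  "LovGate|The world of lovers.txt.exe"
  "LovGate|How To Hack Websites.exe"
  "LovGate|Panda Titanium Crack.zip.exe"
  "LovGate|Mafia Trainer!!!.exe"
  "LovGate|100 free essays school.pif"
  "LovGate|AN-YOU-SUCK-IT.txt.pif"
  "LovGate|Sex_For_You_Life.JPG.pif"
  "LovGate|CloneCD + crack.exe"
  "LovGate|Age of empires 2 crack.exe"
  "LovGate|MoviezChannelsInstaler.exe"
  "LovGate|Star Wars II Movie Full Downloader.exe"
  "LovGate|Winrar + crack.exe"
  "LovGate|SIMS FullDownloader.zip.exe"
  "LovGate|MSN Password Hacker and Stealer.exe"
  "Randon|PSEXESVC.EXE"
  "Deloder|inst.exe"
  "lovgate|netservices.exe"
  # Leading space is intentional: match " services.exe" but not
  # e.g. "netservices.exe".
  "Sory| services.exe"
  "Palyh|your_details.pi"
  "Palyh|ref-394755.pi"
  "Palyh|approved.pi"
  "Palyh|password.pi"
  "Palyh|doc_details.pi"
  "Palyh|screen_temp.pi"
  "Palyh|screen_doc.pi"
  "Palyh|movie28.pi"
  "Palyh|application.pi"
  "MuMu|10.bat"
  "MuMu|ipcnl.exe"
  "MuMu|hack.bat"
  "MuMu|hfind.exe"
  "MuMu|ipc.bat"
  "MuMu|muma.bat"
  "MuMu|near.bat"
  "MuMu|ntservice.bat"
  "MuMu|ntservice.exe"
  "MuMu|NTService.ini"
  "MuMu|nwiz.exe"
  "MuMu|nwiz.in_"
  "MuMu|nwiz.ini"
  "MuMu|ipcpass.txt"
  "MuMu|tihuan.txt"
  "MuMu|random.bat"
  "MuMu|replace.bat"
  "MuMu|kvfind.exe"
  "MuMu|bboy.exe"
  "MuMu|mumu.exe"
  "Slanper|MSMSGRI.EXE"
  "Sluter|msslut32.exe"
  "Possibly_SobigE|couldn't find service e"
)
readonly signatures

#######################################
# Count the hits of every signature in one Samba log.
# Globals:   signatures (read), alerts (appended)
# Arguments: $1 - path to the log file
# Outputs:   one "Label hits = N." line per matching signature in $alerts
# Returns:   0 if at least one signature matched, 1 otherwise
#######################################
scan_log() {
  local log=$1
  local entry label pattern count matched=0
  for entry in "${signatures[@]}"; do
    label=${entry%%|*}
    pattern=${entry#*|}
    # grep -c prints the count and exits 1 when it is 0 (2 on error);
    # neither may abort the run, so normalise the result to a number.
    count=$(grep -ciF -- "$pattern" "$log") || count=${count:-0}
    if [[ "$count" -gt 0 ]]; then
      printf '%s hits = %s.\n' "$label" "$count" >> "$alerts"
      matched=1
    fi
  done
  (( matched ))
}

#######################################
# Append who/where information for a log that produced hits.
# Globals:   alerts (appended)
# Arguments: $1 - path to the log file
#######################################
report_context() {
  local log=$1
  local client ip user
  # Per-client logs are assumed to be named <client>.log (Samba
  # "log file = .../%m.log"), so the basename is the NetBIOS name of the
  # infected client - TODO confirm against smb.conf.
  client=$(basename -- "$log" .log)
  # Lines mentioning the client name carry its address in parentheses.
  # Under pipefail a non-matching grep fails the pipeline; tolerate it.
  ip=$(grep -F -e "$client " -- "$log" | cut -d'(' -f2 | cut -d')' -f1 | sort -u) || true
  # Last session-setup user name. This is attacker-chosen data from the
  # wire: only ever print it, never let the shell execute or eval it.
  user=$(grep -- "sesssetupX:name=" "$log" | cut -d'[' -f2 | cut -d']' -f1 | tail -n1) || true
  : "${user:=unknown}"
  {
    printf 'Log name is %s\n' "$log"
    printf 'Hostname is: %s\n' "$client"
    printf 'IP is: %s\n' "$ip"
    printf 'User logged in was %s\n' "$user"
    printf '\n'
  } >> "$alerts"
}

#######################################
# Scan every Samba log, mail the report, archive and clean up.
# Globals:   logdir, backupdir, alerts, recipient, mail_subject
# Arguments: none
#######################################
main() {
  local log
  local -a logs archived leftovers
  shopt -s nullglob
  logs=("$logdir"/*.log)

  # The alert log accumulates across runs: if an earlier run died before
  # mailing (e.g. mail failed), its findings go out with this run.
  touch -- "$alerts"

  for log in "${logs[@]}"; do
    [[ -f "$log" ]] || continue
    chmod 770 -- "$log" || printf 'warning: chmod 770 %s failed\n' "$log" >&2
    if scan_log "$log"; then
      report_context "$log"
    fi
  done

  # Mail the report and archive the logs only when something was found.
  # NOTE: logs with no hits are deleted below without being archived
  # (previous behaviour, presumably to save space on the lure host). If
  # they are needed for forensics, move them to $backupdir unconditionally.
  if [[ -s "$alerts" ]]; then
    mail -s "$mail_subject" "$recipient" < "$alerts"
    for log in "${logs[@]}"; do
      mv -f -- "$log" "$backupdir"/
    done
  fi

  # Housekeeping.
  leftovers=("$logdir"/*.log)
  if (( ${#leftovers[@]} > 0 )); then
    rm -f -- "${leftovers[@]}"
  fi
  archived=("$backupdir"/*)
  if (( ${#archived[@]} > 0 )); then
    chmod 770 -- "${archived[@]}"
  fi
  rm -f -- "$alerts"
}

main "$@"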