#!/bin/sh

# checklogs.sh - a shell script for parsing the Samba logs
# looking for worm or virus activity.  If found, it's written 
# to a log that is emailed to me hourly.
# Written by Paul Schmehl - 6/10/2002

# set some variables

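# Unquoted on purpose: the glob is expanded where $sambalogs is used
# (the for-loop below), not here.  It also matches the backup/
# directory, so consumers must test for regular files.
sambalogs=/usr/local/samba/logs/*
alerts=/home/alert.txt
# The alert file must exist before the ">>" appends below; bail out if
# it cannot be created instead of silently losing every finding.
touch "$alerts" || exit 1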

# loop through each log looking for worms and viruses
# and write to the alert.log if any are found

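# count_hits NAME PATTERN [GREPFLAG]
#   Case-insensitively count the lines of the current $log that match
#   PATTERN (a basic regex, or an extended one when GREPFLAG is -E).
#   When grep reports at least one match, append "NAME hits = N." to
#   $alerts and bump $counter.  A grep error (unreadable file) records
#   nothing, exactly like the original per-pattern "$? == 0" checks.
# Globals: log (read), alerts (read), counter (read/written)
count_hits() {
  # POSIX sh has no 'local'; the underscore prefix only marks these as
  # helper-private by convention.
  _name=$1
  _pattern=$2
  _flag=${3:-}
  # The pattern is always passed as data after '--'; the printf format
  # string is fixed so log-derived text can never be interpreted.
  if _hits=$(grep -ci ${_flag:+"$_flag"} -- "$_pattern" "$log"); then
    printf '%s hits = %s.\n' "$_name" "$_hits" >> "$alerts"
    counter=$((counter + 1))
  fi
}

for log in $sambalogs
do
  # "[ -f ]" with no operand is always true; the glob also yields the
  # backup/ directory, so the operand is required to skip it.
  if [ -f "$log" ]; then
    chmod 770 "$log"
    counter=0
    count_hits Funlove   'find service ntldr'
    count_hits Nimda     '\.eml read=No write=Yes'
    count_hits 'Nimda a' '\.eml failed'
    count_hits Qaz       NOTE.COM
    count_hits Sircam    'RECYCLED/SIRC32.EXE'
    count_hits Klez      'size 4 would overrun buffer'
    count_hits 'Klez a'  '\.rar read=Yes write=Yes'
    count_hits Bugbear   "couldn't find service [$]c"
    count_hits Sobig     "couldn't find service .[$]"
    count_hits Sobig     'Movie_0074.mpeg.pif|Document003.pif|Untitled1.pif|Sample.pif' -E
    count_hits Opaserv   'scrsvr.exe read=Yes write=Yes'
    count_hits Opaserv   'brasil.exe read=Yes write=Yes'
    count_hits Opaserv   'basil.pif read=Yes write=Yes'
    count_hits Opaserv   'alevir.exe read=Yes write=Yes'
    count_hits Opaserv   'marco\!.scr read=Yes write=Yes'
    count_hits Opaserv   'puta\!\!.exe read=Yes write=Yes'
    count_hits Opaserv   'SRV32.EXE read=Yes write=Yes'
    count_hits Opaserv   'mstask.exe read=Yes write=Yes'
    count_hits Opaserv   'mqbkup.exe read=Yes write=Yes'
    count_hits Lovegate  'SETUP.EXE|midsong.exe|PsPGame.exe|Hamster.exe|images.exe' -E
    count_hits Lovegate  'tamagotxi.exe|news_doc.exe|docs.exe|humor.exe|billgt.exe' -E
    count_hits Lovegate  'fun.exe|searchURL.exe|s3msong.exe|Card.exe|joke.exe' -E
    count_hits Elkern    '\.exe read=Yes write=Yes'
    count_hits CHMOD     '(Operation not permitted)'
    # Something matched: record where it came from.  Hostname, IP and
    # user are taken from the log file name and contents, i.e. from
    # data the SMB client influenced, and are written out as text only.
    if [ "$counter" -gt 0 ]; then
      printf 'Log name is: %s\n' "$log" >> "$alerts"
      started=$(awk '/\[20/{print $1" "$2}' "$log" | head -n1 | cut -d'[' -f2 | cut -d',' -f1)
      printf 'Log started at %s\n' "$started" >> "$alerts"
      hostname=$(basename "$log" .log)
      printf 'Hostname is: %s\n' "$hostname" >> "$alerts"
      # Several distinct addresses are joined on one line, as the old
      # unquoted echo did.
      IP=$(grep -e "$hostname " -- "$log" | cut -d'(' -f2 | cut -d')' -f1 | sort -u | paste -s -d ' ' -)
      # The leading ':' matters: a bare ${IP:=unknown} assigns the
      # default and then executes the resulting log-derived value as a
      # command.
      : "${IP:=unknown}"
      printf 'IP is: %s\n' "$IP" >> "$alerts"
      user=$(grep -- "sesssetupX:name=" "$log" | cut -d'[' -f2 | cut -d']' -f1 | tail -n1)
      : "${user:=unknown}"
      printf 'User logged in was %s\n' "$user" >> "$alerts"
      printf '\n' >> "$alerts"
    fi
  fi
done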

# mail the alert.log if there's anything in it and
# move the samba logs to the backup directory

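if [ -s "$alerts" ]; then
  mailx -s "SMB Lure Logs" root < "$alerts"
  # Rotate the logs only when the chdir succeeded; an unchecked cd lets
  # 'mv' act on *.log in whatever directory the script was started from.
  # '--' stops a log whose name begins with '-' from being read as an
  # option (log names are derived from client names).
  if cd /usr/local/samba/logs; then
    mv -f -- *.log backup/
  else
    printf '%s: cannot cd to /usr/local/samba/logs; logs not rotated\n' "${0##*/}" >&2
  fi
fi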

# do some "maintenance"

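# Relax the mode on the rotated copies.  Looping with an existence test
# keeps an empty backup/ directory quiet instead of letting chmod
# complain about the literal, unexpanded glob.
for backed in /usr/local/samba/logs/backup/*; do
  [ -e "$backed" ] && chmod 660 "$backed"
done
rm -f -- "$alerts"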

