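#!/usr/bin/perl
# by PJ
# Purpose: To find the Code Red worm infected hosts in your http log file
# and send report to SecurityFocus.com for them to notify.
#
# Download and rename this file to CRW.pl
# change permissions to 755 [chmod 755 CRW.pl]
#
# You can set this as a cron to run daily if you wish.
# 57 23 * * * /usr/scripts_location/CRW.pl
# will run 3 minutes before the end of the day to read that current days logs.
#
# Version 1.0b : 8-06-01
#
use strict;
use warnings;

#--values: Edit as needed--#
my $email    = 'aris-report@securityfocus.com';      #-securityfocus email.
my $you      = 'you@domain.com';                     #-your email address
my $log      = '/usr/local/apache/logs/access_log';  #-your web server access log.
my $sendmail = '/usr/sbin/sendmail';                 #-sendmail binary location.

#--[ No Need to Edit Below ]--#

# Month abbreviations as Apache writes them in the access log timestamp
# (e.g. "[06/Aug/2001:23:57:00 -0700]"), indexed by localtime's month number.
my @MONTH_ABBR = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);

#--help--#
# Checked before anything else so "-h" is never treated as a day number.
if (defined $ARGV[0] && $ARGV[0] =~ /-h/i) {
    print "Usage: $0 [day of month]\n";
    print " $0 5\n";
    print " Or no day, default is todays date.\n\n";
    exit;
}

#--date--#
my ($mday, $mon, $year) = (localtime)[3, 4, 5];
$year += 1900;

# Day of month: from the command line if given, otherwise today.  The value
# is validated and re-created from the regex capture so that nothing taken
# from @ARGV reaches the log pattern (or anything else) unchecked.
my $day = $mday;
if (@ARGV && $ARGV[0] ne '') {
    if ($ARGV[0] =~ /\A\s*(\d{1,2})\s*\z/ && $1 >= 1 && $1 <= 31) {
        $day = $1;
    }
    else {
        die "Invalid day of month '$ARGV[0]' (expected 1-31)\n";
    }
}

# Apache writes the day zero-padded, so pad it here as well and anchor on the
# opening bracket of the timestamp: a bare "6/Aug/2001" substring would also
# match the 16th and the 26th.
my $today    = sprintf '%02d/%s/%d', $day, $MONTH_ABBR[$mon], $year;
my $today_re = qr/\[\Q$today\E:/;

#--search log file and parse out needed data--#
my $body = "Here are IP addresses that are trying to infect me with the Code Red Worm.\n";
$body .= "\tDelimiter is a double pipe ||\n\n";

# The log is read directly instead of being piped through grep: no shell is
# involved, so the log path and the day value are never re-interpreted by one.
open my $log_fh, '<', $log or die "Cannot open $log: $!\n";
while (my $line = <$log_fh>) {
    chomp $line;
    # Code Red probes request /default.ida? followed by the overflow payload.
    next unless $line =~ m{/default\.ida\?};
    next unless $line =~ $today_re;
    my @crw = split /\s+/, $line;
    # Field 4 of the common log format is the timestamp, "[06/Aug/2001:23:57:00";
    # the leading bracket is stripped before reporting.
    next unless defined $crw[3];
    $crw[3] =~ s/\[//g;
    $body .= "$crw[0]||$crw[3]\n";
}
close $log_fh;

#--email data out--#
# List-form open runs sendmail directly rather than through a shell, and the
# result of close is checked because a failed delivery only surfaces there.
open my $mail_fh, '|-', $sendmail, '-t' or die "Cannot run $sendmail: $!\n";
print {$mail_fh} "To: $email\n";
print {$mail_fh} "From: $you\n";
print {$mail_fh} "Subject: Code Red Worm IPs\n\n";
print {$mail_fh} "$body\n";
close $mail_fh
    or die "sendmail failed: " . ($! ? $! : "exit status " . ($? >> 8)) . "\n";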