Began the aslookup rewrite - see aslookup-new. aslookup is being rewritten to make use of Net::IRR as opposed to Net::WHOIS::RIPE, hopefully resulting in better stability.

Matthew Connelly 2014-02-02 08:03:08 +00:00
parent cdfb1a9034
commit 4f92c7a80d
2 changed files with 106 additions and 0 deletions

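--- a/abused
+++ b/abused
@@ -0,0 +1,52 @@
+#!/bin/bash
+#Binaries
+LOGGER_BIN=$(command -v logger)
+LOGGER_ARGS="-s -t abused"
+VZPS=0
+PS_BIN=$(command -v ps)
+VZPS_BIN=$(command -v vzps)
+if [ $? -eq 0 ]; then VZPS=1; fi
+KILL_BIN=$(command -v kill)
+PS_ARGS="aux"
+VZPS_ARGS="-E"
+#Processes to kill
+PROCS='dos2.pl stealth kaiten dos.pl exploit msfconsole ddos tfn-child tfn-daemon trinoo lool slap.pl brute pscan2 SpyEyeCollector trinity shaft vadimII vadimii vadim2 vadimI xdestroy xshock udp.pl trash trash2 synsend synk synk7 synhose stream stream2 smurf5 smurf6 smack slice2 slice3 sl2 sl3 rc8 overdrop nestea juno da.sh bloop alpha udp2.pl fiberlamp'
+#If possible, we use vzps. We fall back to standard `ps` in cases where vzps is not available (not all our servers have it)
+PSOUT=""
+if [ $VZPS -eq 1 ]; then
+PSOUT=$($VZPS_BIN $PS_ARGS $VZPS_ARGS)
+else
+PSOUT=$($PS_BIN $PS_ARGS)
+fi
+#Could probably be done better
+OUT=""
+IFSB="$IFS"
+IFSN="
+"
+PROCS=$(echo $PROCS|perl -pe 's/ /|/g')
+OUT=$(echo "$PSOUT"|egrep "$PROCS")
+IFS=$IFSN
+for proc in $OUT; do
+IFS=$IFSB
+CTID="NaN"
+PID=""
+CMDLINE=""
+if [ $VZPS -eq 1 ]; then
+CTID=$(echo "$proc"|awk '{print $1}')
+PID=$(echo "$proc"|awk '{print $3}')
+else
+PID=$(echo "$proc"|awk '{print $2}')
+fi
+CMDLINE=$(echo "$proc"|perl -pe 's/.*:.*:[0-9]+ //')
+if [ "$CTID" != "0" ]; then
+$LOGGER_BIN $LOGGER_ARGS -- Potentially abusive process \<$CMDLINE\>/$PID in CT $CTID killed! 2>>/var/log/abusers.log
+else
+$LOGGER_BIN $LOGGER_ARGS -- Found odd process running under CT 0: \<$CMDLINE\>/$PID 2>>/var/log/abusers.log
+fi
+IFS=$IFSN
+done
+IFS=$IFSB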
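Review bot: The logger call on the `"$CTID" != "0"` branch reports `Potentially abusive process ... killed!`, but nothing in the script kills anything — `KILL_BIN` is assigned at the top and never invoked — so /var/log/abusers.log will record terminations that did not happen. Either wire the kill in or make the message truthful, e.g. `-- Potentially abusive process \<$CMDLINE\>/$PID in CT $CTID detected`; if a kill is added, note that `$PID` is taken from different columns of the `vzps` and `ps` output, so confirm the vzps column is a host-side PID before signalling it. The pattern built by `PROCS=$(echo $PROCS|perl -pe 's/ /|/g')` is also looser than the list suggests: `.` is unescaped and there are no anchors, so short entries such as `alpha`, `brute`, `stream` and `trash` match any command line that merely contains them. Escaping the dots in that substitution (`s/\./\\./g; s/ /|/g`) and matching whole words, `OUT=$(echo "$PSOUT"|egrep -w "$PROCS")`, would cut the false positives considerably.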

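--- a/aslookup-new
+++ b/aslookup-new
@@ -0,0 +1,54 @@
+#!/usr/bin/env perl
+#aslookup.pl - Looks up information on a given ASN or IP address
+use strict;
+use warnings;
+use Net::IRR;
+my $default_as_server = "whois.radb.net";
+my $as_server = $default_as_server;
+our $db = Net::IRR->connect(host=>$as_server) or die "Error: Cannot connect to whois server $as_server:43";
+sub do_as_lookup {
+my $asn = shift;
+my @results = $db->match("aut-num",$asn) or return "$asn - unknown AS";
+@results = split /\n/,$results[0];
+my $asname = "";
+my $asdesc = "";
+foreach(@results) {
+$asname = $1 if /as-name:\s+(.+)$/;
+$asdesc = $1 if /descr:\s+(.+)$/;
+}
+return "$asname - $asdesc";
+}
+sub do_subnet_lookup {
+my $sub = shift;
+my $result;
+$result = $db->route_search($sub,Net::IRR::ONE_LEVEL) or die "Error: Couldn't seem to get a result for $sub.";
+my @res = split /\n/, $result;
+$result = "";
+my $descr = "";
+my $route = "";
+foreach(@res) {
+$route = $1 if /route:\s+(.+)$/;
+$result .= $1." " if /origin:\s+(AS[0-9]+)$/;
+$descr .= $1." : " if /descr:\s+(.+)$/;
+}
+$result =~ s/ +$//g;
+$descr =~ s/ : $//g;
+$sub = $route unless $db->route_search($sub,Net::IRR::EXACT_MATCH);
+return "$sub€$result€$descr";
+}
+my $target = shift || die "Please provide an ASnum or IP/subnet to look up\n";
+if($target =~ /^AS/) {
+print "$target is ".do_as_lookup $target;print "\n";
+exit
+}
+my ($s,$a,$d) = split /€/, do_subnet_lookup $target;
+print "$s, $d";
+print " (contains $target)" unless $target eq $s;
+print " is announced by $a ".do_as_lookup $a;
+print "\n";
+$db->disconnect;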
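Review bot: `$target` comes straight from `@ARGV` and is handed to `$db->match` and `$db->route_search` unvalidated; the only shape check is the `/^AS/` prefix test, so an argument such as `ASfoo`, or any arbitrary string, is still sent to the IRR server as a query, and whatever the server does not understand surfaces only as the generic `die` in `do_subnet_lookup`. An anchored check before the branch, e.g. `die "Unrecognised target '$target'\n" unless $target =~ m{\A(?:AS\d+|[\d.]+(?:/\d{1,2})?|[0-9a-f:]+(?:/\d{1,3})?)\z}i;`, keeps malformed or multi-line input off the wire and gives the operator a clearer error. Two smaller points: the bare `exit` in the AS branch skips `$db->disconnect`, and `$db` is declared `our` although nothing outside this file uses it, so `my $db` would do. The `€` used as a field separator in `do_subnet_lookup` is written without `use utf8`, so both the literal and the `split /€/` pattern are handled as raw bytes and only work by coincidence; returning a three-element list from `do_subnet_lookup` and assigning it directly to `($s,$a,$d)` removes the need for a sentinel character altogether.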