Begun aslookup rewrite - see aslookup-new. aslookup is being rewritten to make use of Net::IRR as opposed to Net::WHOIS::RIPE, hopefully resulting in better stability.
parent
cdfb1a9034
commit
4f92c7a80d
|
@ -0,0 +1,52 @@
|
|||
#!/bin/bash
|
||||
|
||||
#Binaries
|
||||
LOGGER_BIN=$(command -v logger)
|
||||
LOGGER_ARGS="-s -t abused"
|
||||
VZPS=0
|
||||
PS_BIN=$(command -v ps)
|
||||
VZPS_BIN=$(command -v vzps)
|
||||
if [ $? -eq 0 ]; then VZPS=1; fi
|
||||
KILL_BIN=$(command -v kill)
|
||||
PS_ARGS="aux"
|
||||
VZPS_ARGS="-E"
|
||||
|
||||
#Processes to kill
|
||||
PROCS='dos2.pl stealth kaiten dos.pl exploit msfconsole ddos tfn-child tfn-daemon trinoo lool slap.pl brute pscan2 SpyEyeCollector trinity shaft vadimII vadimii vadim2 vadimI xdestroy xshock udp.pl trash trash2 synsend synk synk7 synhose stream stream2 smurf5 smurf6 smack slice2 slice3 sl2 sl3 rc8 overdrop nestea juno da.sh bloop alpha udp2.pl fiberlamp'
|
||||
|
||||
#If possible, we use vzps. We fall back to standard `ps` in cases where vzps is not available (not all our servers have it)
|
||||
PSOUT=""
|
||||
if [ $VZPS -eq 1 ]; then
|
||||
PSOUT=$($VZPS_BIN $PS_ARGS $VZPS_ARGS)
|
||||
else
|
||||
PSOUT=$($PS_BIN $PS_ARGS)
|
||||
fi
|
||||
|
||||
#Could probably be done better
|
||||
OUT=""
|
||||
IFSB="$IFS"
|
||||
IFSN="
|
||||
"
|
||||
PROCS=$(echo $PROCS|perl -pe 's/ /|/g')
|
||||
OUT=$(echo "$PSOUT"|egrep "$PROCS")
|
||||
IFS=$IFSN
|
||||
for proc in $OUT; do
|
||||
IFS=$IFSB
|
||||
CTID="NaN"
|
||||
PID=""
|
||||
CMDLINE=""
|
||||
if [ $VZPS -eq 1 ]; then
|
||||
CTID=$(echo "$proc"|awk '{print $1}')
|
||||
PID=$(echo "$proc"|awk '{print $3}')
|
||||
else
|
||||
PID=$(echo "$proc"|awk '{print $2}')
|
||||
fi
|
||||
CMDLINE=$(echo "$proc"|perl -pe 's/.*:.*:[0-9]+ //')
|
||||
if [ "$CTID" != "0" ]; then
|
||||
$LOGGER_BIN $LOGGER_ARGS -- Potentially abusive process \<$CMDLINE\>/$PID in CT $CTID killed! 2>>/var/log/abusers.log
|
||||
else
|
||||
$LOGGER_BIN $LOGGER_ARGS -- Found odd process running under CT 0: \<$CMDLINE\>/$PID 2>>/var/log/abusers.log
|
||||
fi
|
||||
IFS=$IFSN
|
||||
done
|
||||
IFS=$IFSB
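Review bot: Both logger calls pass `$CMDLINE` unquoted, and that string is the command line of a process started by a container user, so the shell word-splits and glob-expands it before it reaches logger; the whole message should be quoted. The first message also says "killed!" although `KILL_BIN` is only resolved and no kill is ever issued, which leaves a false response record in /var/log/abusers.log. A line such as `$LOGGER_BIN $LOGGER_ARGS -- "Potentially abusive process <$CMDLINE>/$PID in CT $CTID detected" 2>>/var/log/abusers.log` fixes both until the kill step exists. Before that step is added, note that `egrep "$PROCS"` matches substrings anywhere in the ps line (user, arguments, paths), so entries such as `stream`, `brute` or `alpha` will also hit unrelated processes. Matching whole words against the command field only would be safer.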
|
|
@ -0,0 +1,54 @@
|
|||
#!/usr/bin/env perl
|
||||
#aslookup.pl - Looks up information on a given ASN or IP address
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
use Net::IRR;
|
||||
|
||||
my $default_as_server = "whois.radb.net";
|
||||
my $as_server = $default_as_server;
|
||||
our $db = Net::IRR->connect(host=>$as_server) or die "Error: Cannot connect to whois server $as_server:43";
|
||||
|
||||
sub do_as_lookup {
|
||||
my $asn = shift;
|
||||
my @results = $db->match("aut-num",$asn) or return "$asn - unknown AS";
|
||||
@results = split /\n/,$results[0];
|
||||
my $asname = "";
|
||||
my $asdesc = "";
|
||||
foreach(@results) {
|
||||
$asname = $1 if /as-name:\s+(.+)$/;
|
||||
$asdesc = $1 if /descr:\s+(.+)$/;
|
||||
}
|
||||
return "$asname - $asdesc";
|
||||
}
|
||||
sub do_subnet_lookup {
|
||||
my $sub = shift;
|
||||
my $result;
|
||||
$result = $db->route_search($sub,Net::IRR::ONE_LEVEL) or die "Error: Couldn't seem to get a result for $sub.";
|
||||
my @res = split /\n/, $result;
|
||||
$result = "";
|
||||
my $descr = "";
|
||||
my $route = "";
|
||||
foreach(@res) {
|
||||
$route = $1 if /route:\s+(.+)$/;
|
||||
$result .= $1." " if /origin:\s+(AS[0-9]+)$/;
|
||||
$descr .= $1." : " if /descr:\s+(.+)$/;
|
||||
}
|
||||
$result =~ s/ +$//g;
|
||||
$descr =~ s/ : $//g;
|
||||
$sub = $route unless $db->route_search($sub,Net::IRR::EXACT_MATCH);
|
||||
return "$sub€$result€$descr";
|
||||
}
|
||||
|
||||
my $target = shift || die "Please provide an ASnum or IP/subnet to look up\n";
|
||||
|
||||
if($target =~ /^AS/) {
|
||||
print "$target is ".do_as_lookup $target;print "\n";
|
||||
exit
|
||||
}
|
||||
my ($s,$a,$d) = split /€/, do_subnet_lookup $target;
|
||||
print "$s, $d";
|
||||
print " (contains $target)" unless $target eq $s;
|
||||
print " is announced by $a ".do_as_lookup $a;
|
||||
print "\n";
|
||||
$db->disconnect;
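Review bot: `$target` is only tested with `/^AS/`, which does not anchor the end, and anything else is handed to `route_search` as is, so arbitrary argument text (including embedded newlines) is forwarded to the whois server. Net::IRR presumably builds a line-oriented query from it, which would make this a query-injection path if the script is ever fed from a bot or web form. Validate both shapes up front, e.g. `if ($target =~ /\AAS[0-9]+\z/) {` for the ASN branch and `die "Not an ASN or IP/prefix\n" unless $target =~ m{\A[0-9A-Fa-f:.]+(?:/[0-9]{1,3})?\z};` before the subnet lookup. Separately, `do_subnet_lookup` joins every `origin:` it sees with spaces and the whole string is passed to `do_as_lookup $a`, so a prefix with several origins will be reported as an unknown AS. The `exit` in the AS branch also skips `$db->disconnect`.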
|