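#!/usr/bin/perl
#
# abuse.pl - daily abuse reporter for Prelude Hybrid IDS (http://prelude-ids.org)
#
# Reads today's high-severity alerts from the Prelude database, records each
# attacking source address once per day in the 'whois' table, looks up the
# abuse contact of every address recorded today via WHOIS and mails that
# contact a canned message ($file). Only high-severity alerts are reported.
#
# Original code by Ph03n1X http://kandangjamur.net || king_purb@yahoo.co.uk
# Personal research: http://ao.openlsd.net
#
# Usage : perl abuse.pl
# Cron this script once a day at the end of the day, e.g. 23:30:
#   30 23 * * * /bin/abuse.pl
#
# Security notes (review):
#  * Every value fed to SQL is bound through a DBI placeholder. Source
#    addresses come from sensor data and must never be interpolated into
#    query text (the previous version built every query by string
#    interpolation).
#  * The recipient address comes from a third-party WHOIS answer, i.e. it is
#    attacker-influenced. It is validated against a strict pattern and handed
#    to mail(1) as a single argv element via list-form open - never through a
#    shell. The previous `system("cat ...|mail -s $subject $mail")` was a
#    remote command injection: any WHOIS record containing `;`, `|`, `$(...)`
#    or backticks in its e-mail field would have been executed as root-owned
#    cron.
#  * Database credentials are still hard-coded below; keep this file mode
#    0700 and use a dedicated low-privilege MySQL account rather than root.

use strict;
use warnings;

use DBI;                                  # cpan DBI + DBD::mysql (replaces the obsolete Mysql.pm emulation)
use Net::Whois::IP qw(whoisip_query);     # cpan Net::Whois::IP

# ---- Configuration ----------------------------------------------------------
# Only MySQL is implemented; the planned PostgreSQL switch ($dbtype) never landed.
my $msgtype   = 1;                        # 1: send with local mail(1)   2: hand off to a relay host (see below)
my $host      = 'localhost';
my $databasew = 'whois';                  # our bookkeeping DB (schema at the end of this file)
my $databasep = 'prelude';                # prelude-manager's IDMEF database
my $user      = 'root';                   # SECURITY: use a least-privilege account, not root
my $pwd       = 'root31337';              # SECURITY: move to ~/.my.cnf (mode 0600) or an environment variable
my $file      = '/home/zeus/msg.txt';     # body of the abuse e-mail
my $subject   = 'Abuse from UGM - attack detection from your IP address';   # no trailing newline: it is an argv element
my $relay_url = 'http://outsidehost.net/mail.php';   # only used when $msgtype == 2

# Recipient addresses are untrusted (WHOIS output); accept only a plain
# local@domain.tld shape so nothing that looks like an option (leading '-')
# or a shell/header metacharacter ever reaches mail(1).
my $mail_re = qr/\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/;

# ---- Database connections ---------------------------------------------------
my %dbopt = ( RaiseError => 1, PrintError => 0, AutoCommit => 1 );
my $dbd = DBI->connect( "DBI:mysql:database=$databasep;host=$host", $user, $pwd, \%dbopt );
my $dbh = DBI->connect( "DBI:mysql:database=$databasew;host=$host", $user, $pwd, \%dbopt );

# ---- Phase 1: collect today's high-severity source addresses ---------------
# Today's date is taken from the database clock so it agrees with the
# CURDATE() used on the whois table below.
my ($today) = $dbd->selectrow_array('SELECT CURDATE()');

# One row per (high-severity impact, detect-time) pair for today - the same
# row set the original nested loops produced. The LIKE on the time column
# reproduces the original match; the pattern is bound, not interpolated.
my $sth_alerts = $dbd->prepare(
      'SELECT i._message_ident'
    . '  FROM Prelude_Impact i'
    . '  JOIN Prelude_DetectTime d ON d._message_ident = i._message_ident'
    . ' WHERE i.severity = ? AND d.time LIKE ?'
);
my $sth_addr = $dbd->prepare(
    'SELECT address FROM Prelude_Address WHERE _message_ident = ? AND _parent_type = ?'
);
my $sth_seen = $dbh->prepare(
    'SELECT COUNT(*) FROM whois WHERE ipAddr = ? AND date = CURDATE()'
);
my $sth_add = $dbh->prepare(
    'INSERT INTO whois (date, ipAddr) VALUES (CURDATE(), ?)'
);

$sth_alerts->execute( 'high', "%$today%" );
while ( my ($msgid) = $sth_alerts->fetchrow_array ) {
    # First source ('S') address of the alert, as in the original script.
    my ($addr) = $dbd->selectrow_array( $sth_addr, undef, $msgid, 'S' );
    # The original inserted an empty ipAddr when no source was recorded.
    next unless defined $addr && length $addr;

    # Record each attacker at most once per day.
    my ($seen) = $dbh->selectrow_array( $sth_seen, undef, $addr );
    $sth_add->execute($addr) unless $seen;
}
$sth_alerts->finish;

# ---- Phase 2: mail the abuse contact of every address recorded today -------
# Three-arg open, checked; the original `$message=<FD>` read only one line.
open my $msg_fh, '<', $file or die "open $file: $!";
my $message = do { local $/; <$msg_fh> };
close $msg_fh;

my $sth_today = $dbh->prepare('SELECT ipAddr FROM whois WHERE date = CURDATE()');
$sth_today->execute;

IP:
while ( my ($ipAddr) = $sth_today->fetchrow_array ) {
    # Net::Whois::IP may die on network trouble; one bad lookup must not abort
    # the whole daily run.
    my $response = eval { whoisip_query($ipAddr) };
    unless ( $response && ref $response ) {
        warn "whois lookup failed for $ipAddr: " . ( $@ || 'no data' ) . "\n";
        next IP;
    }

    # Pick the contact e-mail out of the WHOIS answer (same two fields and the
    # same "last match in key order wins" rule as before). $mail is reset per
    # address: the original kept the previous address's contact when a lookup
    # had none, mailing the wrong organisation.
    my $mail;
    for my $key ( sort keys %{$response} ) {
        my $res = "$key : $response->{$key}";
        if ( $res =~ m/e-mail : (\S+)/ || $res =~ m/OrgTechEmail : (\S+)/ ) {
            $mail = $1;
            print "$mail\n";
        }
    }
    unless ( defined $mail ) {
        warn "no abuse contact found for $ipAddr, skipping\n";
        next IP;
    }
    unless ( $mail =~ $mail_re ) {
        warn "refusing suspicious contact address for $ipAddr: $mail\n";
        next IP;
    }

    if ( $msgtype == 1 ) {
        # Send directly from prelude-manager. List-form open runs mail(1)
        # without a shell, so $subject and $mail are single argv elements and
        # the message body is written to its stdin instead of `cat`-ed.
        open my $mh, '|-', 'mail', '-s', $subject, $mail
            or do { warn "cannot run mail for $mail: $!\n"; next IP };
        print {$mh} $message;
        close $mh or warn "mail to $mail exited with status " . ( $? >> 8 ) . "\n";
    }
    else {
        # prelude-manager in the local network may be firewalled from SMTP;
        # hand the job to a host that is allowed to use 'mail'. Left disabled
        # as in the original. If enabled: keep the list form (no shell),
        # URL-encode every field, and put HTTPS plus authentication on the
        # relay, otherwise anyone can use it as an open mail gateway.
        # system( 'curl', '--silent', '--fail',
        #         '--data-urlencode', "mail=$mail",
        #         '--data-urlencode', "subject=$subject",
        #         '--data-urlencode', "msg=$message",
        #         $relay_url ) == 0 or warn "relay failed for $mail\n";
    }
}

$dbd->disconnect;
$dbh->disconnect;

# The PHP receiver for $relay_url (mail.php) was referenced by the original
# author but its source did not survive in this copy of the file.
#-------------------------------------------------------------------
#
# SQL dump for database 'whois' and table 'whois'
#-------------------------------------------------------------------
#create database whois;
#use whois;
#CREATE TABLE IF NOT EXISTS `whois` (
#  `id` int(11) NOT NULL auto_increment,
#  `date` date NOT NULL,
#  `ipAddr` varchar(32) NOT NULL,
#  PRIMARY KEY (`id`)
#) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=8 ;
#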