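#!/usr/bin/perl
###########################################################################
# This parses apache access log files for nimda or code red attempts.     #
# It will return the number of attempts and will show the last one and    #
# who it came from..                                                      #
###########################################################################
# Author: Tyler L. Longren
# E-mail: tyler@captainjack.com
# URL: http://longren.d2g.com
#
# To get this to work, just modify the $log_file variable to point to your
# apache access log

use strict;
use warnings;
use Getopt::Std;
use POSIX qw(strftime);
use Term::ANSIColor;

# Apache access log that is scanned.
my $log_file = "/usr/local/apache/logs/access_log";

# Request-line fragments that identify each worm's probe.
my %probe_pattern_for = (
    codered => qr/default\.ida/i,
    nimda   => qr/c\+dir/i,
);

# Command-line switches (-c -n -p -l -h); filled in by getopts() when the
# script is run directly, left empty when the file is loaded by a test.
my %options;

# Print the command-line help text.
sub usage {
    print "Usage: ./worms.pl [-c] [-n] [-p] [-l] [-h]\n"
        . "  -c : Scan for code red attempts\n"
        . "  -h : Print this help message\n"
        . "  -l : Log total attempts and date to .nimda.log or .codered.log\n"
        . "  -n : Scan for nimda attempts\n"
        . "  -p : Plain text, no color\n\n";
    return;
}

# Return every line of $path that matches $pattern, in file order, with
# the trailing newline removed.  Dies if the file cannot be opened.
# Three-argument open: the path is never parsed for a mode prefix.
sub _matching_lines {
    my ($path, $pattern) = @_;
    open my $fh, '<', $path or die "Could not open $path: $!";
    my @hits;
    while (my $line = <$fh>) {
        chomp $line;
        push @hits, $line if $line =~ $pattern;
    }
    close $fh;
    return @hits;
}

# Extract the client address from a Common Log Format line (the first
# field, digits and dots).  Returns undef for undef input or a line that
# does not start with such a field.
sub _client_host {
    my ($line) = @_;
    return unless defined $line;
    my ($host) = $line =~ /\A([\d.]+)\s/;
    return $host;
}

# Count the lines in @lines whose client field is exactly $host.  The
# comparison is on the whole field, so 10.0.0.1 no longer also counts
# 10.0.0.10's requests.  Counting in memory removes the shared /tmp
# scratch file the original needed (and its symlink/stale-data risks).
sub _count_from_host {
    my ($host, @lines) = @_;
    return 0 unless defined $host;
    my $count = 0;
    for my $line (@lines) {
        my $seen = _client_host($line);
        $count++ if defined $seen && $seen eq $host;
    }
    return $count;
}

# Classify a Code Red probe by the filler run that follows "default.ida?":
# NNN is Code Red I, XXX is Code Red II.  Matching the request text is
# more robust than reading a fixed column offset, which shifts with the
# length of the client/identity fields.
sub _codered_version {
    my ($line) = @_;
    return "Code Red (Unknown)" unless defined $line;
    my ($filler) = $line =~ /(?i:default\.ida)\?(NNN|XXX)/;
    return "Code Red I"  if defined $filler && $filler eq 'NNN';
    return "Code Red II" if defined $filler && $filler eq 'XXX';
    return "Code Red (Unknown)";
}

# Replace bytes outside printable ASCII with '?'.  The request text in a
# log line is attacker-supplied, so escape sequences (ESC, CR, ...) must
# not reach the terminal unchanged.
sub _printable {
    my ($text) = @_;
    (my $safe = $text) =~ s/[^\x20-\x7E]/?/g;
    return $safe;
}

# Append "<total> - <date>" to $log_name.  Uses strftime instead of a
# shelled-out `date` command; the format is the original "%m.%d.%Y %T".
sub _append_count {
    my ($log_name, $total) = @_;
    my $date = strftime('%m.%d.%Y %H:%M:%S', localtime);
    open my $out, '>>', $log_name or die "Could not open $log_name: $!";
    print {$out} "$total - $date\n";
    close $out or die "Could not close $log_name: $!";
    return;
}

# Shared scan/report routine for both worms.
#   $type       key into %probe_pattern_for
#   $label      human-readable name used in the report
#   $log_name   file that -l appends the running total to
#   $version_of optional coderef mapping the latest hit to a version string
# Prints the report to STDOUT; honours -p (no colour) and -l (log total).
sub _scan {
    my ($type, $label, $log_name, $version_of) = @_;
    system("clear");
    print "Reading logs...\r";
    my @hits      = _matching_lines($log_file, $probe_pattern_for{$type});
    my $total     = scalar @hits;
    my $last_hit  = $hits[-1];               # undef when nothing matched
    my $last_host = _client_host($last_hit);
    my $from_host = _count_from_host($last_host, @hits);

    system("clear");
    print "Scan Type: $label";
    print "\nVersion: ", $version_of->($last_hit) if $version_of;
    print "\n$label attempts: ";
    if (defined $options{p}) {
        print $total;
    }
    else {
        print color("bold red"), $total, color("reset");
    }
    print " (logged)" if defined $options{l};
    print "\nLast Host: ", (defined $last_host ? $last_host : "n/a");
    print "\nHost attempts: $from_host";
    print "\nLogfile: $log_file";
    print "\nHere's the most recent $label attempt:\n",
          "---------------------------------------------------\n",
          (defined $last_hit ? _printable($last_hit) : "(no attempts found)"), "\n",
          "---------------------------------------------------\n";
    _append_count($log_name, $total) if defined $options{l};
    return;
}

# Scan for Code Red probes and print the report.
sub codered {
    _scan('codered', 'Code Red', '.codered.log', \&_codered_version);
    return;
}

# Scan for Nimda probes and print the report.
sub nimda {
    _scan('nimda', 'Nimda', '.nimda.log');
    return;
}

# Only dispatch when run as a program; a `require`/`do` of this file (for
# testing) just defines the subroutines.
unless (caller) {
    getopts("lphnc", \%options);
    if (defined $options{c}) {
        codered();
    }
    elsif (defined $options{n}) {
        nimda();
    }
    else {
        usage();
    }
    exit;
}

1;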