Goal: Many viruses these days use Windows vulnerabilities to get onto Windows hosts and then open connections to a large number of IPs. A normal program (DNS, proxy server, etc.) has no more than a few dozen simultaneous connections, whereas a virus typically has several hundred; this is what I observed with clear ip accounting / show ip accounting on the Cisco router. If several machines are infected, the router effectively hangs! Based on this characteristic, I want to write the following automatic telnet, parsing and monitoring script, run it every ten minutes, and, if the parsed connection count exceeds one hundred, run my own notification program (SNMP agent, SMS, e-mail, other monitoring agent, etc.) to alert the router administrator. The concrete steps I have in mind are:
1. Simulate a user telnetting into the Cisco router:
telnet 192.168.1.1
user:
password:
enable
clear ip accounting
show ip accounting
followed by a large amount of output, all about local IP, remote IP and the packet size of the connection at that moment.
2. Automatically redirect all of this to a file, e.g. > 1.txt. 1.txt looks like this:
CRT01#clear ip accoun
CRT01#sh ip accoun
Source Destination Packets Bytes
192.168.113.7 192.168.135.243 7 588
192.168.116.53 192.168.2.65 1 48
192.168.116.53 192.168.235.169 1 48
192.168.102.241 192.168.104.251 1 62
192.168.119.21 192.168.105.14 44 6888
192.168.119.55 192.168.117.50 6 1173
192.168.104.30 192.168.105.23 1 40
192.168.119.21 192.168.156.244 7 2383
192.168.115.30 192.168.105.14 169 22427
192.168.235.113 192.168.156.11 1 48
192.168.116.53 192.168.237.161 1 48
192.168.102.251 192.168.104.251 1 73
192.168.235.113 192.168.116.225 1 48
192.168.119.55 192.168.117.36 4 232
192.168.112.12 192.168.117.29 4 544
192.168.117.29 192.168.112.12 4 2184
192.168.117.14 192.168.116.25 2 80
192.168.132.251 192.168.117.29 1 40
192.168.99.21 192.168.117.27 6 396
192.168.98.23 192.168.117.29 1 40
192.168.104.251 192.168.133.8 3 505
192.168.133.8 192.168.104.251 3 530
192.168.113.7 192.168.117.29 4 1888
192.168.117.14 192.168.135.222 1 40
192.169.46.107 192.168.117.29 8 6751
192.168.117.21 192.168.138.199 1 213
192.168.233.135 192.168.116.53 1 56
192.168.113.61 192.168.117.22 20 4071
192.168.116.53 192.168.234.155 1 48
192.168.113.56 192.168.117.14 17 718
192.168.119.53 192.168.105.25 1 60
192.168.99.11 192.168.234.182 2 103
192.168.119.53 192.168.104.28 1 60
192.168.243.160 192.168.117.17 2 80
192.168.104.251 192.168.160.10 1 147
192.168.119.53 192.168.116.9 1 60
Source Destination Packets Bytes
192.168.113.46 192.168.117.21 27 1080
192.168.113.82 192.168.117.22 30 1870
3. cut -b -15 1.txt|sort |uniq -c |sort -nr|cat, which means: take the first 15 characters of each line of 1.txt (cut -b -15 1.txt), sort them (sort), count the number of connection lines per IP (uniq -c), sort again in reverse numeric order (sort -nr), and print. The output of this step is as follows:
24 192.168.116.53
24 192.168.104.25
21 192.168.117.14
16 192.168.235.11
11 192.168.113.13
10 Source
10 192.168.117.21
8 192.168.117.29
8 192.168.103.13
7 192.168.113.7
7 192.168.112.12
6 192.168.102.22
5 192.168.98.77
5 192.168.138.19
5 192.168.111.15
4 192.168.133.72
4 192.168.113.20
4 192.168.112.20
3 192.168.132.3
3 192.168.119.53
3 192.168.115.20
3 192.168.113.53
3 192.168.113.18
3 192.168.113.15
3 192.168.113.10
3 192.168.112.14
3 192.168.111.11
3 192.168.104.24
3 192.168.103.30
3 192.168.102.19
3 192.168.102.10
3 172.24.67.75
3 172.16.4.32
2 Password:
2 Accounting thre
2 192.168.99.11
2 192.168.98.43
2 192.168.156.22
4. Then compare the first column of each line of step 3's output with 100; if the first column is greater than 100, run an operating-system command with the second column of that line as its argument, e.g. "sendmail test@test.com 192.168.116.53", so that the router administrator is notified.
5. The script that imitates a user telnet session is as follows:
# Each echo is written to telnet's stdin as if typed: login name, password,
# one command, then exit; the whole session output is saved to 1.txt.
(
sleep 1;\
echo "oracle";\
sleep 1;\
echo "123456";\
sleep 1;\
echo "df -k";\
sleep 1;\
sleep 1;\
echo "exit";\
sleep 1)|telnet 192.168.114.56 > 1.txt
6. Could an expert please string my intention and the script fragments I know of together into one complete script, so that I can learn from it? And please also point out the shortcomings of my approach.
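One way to implement steps 3 and 4 of the procedure above, as an added example that is not the poster's script: it parses a saved show ip accounting capture with awk instead of cut -b -15, so that full addresses are compared (cut -b -15 would merge 192.168.104.25 and 192.168.104.251) and the non-data lines (prompts, the repeated Source header, Password:) are skipped, then hands every source over the threshold to a placeholder notify function. The file name, the sample capture and notify are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's code: count distinct destinations per
# source in a saved "show ip accounting" capture and alert above a threshold.

# Constructed sample standing in for 1.txt (the redirected telnet output).
SAMPLE_CAPTURE='CRT01#sh ip accoun
Source Destination Packets Bytes
192.168.116.53 192.168.2.65 1 48
192.168.116.53 192.168.235.169 1 48
192.168.116.53 192.168.237.161 1 48
192.168.119.21 192.168.105.14 44 6888
192.168.119.21 192.168.156.244 7 2383
Accounting threshold exceeded for 0 packets and 0 bytes
Source Destination Packets Bytes
192.168.116.53 192.168.234.155 1 48
192.168.104.251 192.168.133.8 3 505'

# count_destinations FILE
# Prints "count source", most destinations first. Only lines whose first two
# fields are dotted-quad addresses are data; each source/destination pair is
# counted once even if the header repeats and the pair is listed again.
count_destinations() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
         $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
             pair = $1 " " $2
             if (!(pair in seen)) { seen[pair] = 1; n[$1]++ }
         }
         END { for (s in n) print n[s], s }' "$1" | sort -nr
}

# sources_over FILE THRESHOLD
# Prints only the sources whose destination count exceeds THRESHOLD.
sources_over() {
    count_destinations "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# notify SOURCE: placeholder for the poster's own notifier (mail, SMS, SNMP).
notify() {
    echo "ALERT: $1 exceeds the destination threshold"
}

# Demonstration run over the constructed capture with a threshold of 2.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CAPTURE" > "$tmp"
for src in $(sources_over "$tmp" 2); do notify "$src"; done
rm -f "$tmp"
```

Note that this counts distinct destinations per source since the last clear ip accounting, not concurrent connections, so the threshold has to be tuned against the normal traffic of known busy hosts such as the DNS and proxy servers.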