WormWarner is a Perl script that is used to warn hosts that are probably infected by a worm. It decides whether a host is infected by analyzing the data from the Apache log files. It currently recognizes CodeRed, Nimda, the Linux.Slapper.Worm, and the FreeBSD.Scalper.worm. Warning is done by trying to contact the SMTP server on the infected host and sending an email to the postmaster.
| Tags | Monitoring |
|---|---|
| Licenses | GPL |
| Operating Systems | POSIX Linux |
| Implementation | Perl |
Recent releases


Changes: A test mode and the option to specify the mail server to use were added. This release also limits the size of an email message when the included log files make it too large. The patterns to detect a worm are now stored in a file, which makes it easier to add patterns. Some new patterns were added.


Changes: The scripts now use a GDBM database to keep statistics about the warnings that were sent. This database is also used for rate control to avoid sending too many warnings for the same IP. The ATD-Mass exploiter was added to the recognized attacks. The IP and timezone of the host which runs the script are included in messages to the ISP. Some small bugs were fixed.


Changes: A conflict with newer versions of the Mail::Sender module was fixed. A bug which caused wormwarner not to log for some specific email server problems was fixed.


Changes: Wormwarner now runs as a daemon which lets it respond within minutes after an infection attempt. The abuse.net database is queried before starting whois queries to find the email address of the ISP to warn. Code cleanups were also made.


Changes: This release features improved whois lookup functionality, and can now execute commands (which could be used to modify adaptive firewalls).