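#!/bin/csh -f
#
# joel 2002
#
# Daily abuse report for one host: greps the syslog messages file, the
# httpd access_log, the vsmtprelay database and the mail queue for one
# (HST) date and prints counts followed by the matching log details.
# Output goes to stdout only; nothing is written anywhere.
#
# Usage:  check_spams [Mmm dd]
#   no arguments  -> report covers today
#   Mmm           -> 3-letter month as printed by date(1), eg Jul
#   dd            -> zero-padded day, eg 02 (the messages/access_log form)
#
# must use "-v-10H" switch to
# convert to HST (system time from "date" shows "GMT")
#
# ----- corrected on 12 July 2002 ----
# system is now HST for all functions
#
# NOTE(review): the detail sections echo attacker-supplied log text
# (envelope addresses, requested URLs) straight to stdout.  If this is
# read on a terminal rather than mailed, consider piping those sections
# through "cat -v" so embedded escape sequences are shown, not executed.
#
## HST date:
##
set dow = `date | awk '{print$1}'`
set mon = `date | awk '{print$2}'`
set da  = `date | awk '{print$3}'`
set dalength = `date | awk '{print length ($3)}'`
if ($dalength != 2) set da = " $da"
set day = `date +%D | awk -F/ '{print$2}'`
set yr  = `date | awk '{print$6}'`
##
## note: $da has a leading space (ie " 2")  -- the last(1) date form
##       $day contains leading zero (ie "02") -- the messages/access_log form
## NOTE(review): the "$mon $day" greps below assume the messages file
##       zero-pads the day ("Jul 02").  A syslogd that space-pads
##       ("Jul  2") would make every count come out 0 on days 1-9;
##       confirm against this host's messages file.
##
## vsmtprelay (relay.db) uses UT DATE!
## (the UT values are only referenced by the commented-out
##  "vsmtprelay dump" checks below; kept so they can be re-enabled)
##
set umon = `date -u | awk '{print$2}'`
set uda  = `date -u | awk '{print$3}'`
set udalength = `date -u | awk '{print length ($3)}'`
if ($udalength != 2) set uda = " $uda"
set uday = `date -u +%D | awk -F/ '{print$2}'`
set uyr  = `date -u | awk '{print$6}'`
##
## note: $uda has a leading space (ie " 2")
## $uday contains leading zero (ie "02")
##
## Use DATE ARGUMENT instead, if supplied.
## $#argv is tested rather than $1: an unquoted, absent $1 turns the csh
## "if" into a syntax error.  Both Mmm and dd are required so that $day
## can never be empty (an empty $day would make "$mon $day" match the
## whole month).
if ($#argv > 0) then
    if ($#argv < 2) then
        echo "usage: $0 [Mmm dd]   (eg $0 Jul 02)"
        exit 1
    endif
    set mon = $1
    set day = $2
    set dow = " "
    ## keep $da (space-padded form used by the last(1) check) in step
    ## with the requested day; the year is not an argument and stays current
    set da = `echo "$day" | sed 's/^0//'`
    if ("$da" =~ ?) set da = " $da"
endif
set today = $dow", "$mon" "$day", "$yr

echo " "
echo " HST $today"
echo " "

## get NUMBER of spams & relays &c:
set numspams = `grep -i check_mail ~/usr/log/messages |grep -c "$mon $day"`
echo " $numspams SPAMS filtered out"
set numrelays = `grep -i check_rcpt ~/usr/log/messages| grep -c "$mon $day"`
echo " $numrelays RELAYS attempted"
set numnull = `grep /dev/null ~/usr/log/messages| grep -c "$mon $day"`
echo " $numnull messages sent to /dev/null"
set numnoque = `grep NOQUEUE ~/usr/log/messages| grep -c "$mon $day"`
echo " $numnoque NOQUEUE errors"
## access_log and ftpxfer lines carry the date as dd/Mmm, not "Mmm dd"
set numftps = `grep ftpxfer ~/usr/log/messages| grep -c "$day/$mon"`
echo " $numftps FTP xfers"
set numunk = `grep "User unknown" ~/usr/log/messages| grep -c "$mon $day"`
echo " $numunk msgs sent to unknown addresses"
set numworms = `grep "$day/$mon" ~/usr/local/etc/httpd/logs/access_log | grep -c -e ".exe?" -e "default.ida?"`
echo " $numworms => WORMS <="
set numlong = `grep "$day/$mon" ~/usr/local/etc/httpd/logs/access_log|awk 'length>255'|grep -c "."`
echo " $numlong WWW Access commands >255 chars"

## Report SPAMS filtered out:
echo " "
echo " SPAMS filtered out from:"
echo " ~~~~~~~~~~~~~~~~~~~~~~~~~~"
grep -i check_mail ~/usr/log/messages | grep "$mon $day" | awk '{print$7}' \
    | awk -F"<" '{print$2}' | awk -F">" '{print$1}'

## Report RELAY attempts from:
echo " "
echo " RELAYS stopped:"
echo " ~~~~~~~~~~~~~~~~~"
#### (arg1 only:)
####grep -i check_rcpt ~/usr/log/messages|grep "$mon $day"|awk '{print$7}' \
####    |awk -F"<" '{print$2}'|awk -F">" '{print$1}'
## (print full details, arg1, relay, IP)
##
grep -i check_rcpt ~/usr/log/messages|grep "$mon $day"|awk '{print$7,$8,$9}'

echo " "
echo " RELAYS attempted by:"
echo " ~~~~~~~~~~~~~~~~~~~~~~"
grep -A1 relay-OK ~/usr/log/messages|grep "$mon $day"|grep from=|awk -F"<" '{print$3}'|awk -F">" '{print$1}'

#echo " "
#echo " ==> Unknown Relays that SUCCEEDED:"
#echo " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
#/usr/local/bin/vsmtprelay dump | grep -A1 "$mon $day" | grep -v 64.75 | grep -v 128.171 | grep -v #
#/usr/local/bin/vsmtprelay dump | grep -A1 "$umon $uda" | grep -v 64.75 | grep -v #
#/usr/local/bin/vsmtprelay

echo " "
echo " messages to /dev/null addressed to:"
echo " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
grep /dev/null ~/usr/log/messages |grep "$mon $day" | awk '{print$7}' |awk -F= '{print$2}'

echo " "
echo " messages to /dev/null were sent from:"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
grep -B1 /dev/null ~/usr/log/messages | grep "$mon $day" | grep "from=" \
    | awk '{print$6}' | awk -F"<" '{print$2}' | awk -F">" '{print$1}'

echo " "
echo " messages addressed to unknown users:"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
grep "User unknown" ~/usr/log/messages |grep "$mon $day" | awk '{print$6}'

echo " "
echo " messages to unknown users were sent from:"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
grep -A1 "User unknown" ~/usr/log/messages | grep "$mon $day" | grep "from=" \
    | awk '{print$6}' | awk -F"<" '{print$2}' | awk -F">" '{print$1}'

echo " "
echo " messages to unknown users were sent thru relay:"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
grep -A1 "User unknown" ~/usr/log/messages | grep "$mon $day" | grep "from=" \
    | awk '{print$11}' | awk -F"[" '{print$2}' | awk -F"]" '{print$1}'

echo " "
echo " NOQUEUEs from:"
echo "~~~~~~~~~~~~~~~~~~"
grep NOQUE ~/usr/log/messages |grep "$mon $day" | awk '{print $6 $7}'

echo " "
echo " FTP xfers:"
echo "~~~~~~~~~~~~~~~~~~"
grep ftpxfer ~/usr/log/messages |grep "$day/$mon" | awk -F: '{print$6}'

echo " "
echo " EXPN & VRFY probes:"
echo "~~~~~~~~~~~~~~~~~~~~~~~"
grep -e EXPN -e VRFY ~/usr/log/messages|grep -v issue|grep "$mon $day"|awk -F: '{print$5$6}'

echo " "
echo " Check that passwd file has not changed:"
echo " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
## prints the ls line only when size/mtime differ from the known-good
## "795 Nov 28" stamp.  NOTE(review): size+mtime is a weak integrity check
## (an edit that keeps the byte count followed by "touch -t" passes it),
## so the checksum is printed as well -- compare it by eye, or better
## against a baseline "cksum ~/etc/passwd" kept off this host.
ls -al ~/etc/passwd |grep -v "795 Nov 28"
cksum ~/etc/passwd

#echo " "
#echo " Check for known hackers:"
#echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~"
#grep 213.165.223.112 ~/usr/log/messages | grep -e "$mon $day" -e "$day/$mon"
#grep -e "$mon $day" -e "$day/$mon" ~/usr/log/messages | grep 213.165.223.112
#grep 213.165.223.112 ~/usr/log/messages

echo " "
echo " Check mail queue:"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~"
ls -al ~/var/spool/mqueue |grep -v total|grep -v drwx

#echo " "
#echo " Mail queue: head -33 d*"
#echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~"
#head -33 ~/var/spool/mqueue d*

echo " "
echo " Check successful relayers IP (exclude 128.171 & 64.75.1xx) :"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
## (also exclude known prob? Apr'02 from 192.41.42.109)##
## the excluded prefixes are unanchored grep patterns, so eg "164.75.1"
## or "x.128.171." would also be hidden from this list
/usr/local/bin/vsmtprelay list | grep -v 64.75.1 | grep -v 128.171. \
    |grep -v 192.41.42.109 | grep -v timestamp | grep .

echo " "
echo " ====> WORMS <===="
echo "~~~~~~~~~~~~~~~~~~~~~"
grep "$day/$mon" ~/usr/local/etc/httpd/logs/access_log \
    | grep -e ".exe?" -e "default.ida?" | awk -F"?" '{print$1}' \
    | awk '{print$6,$7," ",$1}'

echo " "
echo " Oversize emails rejected:"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
grep "$mon $day" ~/usr/log/messages| grep -B1 exceeds | grep "size=" |awk '{print$6,$7}'

echo " "
echo " Shell Logins, past 24hrs:"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
## last(1) prints the day space-padded, hence $da rather than $day
/usr/bin/last | grep "$mon $da"

echo " "
echo " Files changed in past 24hrs:"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
## -mtime -1 = modified less than one day ago.  The previous "-mtime 1"
## selected only the 24-48h-ago window, which did not match the heading.
## The grep -v chain hides the paths this script and the log rotation
## touch every day.
find ~ -mtime -1 -ls | grep -v stats | grep -v nws | grep -v logs | grep -v spammers \
    | grep -v spams_yest | grep -v scratch | grep -v pine | grep -v /tmp | grep -v mque \
    | grep -v /var/mail | grep -v messages | grep -v null | grep -v relayers.db \
    |grep -v sendmail.st| grep -v proftpd
echo " "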