PHP:NepLog



This script took the output of Nepenthes (a honeypot) and generated statistics about infected machines.

<?php
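	error_reporting(E_ALL^E_NOTICE);
	// Nepenthes submission log: one submission per line.
	$file = '/var/log/nepenthes/logged_submissions';

	// Example line:
	//[2006-10-09T12:33:26] ftp://a:a@128.235.138.16:4120/WindowsSys32e.exe
	// Captures: 1 = date, 2 = time, 3 = download URL, 4 = trailing token (recorded as md5sum).
	// PCRE replaces eregi(), which was deprecated in 5.3 and removed in PHP 7.
	$pattern = '/\[(.*)T(.*)\] (.*) (.*)/i';

	// $hosts is keyed by the URL host, $files by the URL path without its leading slash.
	$hosts = array();
	$files = array();

	$f = fopen($file, "r");
	if ($f === false)
	{
		exit('Unable to open '.$file);
	}
	// Testing fgets() for false is more reliable than feof() before the read,
	// which yields one spurious empty iteration at the end of the file.
	while (($raw = fgets($f)) !== false)
	{
		$line = rtrim($raw);
		if (!preg_match($pattern, $line, $out))
		{
			continue;
		}
		$numtime = strtotime($out[1].' '.$out[2]);
		if ($numtime === false)
		{
			// Unparseable timestamp: the entry cannot be placed on the timeline, skip it.
			continue;
		}
		$urlinfo = parse_url($out[3]);
		// parse_url() returns false for badly broken URLs and omits absent components;
		// fall back to empty strings so the counters below still key on a defined value.
		$host = (is_array($urlinfo) && isset($urlinfo['host'])) ? $urlinfo['host'] : '';
		$path = (is_array($urlinfo) && isset($urlinfo['path'])) ? $urlinfo['path'] : '';
		// The submitted file name is the URL path minus its leading slash.
		$cfile = (string) substr($path, 1);
		$md5sum = $out[4];

		// Per-file statistics: submission count and the md5sum most recently reported for it.
		if (!isset($files[$cfile]))
		{
			$files[$cfile] = array('count' => 0, 'file' => $cfile, 'md5sum' => '');
		}
		$files[$cfile]['count']++;
		$files[$cfile]['md5sum'] = $md5sum;

		// Per-host statistics: submission count, last file sent, first/last submission time.
		// Initialising the record here avoids the undefined-key reads of the original
		// and the 999999999999999 "not yet seen" sentinel.
		if (!isset($hosts[$host]))
		{
			$hosts[$host] = array(
				'count' => 0,
				'host' => $host,
				'file' => $cfile,
				'firstseen' => $numtime,
				'lastseen' => $numtime,
			);
		}
		$hosts[$host]['count']++;
		$hosts[$host]['file'] = $cfile;
		$hosts[$host]['firstseen'] = min($hosts[$host]['firstseen'], $numtime);
		$hosts[$host]['lastseen'] = max($hosts[$host]['lastseen'], $numtime);
	}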
	/**
	 * usort() comparator for host records: most recently seen host first.
	 *
	 * @param array $var1 host record carrying a numeric 'lastseen' timestamp
	 * @param array $var2 host record carrying a numeric 'lastseen' timestamp
	 * @return int -1 when $var1 was seen later than $var2, 1 when earlier, 0 when equal
	 */
	function host_sort($var1,$var2)
	{
		$a = $var1['lastseen'];
		$b = $var2['lastseen'];
		if ($a == $b) return 0;
		// Descending order: the later timestamp sorts before the earlier one.
		return ($a > $b) ? -1 : 1;
	}
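	usort($hosts, "host_sort");

	echo '<h2>Infected systems, ordered by last time seen</h2>';
	echo '<table cellpadding=5 border=1>';
	echo '<tr>';
	echo '<td><b>Count</b></td>';
	echo '<td><b>IP Address</b></td>';
	echo '<td><b>Host name</b></td>';
	echo '<td><b>First seen</b></td>';
	echo '<td><b>Last seen</b></td>';
	echo '<td><b>Last file sent</b></td>';
	echo '</tr>';
	foreach ($hosts as $cur)
	{
		// Only resolve genuine IP addresses: gethostbyaddr() warns and returns false for
		// anything else (a URL may carry a host name). It returns the address unchanged when
		// no PTR record exists.
		$rdns = (filter_var($cur['host'], FILTER_VALIDATE_IP) !== false)
			? gethostbyaddr($cur['host'])
			: false;
		// date() replaces strftime() (deprecated since PHP 8.1); 'M d Y H:i:s' is the
		// C-locale rendering of '%b %d %Y %H:%M:%S'.
		$cells = array(
			$cur['count'],
			$cur['host'],
			$rdns === false ? '' : $rdns,
			date('M d Y H:i:s', (int) $cur['firstseen']),
			date('M d Y H:i:s', (int) $cur['lastseen']),
			$cur['file'],
		);
		// Host, file name and the reverse-DNS answer all originate from the submitting
		// machine, so every cell is HTML-escaped to keep injected markup out of the report.
		echo '<tr>';
		foreach ($cells as $cell)
		{
			echo '<td>'.htmlspecialchars((string) $cell, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').'</td>';
		}
		echo '</tr>';
	}
	echo '</table>';

	echo '<br><br>';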
 
	/**
	 * usort() comparator for file records: highest submission count first.
	 *
	 * @param array $var1 file record carrying a numeric 'count'
	 * @param array $var2 file record carrying a numeric 'count'
	 * @return int -1 when $var1 was submitted more often than $var2, 1 when less often, 0 when equal
	 */
	function file_sort($var1,$var2)
	{
		$a = $var1['count'];
		$b = $var2['count'];
		if ($a == $b) return 0;
		// Descending order: the larger count sorts first.
		return ($a > $b) ? -1 : 1;
	}
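	usort($files, "file_sort");

	echo '<h2>Sent files, ordered by count</h2>';
	echo '<table cellpadding=5 border=1>';
	echo '<tr>';
	echo '<td><b>Count</b></td>';
	echo '<td><b>File</b></td>';
	echo '<td><b>Md5Sum</b></td>';
	echo '</tr>';
	foreach ($files as $data)
	{
		// File name and md5sum are taken verbatim from the submitted URL, so each cell is
		// HTML-escaped before it is written into the report.
		echo '<tr>';
		foreach (array($data['count'], $data['file'], $data['md5sum']) as $cell)
		{
			echo '<td>'.htmlspecialchars((string) $cell, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').'</td>';
		}
		echo '</tr>';
	}
	echo '</table>';


	// The log handle was only needed while parsing; release it once both tables are written.
	fclose($f);
	echo '<br><br><br><hr>';
	// date() replaces strftime() (deprecated since PHP 8.1); 'M d Y H:i:s' is the
	// C-locale rendering of '%b %d %Y %H:%M:%S'.
	echo '<b>Generated:</b> '.date('M d Y H:i:s').'<br><b>Script by:</b> Brian Rak';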
?>