perl script to detect latest email worm
Peter Van Epp
vanepp at sfu.ca
Wed Jan 28 00:37:27 EST 2004
The thought belatedly struck that I have a perl script (in ugly form)
which may be useful to others. It eats an argus-2.0.6 file and uses ra to spit
out a reverse traffic order listing of machines sending mail. If you suppress
your network and your mail servers (which blocks incoming mail, which isn't
interesting in this case) this catches infected PCs madly attempting to infect
other machines via the worm's internal SMTP engine. Output looks like this:
Start time Tue Jan 27 19:59:42 2004 to Tue Jan 27 20:59:42 2004
Total traffic: 73,101,132 total src: 68,688,615 total dst: 4,412,517
(infected machine, followed by two normal machines)
142.58.xxx.xxx total traffic: 7,699,212
142.58.xxx.xxx 203.49.108.30 25 486,436 38,942
142.58.xxx.xxx 216.113.192.13 25 489,406 0
142.58.xxx.xxx 212.5.216.21 25 349,531 36,146
142.58.xxx.xxx 195.12.141.26 25 314,413 31,777
142.58.xxx.xxx 212.26.172.10 25 314,733 27,430
142.58.xxx.xxx 204.225.90.28 25 320,492 19,712
142.58.xxx.xxx 12.39.209.19 25 309,004 23,130
142.58.xxx.xxx 62.168.63.185 25 279,108 15,463
142.58.xxx.xxx 155.72.128.140 25 243,853 25,378
142.58.xxx.xxx 193.70.192.92 25 244,576 24,222
142.58.xxx.xxx 132.156.36.48 25 211,806 12,062
142.58.xxx.xxx 199.185.220.250 25 210,391 11,960
142.58.xxx.xxx 216.129.90.46 25 211,492 0
142.58.xxx.xxx 205.150.42.70 25 209,774 0
142.58.xxx.xxx 217.67.20.137 25 176,315 16,648
142.58.xxx.xxx 216.200.145.38 25 176,144 14,651
142.58.xxx.xxx 216.208.154.16 25 142,035 9,721
142.58.xxx.xxx 64.29.144.73 25 139,142 11,445
142.58.xxx.xxx 193.85.2.10 25 138,735 9,843
142.58.xxx.xxx 204.50.129.130 25 139,054 8,065
142.58.xxx.xxx 204.244.10.35 25 141,688 0
142.58.xxx.xxx 206.47.172.220 25 108,680 10,645
142.58.xxx.xxx 209.58.232.25 25 110,500 6,943
142.58.xxx.xxx 216.251.32.217 25 104,650 7,906
142.58.xxx.xxx 195.186.4.200 25 104,929 5,686
142.58.xxx.xxx 195.28.64.119 25 104,429 3,894
142.58.xxx.xxx 61.8.96.1 25 78,170 5,531
142.58.xxx.xxx 209.202.220.99 25 72,309 6,527
142.58.xxx.xxx 209.228.4.169 25 73,274 5,162
142.58.xxx.xxx 205.200.10.68 25 71,857 6,145
142.58.xxx.xxx 142.232.99.100 25 74,675 0
142.58.xxx.xxx 165.252.95.229 25 68,643 4,798
142.58.xxx.xxx 216.123.224.166 25 69,835 3,103
142.58.xxx.xxx 209.228.197.138 25 69,263 3,154
142.58.xxx.xxx 207.228.250.157 25 39,175 12,748
142.58.xxx.xxx 64.157.4.78 25 41,945 9,308
142.58.xxx.xxx 64.156.215.6 25 38,157 6,473
142.58.xxx.xxx 192.44.100.42 25 35,678 3,768
142.58.xxx.xxx 192.44.184.23 25 35,505 3,648
142.58.xxx.xxx 216.251.32.110 25 35,217 3,753
142.58.xxx.xxx 216.148.222.35 25 36,045 2,497
142.58.xxx.xxx 193.70.192.50 25 35,274 3,072
142.58.xxx.xxx 209.202.220.66 25 34,940 3,137
142.58.xxx.xxx 62.55.224.115 25 35,163 2,911
142.58.xxx.xxx 213.81.152.19 25 34,576 2,917
142.58.xxx.xxx 216.123.224.168 25 35,663 1,660
142.58.xxx.xxx 216.239.112.33 25 35,117 2,132
142.58.xxx.xxx 24.71.223.11 25 34,954 1,936
142.58.xxx.xxx 132.156.36.1 25 34,603 2,057
142.58.xxx.xxx 195.186.1.200 25 34,757 1,885
142.58.xxx.xxx 61.8.126.17 25 34,256 2,137
142.58.xxx.xxx 199.185.220.249 25 8,133 13,832
142.58.xxx.xxx 165.252.95.227 25 6,954 14,073
142.58.xxx.xxx 66.218.86.253 25 8,635 10,971
142.58.xxx.xxx 64.59.128.220 25 5,568 11,581
142.58.xxx.xxx 199.175.121.9 25 6,570 9,018
142.58.xxx.xxx 67.28.114.32 25 5,538 7,455
142.58.xxx.xxx 64.40.102.41 25 6,510 5,670
142.58.xxx.xxx 207.194.209.159 25 4,287 5,831
142.58.xxx.xxx 64.156.215.7 25 3,703 4,969
142.58.xxx.xxx 12.158.35.251 25 3,480 4,806
142.58.xxx.xxx 216.251.43.9 25 2,736 4,926
142.58.xxx.xxx 63.65.28.214 25 2,318 4,701
142.58.xxx.xxx 66.51.160.60 25 6,488 0
142.58.xxx.xxx 64.114.3.9 25 2,298 3,489
142.58.xxx.xxx 66.218.71.164 25 5,766 0
142.58.xxx.xxx 66.218.71.198 25 5,580 0
142.58.xxx.xxx 208.181.47.1 25 2,408 3,127
142.58.xxx.xxx 216.251.43.10 25 1,368 2,571
142.58.xxx.xxx 65.39.136.80 25 3,348 0
142.58.xxx.xxx 66.218.86.254 25 1,376 1,858
142.58.xxx.xxx 64.26.62.254 25 1,674 1,458
142.58.xxx.xxx 132.156.36.49 25 1,344 1,699
142.58.xxx.xxx 12.158.34.245 25 2,230 680
142.58.xxx.xxx 209.17.181.185 25 1,488 1,296
142.58.xxx.xxx 216.251.32.97 25 912 1,802
142.58.xxx.xxx 128.121.212.183 25 1,022 1,588
142.58.xxx.xxx 64.156.215.5 25 906 1,233
142.58.xxx.xxx 213.165.64.100 25 918 1,182
142.58.xxx.xxx 161.184.245.20 25 1,116 972
142.58.xxx.xxx 64.114.3.4 25 1,116 972
142.58.xxx.xxx 217.67.20.134 25 930 810
142.58.xxx.xxx 63.240.161.100 25 1,674 0
142.58.xxx.xxx 216.113.194.65 25 1,488 0
142.58.xxx.xxx 64.59.128.198 25 1,302 0
142.58.xxx.xxx 66.51.163.198 25 1,302 0
142.58.xxx.xxx 68.118.205.56 25 974 248
142.58.xxx.xxx 212.5.216.26 25 373 808
142.58.xxx.xxx 216.136.232.200 25 1,116 0
142.58.xxx.xxx 62.55.224.112 25 558 486
142.58.xxx.xxx 216.251.43.17 25 558 432
142.58.xxx.xxx 193.70.192.54 25 374 597
142.58.xxx.xxx 193.70.192.55 25 374 597
142.58.xxx.xxx 193.70.192.90 25 374 597
142.58.xxx.xxx 213.165.64.20 25 380 585
142.58.xxx.xxx 165.252.95.250 25 930 0
142.58.xxx.xxx 217.67.20.130 25 930 0
142.58.xxx.xxx 64.114.94.181 25 930 0
142.58.xxx.xxx 165.252.95.226 25 744 0
142.58.xxx.xxx 66.218.75.184 25 744 0
142.58.xxx.xxx 195.146.134.55 25 278 316
142.58.xxx.xxx 170.224.17.50 25 558 0
142.58.xxx.xxx 199.71.43.19 25 558 0
142.58.xxx.xxx 204.213.190.106 25 558 0
142.58.xxx.xxx 206.105.19.45 25 558 0
142.58.xxx.xxx 206.105.19.47 25 558 0
142.58.xxx.xxx 216.136.224.155 25 558 0
142.58.xxx.xxx 216.145.54.171 25 558 0
142.58.xxx.xxx 192.44.184.21 25 224 252
142.58.xxx.xxx 142.232.99.101 25 372 0
142.58.xxx.xxx 209.202.192.25 25 372 0
142.58.xxx.xxx 216.251.32.98 25 186 186
142.58.xxx.xxx 66.218.71.63 25 372 0
142.58.xxx.xxx 194.221.183.1 25 186 0
142.58.xxx.xxx 195.210.91.83 25 186 0
142.58.xxx.xxx 207.102.244.193 25 186 0
142.58.xxx.xxx 209.202.220.65 25 186 0
142.58.xxx.xxx 209.202.220.97 25 186 0
142.58.xxx.xxx 213.165.64.17 25 186 0
142.58.xxx.xxx 213.165.65.100 25 186 0
142.58.xxx.xxx 63.250.206.138 25 186 0
65.218.4.54 total traffic: 4,972,969
142.58.xxx.x 65.218.4.54 25 4,869,335 103,634
63.240.161.100 total traffic: 4,904,951
142.58.xxx.25 63.240.161.100 25 4,867,916 23,360
142.58.xxx.161 63.240.161.100 25 6,654 1,299
204.xxx.18.1 63.240.161.100 25 2,834 842
142.58.xxx.133 63.240.161.100 25 1,674 0
...
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
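An added example, not Peter Van Epp's perl script: the same aggregation in Python, run over constructed ra-style lines. It assumes ra was run to print whitespace-separated "src dst dport sbytes dbytes" fields (the columns in the listing above), and that the local network (192.0.2.0/24) and legitimate mail server (192.0.2.25) are known; it also adds a distinct-destination count, since the worm fingerprint above is a long fan-out of small flows rather than one large flow to a real MTA.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local network
MAIL_SERVERS = {"192.0.2.25"}                      # assumed legitimate MTAs

# Constructed ra-style "src dst dport sbytes dbytes" lines: one infected PC
# fanning out to many MTAs, the real local MTA, inbound mail, a non-SMTP flow.
SAMPLE = """\
192.0.2.77 203.0.113.10 25 486436 38942
192.0.2.77 203.0.113.11 25 489406 0
192.0.2.77 203.0.113.12 25 558 0
192.0.2.77 203.0.113.13 25 186 0
192.0.2.25 198.51.100.5 25 4867916 23360
198.51.100.9 192.0.2.25 25 1302 0
192.0.2.77 203.0.113.99 80 5000 20000
"""

def parse_ra_lines(text):
    """Yield (src, dst, dport, sbytes, dbytes); skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and all(p.isdigit() for p in parts[2:]):
            yield parts[0], parts[1], int(parts[2]), int(parts[3]), int(parts[4])

def smtp_senders(text, local_net=LOCAL_NET, mail_servers=MAIL_SERVERS):
    """[(src, total_bytes, distinct_dsts, flows)] for local non-MTA hosts
    sending to port 25, largest total first; flows sorted largest first."""
    per_src = defaultdict(list)
    for src, dst, dport, sb, db in parse_ra_lines(text):
        if dport != 25 or src in mail_servers:
            continue  # only SMTP, and legitimate MTAs are suppressed
        if ipaddress.ip_address(src) not in local_net:
            continue  # incoming mail is not interesting here
        per_src[src].append((dst, sb, db))
    report = []
    for src, flows in per_src.items():
        flows.sort(key=lambda f: f[1] + f[2], reverse=True)
        total = sum(sb + db for _, sb, db in flows)
        report.append((src, total, len({d for d, _, _ in flows}), flows))
    return sorted(report, key=lambda r: r[1], reverse=True)

def format_report(report):
    """Render in the same shape as the listing above, plus a fan-out count."""
    out = []
    for src, total, n_dst, flows in report:
        out.append(f"{src} total traffic: {total:,} ({n_dst} distinct SMTP peers)")
        out += [f"{src} {d} 25 {sb:,} {db:,}" for d, sb, db in flows]
    return "\n".join(out)
```

Run it with `print(format_report(smtp_senders(SAMPLE)))`; only the fanning-out PC survives the filters, with its flows listed largest first.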