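:::::::::::::: run-ponmocup-finder.sh ::::::::::::::
#!/bin/bash
# run-ponmocup-finder.sh - daily driver around ponmocup-finder.sh.
#
# Rotates the previous run's log/result files, runs the finder over the
# suspicious-domain list, then derives from its log: the CIF feed, the
# per-TLD extracts (CH/LI, DE) and the per-domain first/last-seen history.
#
# Usage:  ./run-ponmocup-finder.sh [anything]
#         Any argument skips the rotation step (keeps the *-latest.txt files).
# Globals: none read; writes files under base_dir and feed_dir.
#
# No "set -e": grep legitimately returns 1 on "no match" while building
# empty extract files, and that must not abort the run.
set -u

base_dir=/var/www/pub/botnet/ponmocup/ponmocup-finder
feed_dir=/var/www/pub/malware-feeds
cd "$base_dir" || { echo "cannot cd to $base_dir" >&2; exit 1; }

# One date stamp for the whole run, so rotated names and the history
# rewrite agree even if the run crosses midnight.
today=$(date +%Y-%m-%d)

echo "# date started: $(date)"

if [[ $# -lt 1 ]]; then
  mv ponmocup-finder-log-latest.txt "ponmocup-finder-log-${today}.txt"
  mv ponmocup-infected-domains-latest.txt "ponmocup-infected-domains-${today}.txt"
  # "./" keeps a log whose name starts with "-" from being parsed as an option.
  mv ./*_wget_log.txt _wget-logs-backup
else
  echo "not moving latest files!"
fi

# Fresh result file: header first, then the INFECTED lines from the finder log.
cp ponmocup-infected-domains-latest_header.txt ponmocup-infected-domains-latest.txt
./ponmocup-finder.sh ponmocup-suspicious-domains-latest.txt | tee ponmocup-finder-log-latest.txt
grep -E "(^date | INFECTED)" ponmocup-finder-log-latest.txt >> ponmocup-infected-domains-latest.txt

# CIF feed: header, timestamp, then "redirect-host resolved-ip dns-name domain"
# columns picked out of each INFECTED line; "failed:" (no DNS answer) is
# mapped to 0.0.0.0 so every row has an address column.
cif_feed="$feed_dir/ponmocup-infected-domains-CIF-latest.txt"
cp "$feed_dir/ponmocup-infected-domains-CIF-header.txt" "$cif_feed"
{
  echo "# last updated: $(date)"
  echo "#"
  grep -E "( INFECTED)" ponmocup-infected-domains-latest.txt \
    | awk '{ print $14" "$12" "$9" "$3 }' \
    | sed -e 's/failed:/0.0.0.0/g' -e 's/, / /g' \
    | sort
} >> "$cif_feed"

# Per-TLD extracts (the "date" lines are kept as run markers).
grep -E "(^date | INFECTED)" ponmocup-finder-log-latest.txt \
  | grep -E "(^date |\.ch |\.li )" > ponmocup-infected-domains-latest_CH-LI.txt
grep -E "(^date | INFECTED)" ponmocup-finder-log-latest.txt \
  | grep -E "(^date |\.de )" > ponmocup-infected-domains-latest_DE.txt

# History: every dated result file plus "latest", prefixed with the date taken
# from the file name. The glob covers 20??-??-?? rather than only 201?-??-??
# so files from 2020 onwards are not silently dropped from the history.
grep -E "(INFECTED| started)" ponmocup-infected-domains-{20??-??-??,latest}.txt \
  | sed -e 's/ponmocup-infected-domains-//g' -e 's/\.txt:/ /g' \
  > ponmocup-infected-domains-history.txt

# Field 4 of a history line is the probed domain.
grep -E "INFECTED" ponmocup-infected-domains-history.txt | awk '{ print $4 }' \
  | sort | uniq > ponmocup-infected-domains-history-uniq.txt
grep -E "INFECTED" ponmocup-infected-domains-history.txt | awk '{ print $4 }' \
  | sort | uniq -c | sort -nr > ponmocup-infected-domains-history-uniq-c.txt

# First/last seen per domain. The domain is compared as an exact field
# (awk $4 == d) rather than used as an unanchored grep regex, so "." is not a
# wildcard and a domain cannot substring-match another; no per-domain temp
# file is created, so a list entry containing "/" cannot name a path.
while read -r domain; do
  [[ -n "$domain" ]] || continue
  seen=$(awk -v d="$domain" '$4 == d { print $1 }' ponmocup-infected-domains-history.txt)
  first=$(printf '%s\n' "$seen" | head -1)
  last=$(printf '%s\n' "$seen" | tail -1)
  echo "$domain - infected first seen: $first - last seen: $last"
done < ponmocup-infected-domains-history-uniq.txt \
  | sed -e "s/ latest/ ${today}/g" > ponmocup-infected-domains-history-uniq-infected-days.txt
#cat ponmocup-infected-domains-history-uniq.txt | while read domain; do echo -ne "$domain - "; grep $domain ponmocup-infected-domains-history.txt | cut -d" " -f1 | xargs ; done > ponmocup-infected-domains-history-uniq-infected-days.txt

grep -E "(\.ch )" ponmocup-infected-domains-history-uniq-infected-days.txt \
  > ponmocup-infected-domains-history-uniq-infected-days_CH.txt
grep -E "(\.de )" ponmocup-infected-domains-history-uniq-infected-days.txt \
  > ponmocup-infected-domains-history-uniq-infected-days_DE.txt

echo "# date finished: $(date)"
:::::::::::::: ponmocup-finder.sh ::::::::::::::
#!/bin/bash
# ponmocup-finder.sh - probe a list of domains for the Ponmocup redirect pattern.
#
# For each domain, fetch http://<domain>/ once with short timeouts and look at
# the first "Location:" header in the wget log. The domain is reported
# INFECTED when the redirect's query string contains the probed domain AND the
# redirect resolved to a different host; otherwise CLEAN.
#
# Usage:   ./ponmocup-finder.sh <domain-list-file>   (one domain per line)
# Outputs: one "checking domain: <d> --> seems to be ..." line per domain on
#          stdout; <d>_wget_log.txt kept for INFECTED domains, moved to
#          _wget-logs-clean for CLEAN ones.
set -u

base_dir=/var/www/pub/botnet/ponmocup/ponmocup-finder
cd "$base_dir" || { echo "cannot cd to $base_dir" >&2; exit 1; }
[[ $# -ge 1 ]] || { echo "usage: $0 <domain-list-file>" >&2; exit 2; }
list_file=$1

readonly user_agent="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 Ponmocup-Finder_v1"
readonly referer="http://www.google.com/search?q=ponmocup-finder+check"

echo "date started: $(date)"

# "|| [[ -n ... ]]" still processes a last line without a trailing newline.
while read -r domain || [[ -n "$domain" ]]; do
  domain=${domain%$'\r'}
  [[ -n "$domain" ]] || continue
  # The entry becomes a URL host and two file names in the working directory:
  # accept only hostname characters so a malformed line cannot produce a
  # path component such as "../x" or an extra wget option.
  if [[ ! "$domain" =~ ^[A-Za-z0-9._-]+$ ]]; then
    echo "skipping malformed domain entry: $domain" >&2
    continue
  fi
  out_file="${domain}_out.txt"
  log_file="${domain}_wget_log.txt"

  printf 'checking domain: %s --> ' "$domain"
  wget -Sv --tries=1 --connect-timeout=3 --read-timeout=3 --dns-timeout=10 \
    --user-agent="$user_agent" --referer="$referer" \
    "http://${domain}/" -O "$out_file" > "$log_file" 2>&1

  # First Location: header; awk '$1=$1' collapses the leading/inner
  # whitespace of the -S header dump so "cut -d' '" fields line up.
  redir=$(grep -E -m 1 "Location: " "$log_file" | awk '{ $1 = $1; print }')
  ## match=`echo $redir | egrep "(/url\?sa=|/cgi-bin/r.cgi\?p=)" | wc -l`
  # Ponmocup-style redirects embed the probed domain in the query string.
  # Fixed-string match (-F): the domain is data, not a regex.
  match=$(printf '%s\n' "$redir" | cut -d"?" -f2- | grep -c -F -- "$domain")

  if (( match > 0 )); then
    # Host the redirect was resolved against: last of the first two
    # "Resolving host... (host)..." lines in the log.
    redir_dom=$(grep -E -m 2 "Resolving " "$log_file" | tail -1 \
      | sed -e 's/\.\.\./ /g' | cut -d" " -f2)
    # Quoted [[ ]] compare: an empty redir_dom no longer raises a test
    # syntax error and is reported as a redirect to a different host.
    if [[ "$domain" != "$redir_dom" ]]; then
      printf 'seems to be INFECTED: '
      printf '%s' "$(printf '%s\n' "$redir" | cut -d" " -f2 | cut -d"?" -f1)"
      grep -E -m 2 "Resolving " "$log_file" | tail -1 \
        | sed -e 's/Resolving/ --> DNS:/g' -e 's/\.\.\./ \//g'
    else
      echo "seems to be CLEAN (false-positive detected)"
    fi
  else
    echo "seems to be CLEAN"
    rm -f -- "$out_file"
    mv -- "$log_file" _wget-logs-clean
  fi
done < "$list_file"

echo "date finished: $(date)"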