WormWarner is a Perl script that is used to warn hosts that are probably infected by a worm. It decides wether a host is infected by analyzing the data from the Apache log files. It currently recognizes CodeRed, Nimda, the Linux.Slapper.Worm, and the FreeBSD.Scalper.worm. Warning is done by trying to contact the SMTP server on the infected host and sending an email to the postmaster.
|Operating Systems||POSIX Linux|
Release Notes: A test mode and the option to specify the mail server to use were added. This release also limits the size of an email message when the included log files make it to large. The patterns to detect a worm are now stored in a file, which makes it easier to add patterns. Some new patterns were added.
Release Notes: The scripts now use a GDBM database to keep statistics about the warnings that were sent. This database is also used for rate control to avoid sending too many warnings for the same IP. The ATD-Mass exploiter was added to the recognized attacks. The IP and timezone of the host which runs the script are included in messages to the ISP. Some small bugs were fixed.
Release Notes: A conflict with newer versions of the Mail::Sender module was fixed. A bug which caused wormwarner not to log for some specific email server problems was fixed.
Release Notes: Wormwarner now runs as a daemon which lets it respond within minutes after an infection attempt. The abuse.net database is queried before starting whois queries to find the email address of the ISP to warn. Code cleanups were also made.
Release Notes: This release features improved whois lookup functionality, and can now execute commands (which could be used to modify adaptive firewalls).