<?php

/*
*   +------------------------------------------------------------------------------+
*     worms : Analyse and return http worms attack detected on apache access logs
*   +------------------------------------------------------------------------------+
*     by Dynamix © 2002-2003 all rights reserved
*   +------------------------------------------------------------------------------+
*     OSI License : 
*	 GNU Lesser General Public License (LGPL)
*   +------------------------------------------------------------------------------+
*     Disclaimer Notice(s)
* 	 This copyright notice cannot be removed in any case, and should be included
*  	 in every Dynamix project or demo code.
*
*  	 The author isn't responsible of any damage could be caused by this software.
*  	 Use it at your own risk !
*
*   +------------------------------------------------------------------------------+
*     @todo a lot i guess :-)
*   +------------------------------------------------------------------------------+
*
*   +------------------------------------------------------------------------------+
*     @author Ben Yacoub Hatem	<hide@address.com>
*   +------------------------------------------------------------------------------+
*	  @version 1.0.0 20-04-2003 13:42:36 generated using DxPHPClassBuilder by Hatem
*     @url http://www.dynamix-tn.com
*
*/

	// Report fatal run-time errors only (E_ERROR === 1). Warnings and notices
	// raised further down the script are therefore not displayed.
	error_reporting(E_ERROR);

	/**
	 * Worm request signatures that are searched for in every access-log line.
	 * The values are regular-expression source text, which is why "/", "."
	 * and "?" are backslash-escaped.
	 */
	define('TRIGGER1', 'GET \/default\.ida\?NNNNNN'); // CodeRed I
	define('TRIGGER2', 'GET \/default\.ida\?XXXXXX'); // CodeRed II
	define('TRIGGER3', 'GET \/scripts\/root\.exe');   // Nimda
	// TRIGGER4 (W32.Klez) is left undefined: no signature has been written for it.

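  /**
   * Scans an Apache access log for the request signatures held in TRIGGER1,
   * TRIGGER2 and TRIGGER3 (CodeRed I, CodeRed II, Nimda) and builds an HTML
   * report of the matching lines.
   *
   * Review notes:
   *  - Every value copied from the log into the report is HTML-escaped. Log
   *    lines are written from client-supplied request data, so they must be
   *    treated as untrusted when rendered in a browser.
   *  - $hackers keeps the RAW matching log lines. Callers that display them
   *    have to escape them themselves.
   *  - A signature is searched in the whole line, not only in the request
   *    field, so a line also matches when the signature text appears in
   *    another logged field.
   *  - An unreadable log is reported explicitly, so that zero counts are not
   *    mistaken for "no attack seen".
   */
  class worms
  {
      /**
       * Path of the access log to analyse.
       *
       * @var    string
       * @see    _set_accesslog(), _get_accesslog()
       * @access public
       */
      public $accesslog = "C:\apache\logs\access.log";

      /**
       * Raw (unescaped) log lines that matched a signature. A line that
       * matches several signatures is stored once per match.
       *
       * @var    array
       * @see    _set_hackers(), _get_hackers()
       * @access public
       */
      public $hackers = array();

      /**
       * Number of matches per signature, keyed by worm name.
       *
       * @var    array
       * @see    _set_counter(), _get_counter()
       * @access public
       */
      public $counter = array(
          'codered1' => 0,
          'codered2' => 0,
          'nimda'    => 0,
      );

      /**
       * HTML report accumulated so far.
       *
       * @var    string
       * @access public
       */
      public $result = '';

      /**
       * Class worms constructor. Nothing to initialise: all defaults are set
       * on the property declarations.
       */
      public function __construct()
      {
      }

      /**
       * Read the access log line by line, record every line that contains a
       * worm signature and return the HTML report.
       *
       * @return string HTML report: one entry per match, then the summary
       *                produced by report()
       * @access public
       */
      public function get_apache_worms()
      {
          // Signature (regular-expression source) => counter key, report label.
          $signatures = array(
              TRIGGER1 => array('codered1', 'CodeRed I'),
              TRIGGER2 => array('codered2', 'CodeRed II'),
              TRIGGER3 => array('nimda', 'Nimda'),
          );

          $fd = is_readable($this->accesslog) ? fopen($this->accesslog, 'r') : false;
          if ($fd === false) {
              // Say so in the report: silent zero counts would read as a clean log.
              $this->result .= "<b><font color=red>The access log could not be read</font></b>"
                  . " - the figures below do not mean that no attack took place<br>\n";

              return $this->report();
          }

          // No length limit on fgets(): a capped read splits a long line into
          // chunks that would then be parsed as separate log entries.
          while (($line = fgets($fd)) !== false) {
              // Field 0 is the client address, fields 3 and 4 the timestamp and
              // its zone offset. Short or malformed lines are padded with ''.
              $fields = array_pad(explode(' ', rtrim($line, "\r\n")), 5, '');
              $ip     = $this->_html($fields[0]);
              $when   = $this->_html($fields[3] . ' ' . $fields[4]);

              foreach ($signatures as $pattern => $info) {
                  // preg_match() replaces ereg(), which no longer exists in
                  // PHP 7 and later. The constants already escape "/", so they
                  // can be wrapped in "/" delimiters as they are.
                  if (preg_match('/' . $pattern . '/', $line) !== 1) {
                      continue;
                  }

                  list($key, $label) = $info;
                  $this->result .= "<b><font color=red>$label <small>WORM</small> Attack Detected</font></b>"
                      . " Hacker IP : <b>$ip</b> - Date : <b>$when</b><br>\n";
                  array_push($this->hackers, $line);
                  $this->counter[$key]++;
              }
          }
          fclose($fd);

          return $this->report();
      }

      /**
       * Append the summary block to the report and return the whole report.
       * Personalize the HTML report here.
       *
       * @return string the accumulated HTML report
       * @access public
       */
      public function report()
      {
          $this->result .= "\n\n<br>\n"
              . "\t\t<b>Apache Worms attack Analyser : </b><br><br>\n\n"
              . "\t\tNumber of worms attack detected : " . count($this->hackers) . " Attacks<br>\n\n"
              . "\t\tN° CodeRed I Attacks: " . $this->counter['codered1'] . " Attacks<br>\n\n"
              . "\t\tN° CodeRed II Attacks: " . $this->counter['codered2'] . " Attacks<br>\n\n"
              . "\t\tN° Nimda Attacks: " . $this->counter['nimda'] . " Attacks<br>\n\n"
              . "\t\t\t";

          return $this->result;
      }

      /**
       * Escape a value taken from the log for use in HTML text.
       *
       * @param  string $value raw text from a log line
       * @return string text that is safe to place inside an HTML element
       */
      private function _html($value)
      {
          return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
      }

      /**
       * Return accesslog value
       *
       * @return string path of the access log
       * @see    var $accesslog
       */
      public function _get_accesslog()
      {
          return $this->accesslog;
      }

      /**
       * Return hackers value
       *
       * @return array raw log lines that matched a signature (not escaped)
       * @see    var $hackers
       */
      public function _get_hackers()
      {
          return $this->hackers;
      }

      /**
       * Return counter value
       *
       * @return array match counts keyed by 'codered1', 'codered2', 'nimda'
       * @see    var $counter
       */
      public function _get_counter()
      {
          return $this->counter;
      }

      /**
       * Set $accesslog value
       *
       * @param string $_accesslog path of the access log to analyse
       * @see   var $accesslog
       */
      public function _set_accesslog($_accesslog)
      {
          $this->accesslog = $_accesslog;
      }

      /**
       * Set $hackers value
       *
       * @param array $_hackers the variable value to set
       * @see   var $hackers
       */
      public function _set_hackers($_hackers)
      {
          $this->hackers = $_hackers;
      }

      /**
       * Set $counter value
       *
       * @param array $_counter the variable value to set; report() reads the
       *                        keys 'codered1', 'codered2' and 'nimda'
       * @see   var $counter
       */
      public function _set_counter($_counter)
      {
          $this->counter = $_counter;
      }
  }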
   
// Script entry point: analyse the default access log and print the HTML report.
$worm = new worms();
print $worm->get_apache_worms();
?>