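#!/bin/bash
#
# Wormreport 1.0
# Paul Asadoorian (paul.com@brown.edu)
#
# Feel free to modify/copy whatever, just send me what you did! :)
#
# What it does (hourly, from cron):
#   1. sniff a 100-packet sample on the mirror interface for local sources
#      talking to ports associated with worms/bots (445 SMB, 6667/7000 IRC);
#   2. ping-sweep those sources with nmap (TCP "ping" on TESTPORTS);
#   3. banner-grab every live, non-excluded host with amap;
#   4. mail the report if at least one host was scanned.
#
# NOTES/Requirements:
# 1) Rename to 'wormreport' if copying to /etc/cron.hourly on debian
# 2) Create config file and define email addresses, sep. by ","
#      EMAIL=noc@example.edu,secteam@example.edu
# 3) Define excludes in 'egrep' syntax, like:
#      EXCLUDES=127\.0|192\.168
#    EXCLUDES is used verbatim as an egrep -v pattern, so the config file
#    must be root-owned and not writable by anyone else.
# 4) Optional config keys (defaults keep the original Brown setup):
#      IFACE=eth1                 interface receiving the mirrored traffic
#      LOCALNET=128.148.0.0/16    BPF "net" of hosts we are allowed to scan
#      LOCALGREP=128\.148\.       grep pattern that must match the same net
# 5) Make certain you are mirroring traffic to an interface!
# 6) You will need Amap version 4.6
#

# The original shebang was "bash -x"; keep the trace (it goes to stderr,
# which cron mails to the job owner) but set it here so it survives being
# run as "bash wormreport".  Comment out once the job is known to work.
set -x
# An unset variable here would mean mailing nobody or scanning nothing.
set -u

#
# Define some variables
#
TESTPORTS=135,139,445
FILE=/var/log/worms.$(date +%m.%d.%y).out
HOSTS=0
PIDFILE=/var/run/wormreport.pid
AMAP=$(command -v amap || true)
CONFIG=/usr/local/etc/wormexcludes.conf
NMAPOUT=
NMAPLOG=

#######################################
# Read one KEY=value from $CONFIG.
# Only lines beginning with "KEY=" count (a commented-out "#EMAIL=" line is
# ignored) and the value keeps any '=' it contains.  The last match wins.
# Arguments: $1 - key name
# Outputs:   the value on stdout, empty if the key/file is absent
#######################################
cfg_get() {
  local key=$1
  local line
  line=$(grep -- "^${key}=" "$CONFIG" 2>/dev/null | tail -n 1) || true
  printf '%s\n' "${line#*=}"
}

#
# Read values from the config file
#
EMAIL=$(cfg_get EMAIL)
IPEXCLUDE=$(cfg_get EXCLUDES)
IFACE=$(cfg_get IFACE)
LOCALNET=$(cfg_get LOCALNET)
LOCALGREP=$(cfg_get LOCALGREP)
: "${IFACE:=eth1}"
: "${LOCALNET:=128.148.0.0/16}"
: "${LOCALGREP:=128\.148\.}"

# Without a recipient nothing we produce can be delivered, and without amap
# nothing can be scanned; say so on stderr (cron mails it) and stop before
# touching the PID file.
if [[ -z "$EMAIL" ]]; then
  printf 'wormreport: no EMAIL= in %s, giving up\n' "$CONFIG" >&2
  exit 1
fi
if [[ -z "$AMAP" ]]; then
  printf 'wormreport: amap not found in PATH, giving up\n' >&2
  exit 1
fi

#
# Make sure wormreport isn't already running.  A PID file whose process is
# gone (previous run crashed or was killed) is stale and must not block every
# future run, so only a live PID counts.
#
if [[ -e "$PIDFILE" ]]; then
  oldpid=$(cat "$PIDFILE")
  if [[ "$oldpid" =~ ^[0-9]+$ ]] && kill -0 "$oldpid" 2>/dev/null; then
    printf 'Wormreport already running as PID %s\n' "$oldpid" \
      | mail -s "Wormreport ($(date)) 0 Found Wormreport already running" "$EMAIL"
    exit 1
  fi
fi

#
# Write da PID yo
#
echo $$ > "$PIDFILE"

# From here on every exit path (including a failing command below) removes
# the PID file, the report and the scratch files.
cleanup() {
  [[ -n "$NMAPOUT" ]] && rm -f -- "$NMAPOUT"
  [[ -n "$NMAPLOG" ]] && rm -f -- "$NMAPLOG"
  rm -f -- "$FILE" "$PIDFILE"
}
trap cleanup EXIT

# Scratch files get unpredictable names: this runs as root and a fixed
# /tmp/nmap.out could be pre-created or symlinked by a local user.
NMAPOUT=$(mktemp /tmp/wormreport.nmap.XXXXXX) || exit 1
NMAPLOG=$(mktemp /tmp/wormreport.nmaplog.XXXXXX) || exit 1

#
# Grab some traffic known to be associated with worms and malicious activity.
# The BPF expression needs the parentheses: "and" binds tighter than "or", so
# without them any host anywhere hitting 6667/7000 would be captured and
# ping-swept, not just sources inside LOCALNET.
# Field 3 of "tcpdump -nn" is src.ip.port; the second cut drops the port.
# NOTE: "-c 100" blocks until 100 matching packets arrive.
#
IPLIST=$(tcpdump -c 100 -i "$IFACE" -nn \
    "src net $LOCALNET and (dst port 445 or port 6667 or port 7000)" \
  | cut -d" " -f 3 | cut -d"." -f 1,2,3,4 | sort | uniq)

#
# Tell everyone what we are doin, okaaaaaay!
#
printf 'The following hosts were found doing bad things:\n%s\n\n' "$IPLIST" > "$FILE"

# Nothing captured means nothing to sweep (nmap would only complain).
if [[ -z "$IPLIST" ]]; then
  exit 0
fi

#
# Use nmap to 'ping' all hosts given to us (TCP ping on TESTPORTS).
# $IPLIST is deliberately unquoted: one newline-separated IP per word.
#
nmap -T Aggressive -oG "$NMAPOUT" "-PB$TESTPORTS" -sP $IPLIST > "$NMAPLOG" 2>&1

#
# Parse the nmap results and grab IP addresses, keeping only our own net.
# The excludes filter is applied only when configured: "egrep -v" with an
# empty pattern argument would discard every target.
#
TARGETS=$(grep "Host:" "$NMAPOUT" | awk '{print $2}' | grep -- "$LOCALGREP")
if [[ -n "$IPEXCLUDE" ]]; then
  TARGETS=$(printf '%s\n' "$TARGETS" | egrep -v -- "$IPEXCLUDE")
fi

#
# Tell everyone which hosts we found alive
#
printf 'The following hosts were alive and will be scanned:\n%s\n\n' "$TARGETS" >> "$FILE"

#
# Scan all live hosts and grab all banners
# Also keep track of how many hosts we scan
#
while IFS= read -r host; do
  [[ -n "$host" ]] || continue
  echo "" >> "$FILE"
  echo "***** Banner Grabbing $host *****" >> "$FILE"
  "$AMAP" -U -q -B "$host" 1-65535 >> "$FILE"
  HOSTS=$((HOSTS + 1))
done <<< "$TARGETS"

#
# Send Email, Holla!
#
if (( HOSTS != 0 )); then
  mail -s "Worm Report - $(date) $HOSTS Found" "$EMAIL" < "$FILE"
fi

# Clean-up is done by the EXIT trap.
exit 0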