攻击排查脚本

jrhapt01:/usr/local/apache-tomcat-7.0.55_8081/logs> cat get_ip.sh 
 cat localhost_access_log.2015-07-13.txt  | grep '/web/noauth?method=%2Fvalidate%2Fcode%2Fsend&mobilePhone=' | grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$'  | awk '{print $NF}' | 

sort -u

jrhapt01:/usr/local/apache-tomcat-7.0.55_8081/logs> cat rsync_ip.sh 
sh ./get_ip.sh >ip.txt
passwd=xxxxx
expect <<!
spawn rsync -avH ip.txt [email protected]:/root/sbin/
expect {
    "(yes/no)?" {
        send "yes\n"
        expect "password:"
        send "$passwd\n"
    }
        "password:" {
        send "$passwd\n"
    }
 }
expect eof
exit
!



use POSIX;  
#if ( $#ARGV < 0 ){  
#        print "please input your database name!\n";  
#                exit(-1);  
#                    }  
#my $name= $ARGV[0];
my $SDATE = strftime("%Y-%m-%d",localtime());
#@ip=`cat localhost_access_log.$SDATE.txt  | grep '/web/noauth?method=%2Fvalidate%2Fcode%2Fsend&mobilePhone=' | grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$'  | awk '{print $NF}' | 

sort -u`;
$file="localhost_access_log.$SDATE.txt";
open (LOG ,"<","$file");  
                    while (<LOG>) {  
                    chomp; 
 if ($_ =~ /.* "GET\s*(.*?)=.*\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/){
 $url=$1;
$ip=$2;
 $log{$url}++;
 $hash{$ip}++;
}};

while(my($url, $times) = each %log) {  
                   print "$url count(*) ==   $times\n"};
while(my($ip, $times) = each %hash) {
                   print "$ip count(*) ==   $times\n"};