Mailing List Archive: 49091 messages

[REBOL] virus-ip-scan

From: petr::krenzelok::trz::cz at: 12-May-2004 9:27

Hi,

I built a small but useful script for my own purpose to allow me to scan the network for possibly infected computers. It is a new/rewritten version of my old script, which contained IP addresses hardcoded. Now they are abstracted.

I have also one question, hopefully answered by Romano or Gabriele, but I would not mind an answer by anyone else ...

- What I have removed from the script was the request to dns://ip-here, because it lasted too long. So I only ask for the computer name via dns:// if a possible virus is found. I know there is an async dns possibility via dns:///, but I don't know how I should track it, so ....
- It does not try to communicate with the opened port - it only tries to open the tcp port, and if successful, it regards such a machine as being infected.
- It does only a tcp check; I was lazy to abstract it further and scan for UDP opened ports if any virus uses them, but I could add it :-)
- Don't set the timeout too low. I tried with 0.1, so hopefully on a local network it is ok, but you simply risk that if the answer is not fast enough, it will time out and in fact such a machine could be infected ...
- Now for ranges of IP addresses: a block of four integers or subblocks. Examples:

    172 25 7 [0 255]                   ; scan the whole range on the 172.25.7 network
    172 25 7 [20 40 61 61 128 200]     ; scans only the 20-40, 61, 128-200 ranges on the 172.25.7 network
    172 25 [7 10] [0 255]              ; scans the 172.25.7-10 networks, from 0-255
    [0 255] [0 255] [0 255] [0 255]    ; NEVER try that :-)

PS: as always - my code is probably far from optimal, but it hopefully does the job :-)

Now the script:

REBOL []

; Connection timeout for every open attempt (see the note above on not setting it too low).
system/schemes/default/timeout: 0.1

if exists? %virus-ip-scan.log [delete %virus-ip-scan.log]

; Print a line and append the same text to the log file.
; reform gives the file the same text print shows for both strings and blocks.
log: func [text][
    print text
    write/append %virus-ip-scan.log join reform text newline
]

; Each entry: four octet specs, an integer or a block of [min max ...] pairs.
IP-ranges: [
    172 25 7 [0 255]
    172 25 37 [0 255]
    172 25 14 [0 255]
]

; Ports a worm-infected machine is expected to have open.
virus-ports: [
    Sasser [1022 1023 4445 5554 9996]
    Blaster [4444]
]

IPs-to-check: copy []

log ["Start at: " now]
log "Generating IP ranges ..."

; An integer spec is normalised to a one-pair block so every octet is handled the same way.
foreach [IP1 IP2 IP3 IP4] IP-ranges [
    if integer? IP1 [IP1: copy reduce [IP1 IP1]]
    foreach [min-IP1 max-IP1] IP1 [
        for IP-1 min-IP1 max-IP1 1 [
            if integer? IP2 [IP2: copy reduce [IP2 IP2]]
            foreach [min-IP2 max-IP2] IP2 [
                for IP-2 min-IP2 max-IP2 1 [
                    if integer? IP3 [IP3: copy reduce [IP3 IP3]]
                    foreach [min-IP3 max-IP3] IP3 [
                        for IP-3 min-IP3 max-IP3 1 [
                            if integer? IP4 [IP4: copy reduce [IP4 IP4]]
                            foreach [min-IP4 max-IP4] IP4 [
                                for IP-4 min-IP4 max-IP4 1 [
                                    append IPs-to-check to-tuple reduce [IP-1 IP-2 IP-3 IP-4]
                                ]
                            ] ; IP4
                        ]
                    ] ; IP3
                ]
            ] ; IP2
        ]
    ] ; IP1
] ; main loop ...

log "Checking ..."

foreach IP IPs-to-check [
    start: now/time
    ; Collect every virus whose ports answer on this host. The list is created
    ; once per host, outside the virus loop, so a hit for one virus is not lost
    ; when the next virus's ports are checked (the old version reset it per virus).
    infected-by: copy []
    foreach [virus ports] virus-ports [
        foreach port ports [
            ; Only tests whether the port accepts a connection; nothing is sent.
            if attempt [user: open join tcp:// reduce [IP ":" port]][
                if not find infected-by virus [append infected-by virus]
                attempt [close user]
            ]
        ] ; ports
    ] ; virus
    either empty? infected-by [
        log rejoin [now/time - start ": " IP ": OK"]
    ][
        ; Resolve the host name only for suspicious machines (dns:// is slow).
        u: attempt [read join dns:// IP]
        log rejoin [
            now/time - start ": " IP " (user: " either none? u ["unknown"][u] "): "
            form infected-by
        ]
    ]
] ; IP (user)

log ["End of check at: " now]
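The range notation and the per-host bookkeeping from the post, as an added example in Python (not the post's REBOL script): it expands specs like `172 25 7 [20 40 61 61 128 200]` into addresses and keeps the infected-by list across worm families. The probe is injected and the host/port data is constructed, so it runs offline and sends nothing.

```python
"""Added example, not the post's REBOL code: the scanner's pure pieces in
Python, checked offline with an injected probe and constructed host data."""
from ipaddress import IPv4Address
from itertools import product

# Signature ports exactly as listed in the post.
VIRUS_PORTS = {"Sasser": [1022, 1023, 4445, 5554, 9996], "Blaster": [4444]}

def expand_octet(spec):
    """int -> that value; list -> flat [min max ...] pairs, e.g. the post's
    [20 40 61 61 128 200] -> 20..40, 61, 128..200."""
    if isinstance(spec, int):
        spec = [spec, spec]
    if len(spec) % 2:
        raise ValueError("range block needs min/max pairs")
    values = []
    for lo, hi in zip(spec[::2], spec[1::2]):
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {lo}-{hi}")
        values.extend(range(lo, hi + 1))
    return values

def expand_ranges(ip_ranges):
    """Flat list of four octet specs per entry (the post's IP-ranges block);
    yields addresses lazily in scan order."""
    if len(ip_ranges) % 4:
        raise ValueError("each entry needs four octet specs")
    for i in range(0, len(ip_ranges), 4):
        octets = [expand_octet(s) for s in ip_ranges[i:i + 4]]
        for combo in product(*octets):
            yield IPv4Address(".".join(map(str, combo)))

def classify_host(ip, port_open):
    """Worm families with at least one signature port open on ip, using the
    injected probe port_open(ip, port) -> bool. The list is kept across
    families; the post's script reset it per family, so a host open only on
    Sasser ports was logged OK once the Blaster check found nothing."""
    return [virus for virus, ports in VIRUS_PORTS.items()
            if any(port_open(ip, p) for p in ports)]

# Constructed sample: ports each host "answers" on, standing in for open tcp://.
OPEN_PORTS = {"172.25.7.20": {5554, 9996}, "172.25.7.61": {1023, 4444}}

def fake_probe(ip, port):
    return port in OPEN_PORTS.get(str(ip), set())

def scan(ip_ranges, port_open=fake_probe):
    """{ip: [families]} for every host in the ranges with a signature port open."""
    return {str(ip): hit for ip in expand_ranges(ip_ranges)
            if (hit := classify_host(ip, port_open))}
```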