#!/bin/sh

#
# Nimda Spammer             (c) Edwin Groothuis
# v1.1                      edwin@mavetju.org, http://www.mavetju.org
# $Id: nimdaspammer,v 1.4 2001/09/26 00:00:42 mavetju Exp $
#
# See http://www.mavetju.org/download/LICENSE for the usage and
# distribution license.
#
# This program takes as argument one or more hostnames from the same domain,
# for example: "nimdaspammer www.mavetju.org k7.mavetju.org".
#
# It will take the following actions:
# - If the first argument is an IP address, it will take the contact-name
#   from the SOA record from the in-addr.arpa from the IP address
#   and use that as if the first argument for the rest of this program.
#   For example: The contact-data for 1.2.3.4 via 4.3.2.1.in-addr.arpa
#   is hostmaster@mavetju.org. That's one email address. Further
#   we use xxx.mavetju.org as input for the rest of the program.
#
# - From the first argument, it will take the domain and see how
#   much subdomains can be added to it.
#   For example, if we have host xxx.yyy.mavetju.org, we can make
#   domains yyy.mavetju.org and mavetju.org from it. It tries to be
#   smart and to keep in mind that certain ccTLDs have TLD-alike
#   construction, so that www.mavetju.org.au doesn't reproduce org.au.
#
# - For all the generated domains it will add abuse@, hostmaster@,
#   postmaster@ and webmaster@ to the mailing-list.
#
# - It will check the SOA record for the domain and take the
#   contact data from it.
#
# - It will try to get data from the whois-database about the domain.
#
# - It will filter out some addresses like *nic.net, ripe.net, arin.net.
#   I don't believe these people want to be spammed by this.
#
# - It will for every hosts print what the last entry in the logfile is.
#
# Hints:
#
# - Be prepared on lots of bounces. See
#   http://www.mavetju.org/networking/whymailfails.phtml for a description
#   of things which will go wrong.
#
# - Don't expect too much responses. If you're lucky you will get
#   autoreplies from abuse-addresses, if you're very lucky sombody
#   will answer you. Everybody who answered me personally, thanks!
#
# - Check the values here below: TIMEZONE, WWWLOG and NAME.
#
# - FRIENDS can be extended where needed. Please tell me.
#
# - If you check the perl-script (search for 'tw') you see a list
#   of ccTLDs. These are the ccTLDs which have a TLD.ccTLD-like structure.
#   If you find a new one, please add it to there and tell me.
#
# - Scan your logfiles once a day:
#   for i in `egrep "(/scripts/root.exe\?/c+dir|/MSADC/root.exe\?/c+dir)" ../www/log/access_log | grep <day>\/<mon> |
#   awk '{ print $1 }' | sort | uniq`; do nimdaspam $i; done
#   For example: grep 09\/Aug 
#   Or use the mailnimda-script for this.
#

#
# my timezone
#
TIMEZONE="UTC+10"

#
# where is the www-log stored
#
WWWLOG="/home/www/log/access_log"

#
# what is my name
#
NAME="Edwin"

#
# who are friends?
#
FRIENDS="arin.net ripe.net nic.or.kr nic.net.sg idnic.net.id"

# no user servicable parts below this

hosts=$*
hostname=$1

getsoa () {
	# in: domain
	# out: email address of soa record
	soa=`dig $domain soa | grep -w "IN SOA" | awk '{ print $6 }' | sed -e 's/\./@/' | sed -e 's/\.$//'`
	if [ -z "`echo $soa | grep '@.*\.'`" ]; then
		echo "(broken SOA data: $soa)"
		soa=""
	fi
}

getdomains () {
	# in: hostname
	# out: domains
	domains=`A=$hostname perl -we '
		%tld=( "au"=>1, "tw"=>1, "kr"=>1, "uk"=>1,
		       "th"=>1, "sg"=>1, "in"=>1, "cn"=>1,
		       "nz"=>1
		       );
		@w=();@a=split(/\./,$ENV{A});
		foreach $a (@a) {
			for ($i=0;$i<=$#w;$i++) {
				$w[$i].=".$a"
			}
			next if (defined $tld{$a});
			push(@w,$a);
		}
		pop(@w);
		shift(@w);
		foreach $w (@w) {
			print $w," ";
		}'
	`
}

getspam() {
	# in: domains
	# out: who, domain
	set $domains
	who=""
	while [ ! -z "$1" ]; do
		d="$1."

		#
		# Sending mail is pretty boring if there are no A or MX records
		#
		if [ -z "`dig $d mx | grep ^$d | grep 'IN MX.`" -a \
		     -z "`dig $d a | grep ^$d | grep 'IN A'`" ]; then
		    echo "(no MX nor A for $d)"
		    shift
		    continue
		fi

		who="$who abuse@$1 hostmaster@$1 webmaster@$1 postmaster@$1"
		domain=$1
		shift
	done
}

getwhois() {
	# in: domain
	# out: whois
	whoist=`whois $domain | grep @`
	echo whoist: $whoist

	if [ -z "$whoist" ]; then
		echo "(whois failed)"
		return
	fi

	set $whoist
	whois=""
	while [ ! -z "$1" ]; do
		#
		# only entries with a @ in it
		#
		if [ ! -z "`echo $1 | grep @`" ]; then
			whois="$whois $1"
		fi
		shift
	done
}

if [ -z "`echo $hostname | grep -i [A-Z]`" ]; then
	echo "getting something of $hostname"
	#
	# we only have a hostname. get the data from the SOA record and pray.
	#
	set `echo $hostname | sed -e 's/\./ /g'`
	domain="$4.$3.$2.$1.in-addr.arpa"
	getsoa
	echo soa: $soa
	soa_ip=$soa

	#
	# convert user@domain into domain
	#
	hostname="bogus.`echo $soa | sed -e 's/^.*@//'`"
fi

getdomains
echo domains: $domains

if [ -z "$domains" ]; then
	echo "(No domains found, giving up)"
	exit
fi

# set the domains
getspam
if [ -z "$domain" ]; then
	echo "(couldn't find any information about this domain, giving up)"
	exit
fi

echo domain: $domain

#
#
#
# Get information from SOA record
#
getsoa
echo soa: $soa

#
#
#
# Get information from WHOIS
#

getwhois
echo whois: $whois


#
# Link all email addresses together
#
set `echo $who $soa $whois $soa_ip | fmt 1 | sort | uniq`
who=""
while [ ! -z "$1" ]; do
	name=$1
	#
	# email address are ...@...[a-zA-Z]
	#
	while [ ! -z "$name" -a -z "`echo $name | grep -i '[a-z]$'`" ]; do
		name=`echo $name | sed -e 's/.$//'`
	done

	#
	# be friendly to nic.net-people
	#
	if [ ! -z "`echo $name | grep -i 'NIC.NET$'`" ]; then
		echo "($name skipped, it's a *nic.net)"
		name=""
	fi

	#
	# be friendly to some people
	#
	for i in $FRIENDS; do
		if [ ! -z "`echo $name | grep -i $i$`" ]; then
			echo "($name skipped, it's a friend)"
			name=""
			break
		fi
	done

	who="$who $name"
	shift
done

if [ -z "`echo $who | grep @`" ]; then
	echo "(nobody to mail, giving up)"
	exit
fi

#
#
#
# Add hosts to the email
#
echo "\
One of your machines has been infected with the Nimda worm.
Please read the CERT advisory about the Nimda worm and patch
your IIS server.

http://www.cert.org/advisories/CA-2001-26.html
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The machines I'm talking about are (the time is $TIMEZONE):" > /tmp/nimda.mail

# add the hosts.
set $hosts
hosts=""
while [ ! -z "$1" ]; do
	echo "- http://$1/" >> /tmp/nimda.mail
	echo "  `grep $1 $WWWLOG | tail -1`" >> /tmp/nimda.mail
	echo "$1 ::	`date`" >> /tmp/nimdasent
	shift
done

echo "
$NAME

ps. I didn't hack/infect your machines. I saw the hostname in the
    log of my webserver.
ps. If you need more information, feel free to reply.

--" >> /tmp/nimda.mail

test -f $HOME/.signature && cat $HOME/.signature >> /tmp/nimda.mail

echo "mailto:$who"

mail -s "One of your webservers is infected/hacked (Nimda worm)" $who < /tmp/nimda.mail

echo "mail sent!"
