Menú

Mostrar Mensajes

Esta sección te permite ver todos los mensajes escritos por este usuario. Ten en cuenta que sólo puedes ver los mensajes escritos en zonas a las que tienes acceso en este momento.

Mostrar Mensajes Menú

Temas - ksha

Páginas1
#1
Batch - Bash / Aplicando filtros en la salida
Marzo 02, 2011, 03:16:27 PM
hola muchachos quizas aun no se acostumbran mucho a linux, osea yo diria que a las consolas, por mi parte prefiero utilizar comandos para todo y es asi como he aprendido durante estos años.

supongamos que tenemos un file llamado errores el cual tiene mucha basura y queremos solamente rescatar lo que queremos.
que seria unos ips para luego agregarlos a un filtro que baniara a esos ips (el ban seria para otro doc mas trabajado).

errores
Código: php

[Tue Mar 01 00:25:43 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/db
[Tue Mar 01 00:25:43 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/db
[Tue Mar 01 00:25:43 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/db
[Tue Mar 01 00:25:43 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/db
[Tue Mar 01 00:25:44 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/db
[Tue Mar 01 00:25:44 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.11.8.1-all-languages-utf-8-only
[Tue Mar 01 00:25:44 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.11.8.1-all-languages
[Tue Mar 01 00:25:44 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.11.7.1-all-languages-utf-8-only
[Tue Mar 01 00:25:45 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.11.7.1-all-languages
[Tue Mar 01 00:25:45 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.11.6-all-languages
[Tue Mar 01 00:25:45 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.11.5.1-all-languages
[Tue Mar 01 00:25:45 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/administrator
[Tue Mar 01 00:25:46 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/administrator
[Tue Mar 01 00:25:46 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/administrator
[Tue Mar 01 00:25:46 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/administrator
[Tue Mar 01 00:25:46 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/administrator
[Tue Mar 01 00:25:46 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/administrator
[Tue Mar 01 00:25:47 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/administrator
[Tue Mar 01 00:25:47 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin2
[Tue Mar 01 00:25:47 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2
[Tue Mar 01 00:25:47 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/php-my-admin
[Tue Mar 01 00:25:48 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.2.3
[Tue Mar 01 00:25:48 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.2.6
[Tue Mar 01 00:25:48 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.5.1
[Tue Mar 01 00:25:48 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.5.4
[Tue Mar 01 00:25:48 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.5.5-rc1
[Tue Mar 01 00:25:49 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.5.5-rc2
[Tue Mar 01 00:25:49 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.5.5
[Tue Mar 01 00:25:49 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.5.5-pl1
[Tue Mar 01 00:25:49 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.5.6-rc1
[Tue Mar 01 00:25:50 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.5.6-rc2
[Tue Mar 01 00:25:50 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.5.7
[Tue Mar 01 00:25:51 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.5.7-pl1
[Tue Mar 01 00:25:51 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.0-alpha
[Tue Mar 01 00:25:52 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.0-alpha2
[Tue Mar 01 00:25:52 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.0-beta1
[Tue Mar 01 00:25:52 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.0-beta2
[Tue Mar 01 00:25:53 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.0-rc1
[Tue Mar 01 00:25:53 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.0-rc2
[Tue Mar 01 00:25:54 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.0-rc3
[Tue Mar 01 00:25:54 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.0
[Tue Mar 01 00:25:55 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.0-pl1
[Tue Mar 01 00:25:55 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.0-pl2
[Tue Mar 01 00:25:56 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.0-pl3
[Tue Mar 01 00:25:56 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.1-rc1
[Tue Mar 01 00:25:57 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.1-rc2
[Tue Mar 01 00:25:57 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.1
[Tue Mar 01 00:25:58 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.1-pl1
[Tue Mar 01 00:25:58 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.1-pl2
[Tue Mar 01 00:25:58 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.1-pl3
[Tue Mar 01 00:25:59 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.2-rc1
[Tue Mar 01 00:25:59 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.2-beta1
[Tue Mar 01 00:26:00 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.2
[Tue Mar 01 00:26:00 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.2-pl1
[Tue Mar 01 00:26:01 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.3
[Tue Mar 01 00:26:01 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.3-rc1
[Tue Mar 01 00:26:02 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.3-pl1
[Tue Mar 01 00:26:02 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.4-rc1
[Tue Mar 01 00:26:03 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.4-pl1
[Tue Mar 01 00:26:03 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.4-pl2
[Tue Mar 01 00:26:03 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.4-pl3
[Tue Mar 01 00:26:04 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.4-pl4
[Tue Mar 01 00:26:04 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.6.4
[Tue Mar 01 00:26:05 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.7.0-beta1
[Tue Mar 01 00:26:05 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.7.0-rc1
[Tue Mar 01 00:26:06 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.7.0-pl1
[Tue Mar 01 00:26:06 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.7.0-pl2
[Tue Mar 01 00:26:07 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.7.0
[Tue Mar 01 00:26:07 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.8.0-beta1
[Tue Mar 01 00:26:08 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.8.0-rc1
[Tue Mar 01 00:26:08 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.8.0-rc2
[Tue Mar 01 00:26:09 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.8.0
[Tue Mar 01 00:26:09 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.8.0.1
[Tue Mar 01 00:26:10 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.8.0.2
[Tue Mar 01 00:26:10 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.8.0.3
[Tue Mar 01 00:26:10 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.8.0.4
[Tue Mar 01 00:26:11 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.8.1-rc1
[Tue Mar 01 00:26:11 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.8.1
[Tue Mar 01 00:26:12 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.8.2
[Tue Mar 01 00:26:12 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.8.3
[Tue Mar 01 00:26:13 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.8.4
[Tue Mar 01 00:26:13 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.9
[Tue Mar 01 00:26:14 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.9.1
[Tue Mar 01 00:26:14 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.9.2
[Tue Mar 01 00:26:15 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.9-rc1
[Tue Mar 01 00:26:15 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.11.1
[Tue Mar 01 00:26:19 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.11.4
[Tue Mar 01 00:26:19 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-3.3.4
[Tue Mar 01 00:26:19 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-3.3.4-rc1
[Tue Mar 01 00:26:20 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-3.3.5
[Tue Mar 01 00:26:20 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-3.3.5-rc1
[Tue Mar 01 00:26:21 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/p
[Tue Mar 01 00:26:21 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/PMA2005
[Tue Mar 01 00:26:22 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/pma2005
[Tue Mar 01 00:26:22 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpmanager
[Tue Mar 01 00:26:23 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/PMA2009
[Tue Mar 01 00:26:23 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/pma2009
[Tue Mar 01 00:26:24 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/PMA2010
[Tue Mar 01 00:26:24 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/pma2010
[Wed Mar 02 06:35:14 2011] [error] [client 205.234.236.28] File does not exist: /home/vhosts/underc0de.org/user


Primeramente antes de realizar el parser hay que ver que caracter tenemos en comun entre toda esta mierda.
por lo que veo a primera vista serian los espacios. antes de hacer una regla general hago siempre un head que me mostrara la primera parte del archivo, por que hago eso ? por la simple razon que cuando le das un cat a un archivo superior a 20 mb te llenara la pantalla con mierda y posiblemente llegues a dosear tu server.

Código: php

ksha@warbof:~$ head errores 
[Tue Mar 01 00:25:43 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/db
[Tue Mar 01 00:25:43 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/db
[Tue Mar 01 00:25:43 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/db
[Tue Mar 01 00:25:43 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/db
[Tue Mar 01 00:25:44 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/db
[Tue Mar 01 00:25:44 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.11.8.1-all-languages-utf-8-only
[Tue Mar 01 00:25:44 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.11.8.1-all-languages
[Tue Mar 01 00:25:44 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.11.7.1-all-languages-utf-8-only
[Tue Mar 01 00:25:45 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.11.7.1-all-languages
[Tue Mar 01 00:25:45 2011] [error] [client 81.255.221.109] File does not exist: /home/vhosts/underc0de.org/phpMyAdmin-2.11.6-all-languages


empezando a parsear
Código: php

ksha@warbof:~$ head errores | awk -F' ' '{print $1}'
[Tue
[Tue
[Tue
[Tue
[Tue
[Tue
[Tue
[Tue
[Tue
[Tue


pero por que me sale solo eso ? por que con awk puse como delimitador el espacio (awk -F' ') ahora solo tienen que contar para llegar a la parte que necesitamos.

Código: php
ksha@warbof:~$ head errores | awk -F' ' '{print $8}'
81.255.221.109]
81.255.221.109]
81.255.221.109]
81.255.221.109]
81.255.221.109]
81.255.221.109]
81.255.221.109]
81.255.221.109]
81.255.221.109]
81.255.221.109]


ahora solo nos queda el quitar el ]

se puede hacer de varias maneras a mi me gusta mas utilizar expresiones regulares aunque podriar utilizar cut u otros.

Código: php
ksha@warbof:~$ head errores | awk -F' ' '{print $8}' | sed -e 's/]//g'
81.255.221.109
81.255.221.109
81.255.221.109
81.255.221.109
81.255.221.109
81.255.221.109
81.255.221.109
81.255.221.109
81.255.221.109
81.255.221.109


pero nos faltaria quitar las repetidas ? por supuesto muchachos. primero debemos ordenar (sort) y luego dejar solo las unicas (uniq). veamos como se veria el src.

Código: php

ksha@warbof:~$ head errores | awk -F' ' '{print $8}' | sed -e 's/]//g' | sort | uniq
81.255.221.109


pero vemos solo un ip y eran varias, por supuesto no se olviden de reemplazar el head por cat y veran la salida completa.

Código: php
ksha@warbof:~$ cat errores | awk -F' ' '{print $8}' | sed -e 's/]//g' | sort | uniq 
205.234.236.28
81.255.221.109


bueno son pocos solo puse un extracto del archivo real

que serian estos.

Código: php

109.43.235.186
110.138.101.12
113.111.197.61
114.80.93.71
123.125.71.31
123.125.71.47
124.115.1.8
124.13.222.25
125.53.7.80
151.51.60.73
174.127.132.156
174.127.132.159
174.127.132.161
178.217.164.97
186.10.116.221
186.10.249.83
186.104.181.79
186.104.81.14
186.110.27.37
186.112.60.32
186.113.96.26
186.124.17.86
186.140.246.107
186.24.20.1
186.41.71.128
186.42.157.1
186.43.88.5
186.58.0.34
186.59.22.146
186.60.131.71
186.62.132.67
186.80.147.98
186.84.152.105
187.131.179.69
187.144.29.3
187.145.96.224
187.159.115.147
187.159.153.240
187.159.32.115
187.198.130.69
188.40.124.153
189.129.82.41
189.131.177.199
189.131.212.83
189.134.172.134
189.139.142.210
189.139.84.226
189.143.127.244
189.156.93.26
189.161.133.171
189.165.26.62
189.166.67.194
189.168.184.156
189.171.86.163
189.174.126.208
189.174.141.116
189.177.109.177
189.177.183.211
189.179.215.33
189.183.49.110
189.187.211.24
189.188.239.51
189.191.47.233
189.193.20.145
189.193.63.235
189.196.104.17
189.196.3.168
189.200.56.63
189.203.87.218
189.212.168.214
189.214.24.203
189.216.140.211
189.216.150.45
189.216.253.56
189.216.76.79
189.217.244.99
189.220.2.132
189.223.0.29
189.225.169.220
189.231.176.113
189.245.48.13
189.247.220.189
189.248.106.112
189.35.202.233
190.100.159.155
190.118.21.101
190.13.140.102
190.139.100.18
190.140.239.245
190.148.21.78
190.151.95.26
190.157.178.179
190.159.31.105
190.161.226.115
190.162.182.120
190.166.146.113
190.174.138.202
190.179.187.51
190.179.189.235
190.188.13.101
190.192.161.197
190.196.8.42
190.200.217.116
190.201.142.148
190.208.99.225
190.210.117.201
190.228.23.130
190.234.14.7
190.235.113.126
190.235.82.237
190.24.174.103
190.248.81.3
190.31.158.212
190.38.183.209
190.41.10.247
190.41.203.20
190.42.172.180
190.46.45.29
190.51.249.191
190.55.107.100
190.6.195.163
190.66.72.211
190.67.28.138
190.73.130.112
190.75.242.146
190.82.168.105
190.96.32.106
190.96.70.34
193.153.190.123
193.5.93.128
194.48.133.8
195.117.88.247
200.116.188.1
200.117.83.29
200.120.40.165
200.123.162.165
200.14.67.37
200.28.91.177
200.29.151.82
200.30.249.71
200.33.8.196
200.38.82.100
200.75.51.148
200.76.52.115
200.88.176.129
200.88.179.160
200.89.69.3
200.92.247.254
201.110.228.50
201.124.46.28
201.140.80.139
201.144.243.199
201.145.7.203
201.155.36.249
201.161.22.66
201.164.156.125
201.170.120.83
201.170.80.100
201.171.75.203
201.196.248.98
201.198.200.74
201.198.42.14
201.199.55.22
201.213.156.251
201.214.247.127
201.220.232.61
201.221.205.4
201.223.198.1
201.229.209.124
201.232.216.55
201.235.197.246
201.255.236.7
201.255.238.157
201.88.86.181
205.234.236.28
206.53.157.145
207.161.218.133
207.182.146.226
207.46.12.241
207.46.13.136
207.46.13.45
207.46.13.46
207.46.13.86
207.46.13.93
207.46.195.105
207.46.195.235
207.46.199.47
207.46.204.178
208.115.111.249
208.95.38.2
212.106.241.245
213.60.154.195
216.98.154.122
220.181.108.149
24.20.204.180
24.57.202.20
46.4.50.141
62.202.91.39
62.226.87.83
62.57.158.6
63.68.228.197
64.32.114.41
64.89.3.193
65.52.110.20
65.52.110.86
66.220.149.244
66.220.149.245
66.220.149.249
66.220.158.244
66.220.158.245
66.220.158.246
66.240.31.42
66.249.67.103
66.249.67.71
66.249.68.172
67.195.113.227
68.14.87.87
68.83.25.249
69.19.14.34
69.63.189.247
70.45.60.230
72.14.194.33
75.101.222.128
77.228.226.225
77.248.243.209
78.128.50.2
79.108.185.53
79.146.170.139
79.146.221.176
80.174.12.35
80.25.3.93
80.38.93.45
80.58.205.101
81.202.129.65
81.255.221.109
81.32.118.172
81.36.167.129
81.44.183.1
81.52.143.17
82.213.167.200
83.33.151.59
83.46.170.159
83.54.130.109
83.55.113.216
83.59.245.75
83.61.185.113
84.123.65.58
84.126.218.177
85.228.203.4
85.234.141.97
85.25.84.233
85.50.86.233
85.55.202.76
87.111.193.80
88.22.133.237
88.3.9.104
88.6.51.42
88.8.126.91
88.8.42.186
88.9.49.134
89.131.246.193
90.162.112.214
93.197.251.194
93.40.101.167
94.100.25.52
95.120.90.37
95.121.32.226
98.77.27.154


bueno cualquier duda sera contestada, recivo comentarios y ofertas de trabajo xD, obviamente esto es para que puedan jugar un poco con linea de comandos con una consola.

saludos
#2
C / C++ / Ideas para la programacion de w0rm's o malware en general
Marzo 01, 2011, 02:14:37 PM
Hola, como en un post anterior (No tienes permitido ver los links. Registrarse o Entrar a mi cuenta) mio parece que no se entendio el concepto les dejo un mini howto poc xD, a ver si les sirve para algo aun que sea para investigar mas. como no entrare en detalle por falta de tiempo ademas estoy escribiendo en el trabajo.

Ofuscacion: La ofuscación se refiere a encubrir el significado de una comunicación haciéndola más confusa y complicada de interpretar. No tienes permitido ver los links. Registrarse o Entrar a mi cuenta

Criptografia: La criptografía (del griego κρύπτω krypto, «oculto», y γράφω graphos, «escribir», literalmente «escritura oculta») es la técnica, bien sea aplicada al arte o la ciencia, que altera las representaciones lingüísticas de un mensaje. No tienes permitido ver los links. Registrarse o Entrar a mi cuenta

Para comprender completamente este documento deberan leer sobre asm basico, syscall's y manejar C a bajo nivel tanto asi como estructuras, manejo de memoria dinamica y punteros.

basta de charla y vamos a la accion.

tenemos el siguiente codigo fuente el cual imprime un texto.

normal.c
Código: c
#include <stdio.h>

int main()
{
	printf("Codigo Normal\n");
	return 0;
}


Lo compilaremos sin optimizacion + gdb

Código: php
ksha@warbof:~/dev/c/ofus$ gcc -ggdb -O0 -o normal normal.c 
ksha@warbof:~/dev/c/ofus$ ./normal
Codigo Normal
ksha@warbof:~/dev/c/ofus$


codigo disas
Código: php
080483c4 <main>:
#include <stdio.h>

int main()
{
 80483c4:	55                   	push   %ebp
 80483c5:	89 e5                	mov    %esp,%ebp
 80483c7:	83 e4 f0             	and    $0xfffffff0,%esp
 80483ca:	83 ec 10             	sub    $0x10,%esp
	printf("Codigo Normal\n");
 80483cd:	c7 04 24 a0 84 04 08 	movl   $0x80484a0,(%esp)
 80483d4:	e8 1f ff ff ff       	call   80482f8 <puts@plt>
	return 0;
 80483d9:	b8 00 00 00 00       	mov    $0x0,%eax
}
 80483de:	c9                   	leave  
 80483df:	c3                   	ret   


si analizamos el binario simplemente nos mostraria la informacion del printf o cadena depende del caso y que uso se le de.
Código: php

ksha@warbof:~/dev/c/ofus$ strings normal
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
puts
__libc_start_main
GLIBC_2.0
PTRh
[^_]
Codigo Normal
ksha@warbof:~/dev/c/ofus$


si por ejemplo ponen cadenas con los procesos Av mas comunes seran detectados rapidamente.

veamos el primer ejemplo de ofuscacion.

NOTA: debes saber C avanzado para enterder algunas lineas del codigo.

ofus1.c
Código: c
extern int printf(__const char *__restrict __format, ...); 

int main()
{
	printf("Codigo Normal\n");
	return 0;
}


Código: php
ksha@warbof:~/dev/c/ofus$ gcc -ggdb -O0 -o ofus1 ofus1.c   
ksha@warbof:~/dev/c/ofus$ ./ofus1
Codigo Normal


revizando las cadenas ...

Código: php

ksha@warbof:~/dev/c/ofus$ strings ofus1
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
puts
__libc_start_main
GLIBC_2.0
PTRh
[^_]
Codigo Normal
ksha@warbof:~/dev/c/ofus$


disasm
Código: php

080483c4 <main>:

int main()
{
 80483c4:	55                   	push   %ebp
 80483c5:	89 e5                	mov    %esp,%ebp
 80483c7:	83 e4 f0             	and    $0xfffffff0,%esp
 80483ca:	83 ec 10             	sub    $0x10,%esp
	printf("Codigo Normal\n");
 80483cd:	c7 04 24 a0 84 04 08 	movl   $0x80484a0,(%esp)
 80483d4:	e8 1f ff ff ff       	call   80482f8 <puts@plt>
	return 0;
 80483d9:	b8 00 00 00 00       	mov    $0x0,%eax
}
 80483de:	c9                   	leave  
 80483df:	c3                   	ret   


veamos con el src normal que tal va

normal.c
Código: c
#include <stdio.h>

char *decrypt( char *str)
{
	char *pos = str ;

	while( *pos != 0)
	{
		*pos ^= ( char) 0x0FF ;
		pos++ ;
	}
	
	return str ;
}

char secret[]={	
				'C'		^ ( char) 0x0FF,
				'o'		^ ( char) 0x0FF,
				'd'		^ ( char) 0x0FF,
				'i'		^ ( char) 0x0FF,
				'g'		^ ( char) 0x0FF,
				'o'		^ ( char) 0x0FF,
				' '		^ ( char) 0x0FF,
				'N'		^ ( char) 0x0FF,
				'o'		^ ( char) 0x0FF,
				'r'		^ ( char) 0x0FF,
				'm'		^ ( char) 0x0FF,
				'a'		^ ( char) 0x0FF,
				'l'		^ ( char) 0x0FF,
				0					
				} ;

int main()
{
	printf("%s\n",decrypt(secret));
	return 0;
}


Código: php
ksha@warbof:~/dev/c/ofus$ gcc -ggdb -O0 -o normal2 normal2.c 
ksha@warbof:~/dev/c/ofus$ ./normal2 
Codigo Normal
ksha@warbof:~/dev/c/ofus$ strings normal2
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
puts
__libc_start_main
GLIBC_2.0
PTRh 
[^_]


aplicando el XOR 0x0FF cambia drasticamente ya q ahora no vemos cadenas.

Código: php

080483c4 <decrypt>:
#include <stdio.h>

char *decrypt( char *str)
{
 80483c4:	55                   	push   %ebp
 80483c5:	89 e5                	mov    %esp,%ebp
 80483c7:	83 ec 10             	sub    $0x10,%esp
	char *pos = str ;
 80483ca:	8b 45 08             	mov    0x8(%ebp),%eax
 80483cd:	89 45 fc             	mov    %eax,-0x4(%ebp)

	while( *pos != 0)
 80483d0:	eb 13                	jmp    80483e5 <decrypt+0x21>
	{
		*pos ^= ( char) 0x0FF ;
 80483d2:	8b 45 fc             	mov    -0x4(%ebp),%eax
 80483d5:	0f b6 00             	movzbl (%eax),%eax
 80483d8:	89 c2                	mov    %eax,%edx
 80483da:	f7 d2                	not    %edx
 80483dc:	8b 45 fc             	mov    -0x4(%ebp),%eax
 80483df:	88 10                	mov    %dl,(%eax)
		pos++ ;
 80483e1:	83 45 fc 01          	addl   $0x1,-0x4(%ebp)

char *decrypt( char *str)
{
	char *pos = str ;

	while( *pos != 0)
 80483e5:	8b 45 fc             	mov    -0x4(%ebp),%eax
 80483e8:	0f b6 00             	movzbl (%eax),%eax
 80483eb:	84 c0                	test   %al,%al
 80483ed:	75 e3                	jne    80483d2 <decrypt+0xe>
	{
		*pos ^= ( char) 0x0FF ;
		pos++ ;
	}
	
	return str ;
 80483ef:	8b 45 08             	mov    0x8(%ebp),%eax
}
 80483f2:	c9                   	leave  
 80483f3:	c3                   	ret    

080483f4 <main>:
				'l'		^ ( char) 0x0FF,
				0					
				} ;

int main()
{
 80483f4:	55                   	push   %ebp
 80483f5:	89 e5                	mov    %esp,%ebp
 80483f7:	83 e4 f0             	and    $0xfffffff0,%esp
 80483fa:	83 ec 10             	sub    $0x10,%esp
	printf("%s\n",decrypt(secret));
 80483fd:	c7 04 24 ec 95 04 08 	movl   $0x80495ec,(%esp)
 8048404:	e8 bb ff ff ff       	call   80483c4 <decrypt>
 8048409:	89 04 24             	mov    %eax,(%esp)
 804840c:	e8 e7 fe ff ff       	call   80482f8 <puts@plt>
	return 0;
 8048411:	b8 00 00 00 00       	mov    $0x0,%eax
}
 8048416:	c9                   	leave  
 8048417:	c3                   	ret    
 8048418:	90                   	nop
 8048419:	90                   	nop
 804841a:	90                   	nop
 804841b:	90                   	nop
 804841c:	90                   	nop
 804841d:	90                   	nop
 804841e:	90                   	nop
 804841f:	90                   	nop


Código: php
ksha@warbof:~/dev/c/ofus$ gcc -ggdb -O0 -o ofus2 ofus2.c     
ksha@warbof:~/dev/c/ofus$ ./ofus2 
Codigo Normal
ksha@warbof:~/dev/c/ofus$ strings ofus2
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
puts
__libc_start_main
GLIBC_2.0
PTRh 
[^_]


viendo el disasm

Código: php

080483c4 <decrypt>:
extern int printf(__const char *__restrict __format, ...);

char *decrypt( char *str)
{
 80483c4:	55                   	push   %ebp
 80483c5:	89 e5                	mov    %esp,%ebp
 80483c7:	83 ec 10             	sub    $0x10,%esp
	char *pos = str ;
 80483ca:	8b 45 08             	mov    0x8(%ebp),%eax
 80483cd:	89 45 fc             	mov    %eax,-0x4(%ebp)

	while( *pos != 0)
 80483d0:	eb 13                	jmp    80483e5 <decrypt+0x21>
	{
		*pos ^= ( char) 0x0FF ;
 80483d2:	8b 45 fc             	mov    -0x4(%ebp),%eax
 80483d5:	0f b6 00             	movzbl (%eax),%eax
 80483d8:	89 c2                	mov    %eax,%edx
 80483da:	f7 d2                	not    %edx
 80483dc:	8b 45 fc             	mov    -0x4(%ebp),%eax
 80483df:	88 10                	mov    %dl,(%eax)
		pos++ ;
 80483e1:	83 45 fc 01          	addl   $0x1,-0x4(%ebp)

char *decrypt( char *str)
{
	char *pos = str ;

	while( *pos != 0)
 80483e5:	8b 45 fc             	mov    -0x4(%ebp),%eax
 80483e8:	0f b6 00             	movzbl (%eax),%eax
 80483eb:	84 c0                	test   %al,%al
 80483ed:	75 e3                	jne    80483d2 <decrypt+0xe>
	{
		*pos ^= ( char) 0x0FF ;
		pos++ ;
	}
	
	return str ;
 80483ef:	8b 45 08             	mov    0x8(%ebp),%eax
}
 80483f2:	c9                   	leave  
 80483f3:	c3                   	ret    

080483f4 <main>:
				'l'		^ ( char) 0x0FF,
				0					
				} ;

int main()
{
 80483f4:	55                   	push   %ebp
 80483f5:	89 e5                	mov    %esp,%ebp
 80483f7:	83 e4 f0             	and    $0xfffffff0,%esp
 80483fa:	83 ec 10             	sub    $0x10,%esp
	printf("%s\n",decrypt(secret));
 80483fd:	c7 04 24 ec 95 04 08 	movl   $0x80495ec,(%esp)
 8048404:	e8 bb ff ff ff       	call   80483c4 <decrypt>
 8048409:	89 04 24             	mov    %eax,(%esp)
 804840c:	e8 e7 fe ff ff       	call   80482f8 <puts@plt>
	return 0;
 8048411:	b8 00 00 00 00       	mov    $0x0,%eax
}
 8048416:	c9                   	leave  
 8048417:	c3                   	ret    
 8048418:	90                   	nop
 8048419:	90                   	nop
 804841a:	90                   	nop
 804841b:	90                   	nop
 804841c:	90                   	nop
 804841d:	90                   	nop
 804841e:	90                   	nop
 804841f:	90                   	nop


y les dejo el ultimo un poco mas optimizado.

Código: c

#include <unistd.h>

char *decrypt( char *str)
{
	char *pos = str ;

	while( *pos != 0)
	{
		*pos ^= ( char) 0x0FF ;
		pos++ ;
	}
	
	return str ;
}

char secret[]={	
				'C'		^ ( char) 0x0FF,
				'o'		^ ( char) 0x0FF,
				'd'		^ ( char) 0x0FF,
				'i'		^ ( char) 0x0FF,
				'g'		^ ( char) 0x0FF,
				'o'		^ ( char) 0x0FF,
				' '		^ ( char) 0x0FF,
				'N'		^ ( char) 0x0FF,
				'o'		^ ( char) 0x0FF,
				'r'		^ ( char) 0x0FF,
				'm'		^ ( char) 0x0FF,
				'a'		^ ( char) 0x0FF,
				'l'		^ ( char) 0x0FF,
				'\n'		^ ( char) 0x0FF,
				0					
				} ;

int main()
{
	decrypt(secret);
	write(STDOUT_FILENO,&secret,sizeof(secret));
	return 0;
}


Código: php
ksha@warbof:~/dev/c/ofus$ gcc -ggdb -O0 -o ofus3 ofus3.c 
ksha@warbof:~/dev/c/ofus$ ./ofus3 
Codigo Normal
ksha@warbof:~/dev/c/ofus$ strings ofus3
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
__libc_start_main
write
GLIBC_2.0
PTRh0
[^_]


Código: php

080483c4 <decrypt>:
#include <unistd.h>

char *decrypt( char *str)
{
 80483c4:	55                   	push   %ebp
 80483c5:	89 e5                	mov    %esp,%ebp
 80483c7:	83 ec 10             	sub    $0x10,%esp
	char *pos = str ;
 80483ca:	8b 45 08             	mov    0x8(%ebp),%eax
 80483cd:	89 45 fc             	mov    %eax,-0x4(%ebp)

	while( *pos != 0)
 80483d0:	eb 13                	jmp    80483e5 <decrypt+0x21>
	{
		*pos ^= ( char) 0x0FF ;
 80483d2:	8b 45 fc             	mov    -0x4(%ebp),%eax
 80483d5:	0f b6 00             	movzbl (%eax),%eax
 80483d8:	89 c2                	mov    %eax,%edx
 80483da:	f7 d2                	not    %edx
 80483dc:	8b 45 fc             	mov    -0x4(%ebp),%eax
 80483df:	88 10                	mov    %dl,(%eax)
		pos++ ;
 80483e1:	83 45 fc 01          	addl   $0x1,-0x4(%ebp)

char *decrypt( char *str)
{
	char *pos = str ;

	while( *pos != 0)
 80483e5:	8b 45 fc             	mov    -0x4(%ebp),%eax
 80483e8:	0f b6 00             	movzbl (%eax),%eax
 80483eb:	84 c0                	test   %al,%al
 80483ed:	75 e3                	jne    80483d2 <decrypt+0xe>
	{
		*pos ^= ( char) 0x0FF ;
		pos++ ;
	}
	
	return str ;
 80483ef:	8b 45 08             	mov    0x8(%ebp),%eax
}
 80483f2:	c9                   	leave  
 80483f3:	c3                   	ret    

080483f4 <main>:
				'\n'		^ ( char) 0x0FF,
				0					
				} ;

int main()
{
 80483f4:	55                   	push   %ebp
 80483f5:	89 e5                	mov    %esp,%ebp
 80483f7:	83 e4 f0             	and    $0xfffffff0,%esp
 80483fa:	83 ec 10             	sub    $0x10,%esp
	decrypt(secret);
 80483fd:	c7 04 24 fc 95 04 08 	movl   $0x80495fc,(%esp)
 8048404:	e8 bb ff ff ff       	call   80483c4 <decrypt>
	write(STDOUT_FILENO,&secret,sizeof(secret));
 8048409:	c7 44 24 08 0f 00 00 	movl   $0xf,0x8(%esp)
 8048410:	00 
 8048411:	c7 44 24 04 fc 95 04 	movl   $0x80495fc,0x4(%esp)
 8048418:	08 
 8048419:	c7 04 24 01 00 00 00 	movl   $0x1,(%esp)
 8048420:	e8 c7 fe ff ff       	call   80482ec <write@plt>
	return 0;
 8048425:	b8 00 00 00 00       	mov    $0x0,%eax
}
 804842a:	c9                   	leave  
 804842b:	c3                   	ret    
 804842c:	90                   	nop
 804842d:	90                   	nop
 804842e:	90                   	nop
 804842f:	90                   	nop


.. continua ..
#3
Códigos Fuentes / Assembler Inline /*poc ofuscacion*/
Febrero 28, 2011, 04:11:57 PM

aca les dejo un codigo ofuscado con assembler inline que hice hace un tiempo

Código: php

extern 		int	    printf(	    __const     char *	     __restrict 
__format  ,...);   	 main()   {int      foo =30     ,bar =     45 ,   abx =0;
__asm__ __volatile__	   ("addl  	      %%ebx, %%eax"        :"=a"   (foo)
:"a"(foo), "b"(bar)              );           printf("%c", 	 foo);      int  xor_; 
bar=83;       foo=32;           abx++;	    xor_=       bar-6;	printf ("%c",foo+bar);
int 		 zxw;       zxw=40; 	if(foo==32)  printf(    "%c",	    (((104/4*26)%390
-143)	     +1)-zxw);  foo=3*32+1;   for(zxw=97;   zxw>=foo;	zxw--) 	    { printf("%c",
zxw);}	   printf(	"%c%c"		,13					,10);}
Páginas1