Community discussions

 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Script to identify conficker (virus infected) users

Thu Mar 26, 2009 4:39 am

Hello all,

Just finished posting a wiki article on a script I've done up to help identify private network (lan) users infected with variants of the conficker virus.

Implementation of the script will give you a way to get the IP addresses of users on your network attempting to access sites that conficker 'phones home' to periodically.

If anyone has any questions, bugs or suggestions on the script feel free to voice them here.

Wiki article: http://wiki.mikrotik.com/wiki/Conficker-Virus-Blocking
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Thu Mar 26, 2009 7:21 am

oh bugger. Just found out that the :resolve command failing causes a script to halt in 3.X
Workaround for me was to use OpenDNS as the name servers, so that all requests would resolve, then just catch the users heading to non opendns IP's.

http://forum.mikrotik.com/viewtopic.php?f=1&t=29419 - could you please try to fix this for us mikrotik? The bug has been around since Feb.

Thanks.
 
User avatar
Ibersystems
Forum Guru
Forum Guru
Posts: 1681
Joined: Wed Apr 12, 2006 12:29 am
Location: Cabrils, Barcelona - Spain
Contact:

Re: Script to identify conficker (virus infected) users

Fri Mar 27, 2009 3:52 pm

Thanks!
Martín
martinruiz at ibersystems.es
Experto en redes WiFi y enlaces WiFi.

Facebook: @Ibersystems
Twitter: @Ibersystems

Certified in Traffic Shaping, Wireless, Internetworking, Routing and User Management.
MTCTCE - MTCWE - MTCINE - MTCUME - MTCRE
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Script to identify conficker (virus infected) users

Sat Mar 28, 2009 9:42 am

Hi there

i use this script in x3.17 its not working for me i just modified the script to check they resolve the ips . i created the file name conf.txt and put the all domain which listed on site. i used opendns for nameserver

:local content [/file get [/file find name="conf.txt"] contents] ;
:local contentLen [ :len $content ] ;

:local lineEnd 0;
:local line "";
:local lastEnd 0;

:do {
:set lineEnd [:find $content "\n" $lastEnd ] ;
:set line [:pick $content $lastEnd $lineEnd] ;
:set lastEnd ( $lineEnd + 1 ) ;

#resolve each new line and add to the address list daily-conficker
:if ( [:pick $line 0 1] != "\n" ) do={
:local entry [:pick $line 0 ($lineEnd ) ]
:if ( [:len $entry ] > 0 ) do={
:local listip [:resolve "$entry"]
:if ($listip != "failure" ) do={
/ip firewall address-list add list=daily-conficker address=$listip
:log info "$listip"
}
}
}
} while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Sat Mar 28, 2009 7:17 pm

Yes, as noted in my post above, I only found out after finishing the scrip that the mikrotik :resolve command is currently broken, any failed resolution simple forces the script to quit, hence using opendns is the only way I see to get it to complete at this time.. too bad we've got no other solution for the 1st April :-(

However, if you're still getting an error in the script even thou all addresses are resolving, run it from terminal instead and let me know what line it errors on and I'll have a look.
 
User avatar
Aug
Member
Member
Posts: 313
Joined: Thu Jun 07, 2007 2:10 am

Re: Script to identify conficker (virus infected) users

Sun Mar 29, 2009 1:56 am

Thanks.

I managed to get it working and it's popping up hits on several of my access points.
I copied the address list and firewall rule to the access points to isolate the customer.
I checked some of the ip address against arin.
208.69.36.132 opendns
72.167.202.5 godaddy
72.14.205.102 google

Does that seem right??

Also, could one just block the ip addresses from the list daily-conficker?
Aug
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Sun Mar 29, 2009 5:43 am

Yes you can block the addresses, I've done so on my sites and haven't had any users call with issues accessing google :-/ (Roughly 3000 users its running across at the moment)

as for the ARIN listings, try the following addition. Change the line
/ip firewall address-list add list=daily-conficker address=$listip
to
/ip firewall address-list add list=daily-conficker address=$listip comment=$entry
This should give you a listing of the domain that each address was resolved from so you can see exactly which domain is which.
I've updated the script to include this.
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Script to identify conficker (virus infected) users

Sun Mar 29, 2009 12:02 pm

Yes, as noted in my post above, I only found out after finishing the scrip that the mikrotik :resolve command is currently broken, any failed resolution simple forces the script to quit, hence using opendns is the only way I see to get it to complete at this time.. too bad we've got no other solution for the 1st April :-(

However, if you're still getting an error in the script even thou all addresses are resolving, run it from terminal instead and let me know what line it errors on and I'll have a look.

Dude
Can you post the resolve export ips list so i can direcly add in addresses list
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Script to identify conficker (virus infected) users

Sun Mar 29, 2009 12:19 pm

got error when i post the script on terminal window
conf.JPG
You do not have the required permissions to view the files attached to this post.
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Mon Mar 30, 2009 2:04 am

the whole reason the script goes through and resolves each of the IP's is because conficker uses a new set of domains each day, if I were to resolve all of them now and just provide an IP list, this list could easily change within a few days time given that a) new domains that weren't resolving previously may have now been purchased. b) old domains that were pointing elsewhere before could have records updated to point to new sites.

When I say run it from terminal I mean goto terminal and type in
/system run script daily-conficker-list
then paste the output.

Pasting in terminal like that simply won't work.
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Script to identify conficker (virus infected) users

Mon Mar 30, 2009 9:28 am

Thanks for your prompt response. actully i have over 2500 user. most of the user are infacted with this virus.

here is terminal output

[admin@MikroTik] > /system run script daily-conficker-list
bad command name run (line 1 column 9)
[admin@MikroTik] >
conf.JPG
You do not have the required permissions to view the files attached to this post.
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Mon Mar 30, 2009 10:19 am

arggh sorry, typo
/system script run daily-conficker-list
is what you want to do.
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Script to identify conficker (virus infected) users

Mon Mar 30, 2009 10:32 am

arggh sorry, typo
/system script run daily-conficker-list
is what you want to do.

something wrong in script when i run given error. see my last post


the worm has been activated on my lan users here is my squid access log.

1238397620.731 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
53 -1238397620.747 1037 192.168.0.5 TCP_MISS/200 345 GET http://210.2.138.215/tradingterminal/Ex ... 2676355183 - DIRECT/210.2.138.215 text/xml
1238397620.760 296 192.168.0.5 TCP_MISS/204 187 GET http://www.google.com/uds/stats?r0=hl%7Csearch - DIRECT/216.239.61.104 text/html
1238397620.762 1 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.789 338 192.168.0.5 TCP_MISS/204 277 GET http://www.google.com.pk/csi?v=3&s=webh ... 51,xjs.301 - DIRECT/216.239.61.104 text/html
1238397620.791 1 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.794 344 192.168.0.5 TCP_MISS/200 390 GET http://www.google-analytics.com/__utm.g ... D(none)%3B - DIRECT/72.14.235.100 image/gif
1238397620.823 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.852 10 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.858 424 192.168.0.5 TCP_MISS/200 427 GET http://us.bc.yahoo.com/b?P=FFc7D2KIcFH5 ... 8968295436 - DIRECT/68.142.228.136 image/gif
1238397620.882 1 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.912 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.919 4454 192.168.0.5 TCP_MISS/200 92057 GET http://www.cartoonnetwork.com/data/_mas ... l?c=530375 - DIRECT/64.236.29.72 application/xml
1238397620.929 494 192.168.0.5 TCP_MISS/200 1440 GET http://ads.cartoonnetwork.com/js.ng/sit ... 3718938321 - DIRECT/64.236.29.63 application/x-javascript
1238397620.941 3438 192.168.0.5 TCP_REFRESH_HIT/304 149 GET http://download.im.alisoft.com/aliim/Al ... k100859391 - DIRECT/121.0.30.96 -
1238397620.942 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.950 453 192.168.0.5 TCP_HIT/200 869 GET http://static4.orkut.com/img/castro/i_phototag.gif - NONE/- image/gif
1238397620.950 1270 192.168.0.5 TCP_REFRESH_HIT/200 634 GET http://i.cdn.turner.com/toon/games/tool ... bottom.jpg - DIRECT/209.84.4.126 image/jpeg
1238397620.972 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397620.973 459 192.168.0.5 TCP_MISS/304 208 GET http://outfits.zwinky.com/users/common/ ... female.xml - DIRECT/66.235.126.132 -
1238397620.989 538 192.168.0.5 TCP_MISS/200 5856 GET http://ad.yieldmanager.com/st?ad_type=i ... 04760/R=0/* - DIRECT/77.238.172.11 -
1238397621.002 0 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397621.032 2 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397621.051 617 192.168.0.5 TCP_MISS/302 734 GET http://login.live.com/login.srf?wa=wsig ... 3&id=41839 - DIRECT/65.54.186.107 text/html
1238397621.052 618 192.168.0.5 TCP_MISS/200 544 GET http://w88.go.com/b/ss/wdgespcricinfo,w ... &%5BAQE%5D - DIRECT/66.235.139.70 image/gif
1238397621.058 564 192.168.0.5 TCP_MISS/206 8531 GET http://msgr.dlservice.microsoft.com/dow ... up-cvr.exe - DIRECT/87.248.218.175 application/octet-stream
1238397621.062 3 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
1238397621.082 2774 192.168.0.5 TCP_REFRESH_HIT/200 7997 GET http://img301.imageshack.us/img301/5350 ... lergz7.jpg - DIRECT/38.99.76.172 image/jpeg
1238397621.092 6 192.168.0.5 TCP_DENIED/400 1481 NONE NONE:// - NONE/- text/html
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Mon Mar 30, 2009 11:08 am

yeah but the previous post I did was incorrect..
when you ran
/system run script XXXXX

it didn't run the script at all.. because my syntax was wrong.

you need to run

/system script run XXXXXX

it was my message to you that had an error, I've also tried the script on one of my 3.17 boxes and it works fine.
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Script to identify conficker (virus infected) users

Mon Mar 30, 2009 11:41 am

yeah but the previous post I did was incorrect..
when you ran
/system run script XXXXX

it didn't run the script at all.. because my syntax was wrong.

you need to run

/system script run XXXXXX

it was my message to you that had an error, I've also tried the script on one of my 3.17 boxes and it works fine.

The Script was stuck-up how to debug ? currently using opendns nameserver terminal output

[admin@MikroTik] > /system script run daily-conficker-list
status: connecting
-- [Q quit|D dump|C-z pause]
failure: connection failed
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Mon Mar 30, 2009 12:01 pm

Hmm it would seem that your mikrotik is unable to download the files from my webserver.
Does the box you're using have a default route (0.0.0.0/0) out to the internet?

The script as noted above does work fine on 3.17 which means there is an issue with your mikrotik being able to connect to my server somehow.
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Script to identify conficker (virus infected) users

Mon Mar 30, 2009 1:19 pm

mm strange ! anyway i just tweak with this script with my linux box downloaded files on linux box then retrive to local machine. files are http://192.168.0.1/conficker/www.epicwi ... conficker/

after this get sucess but 20% the script now given this error

/system script run daily-conficker-list
status: connecting

status: finished
failure

i checked in files the only 1 file download 03-30-2009.txt


i changed in script marked

:local date [/system clock get date]
:local month [:pick $date 0 3]
:local day [:pick $date 4 6]
:local year [:pick $date 7 11]

#set month to numerical value
:if ([$month] = "jan") do={ :set month "01" }
:if ([$month] = "feb") do={ :set month "02" }
:if ([$month] = "mar") do={ :set month "03" }
:if ([$month] = "apr") do={ :set month "04" }
:if ([$month] = "may") do={ :set month "05" }
:if ([$month] = "jun") do={ :set month "06" }
:if ([$month] = "jul") do={ :set month "07" }
:if ([$month] = "aug") do={ :set month "08" }
:if ([$month] = "sep") do={ :set month "09" }
:if ([$month] = "oct") do={ :set month "10" }
:if ([$month] = "nov") do={ :set month "11" }
:if ([$month] = "dec") do={ :set month "12" }

#download current days domain list
/tool fetch address=192.168.0.1 host=192.168.0.1 mode=http src-path="conficker/www.epicwinrar.com/conficker/$month-$day-$year.txt"
:log info "Download Complete"
:delay 2

#check to ensure todays file exists before deleting yesterdays list
:log info "Begining Address List Modification"
:if ( [/file get [/file find name="$month-$day-$year.txt"] size] > 0 ) do={

/ip firewall address-list remove [/ip firewall address-list find list=daily-conficker]

:local content [/file get [/file find name="$month-$day-$year.txt"] contents] ;
:local contentLen [ :len $content ] ;

:local lineEnd 0;
:local line "";
:local lastEnd 0;

:do {
:set lineEnd [:find $content "\n" $lastEnd ] ;
:set line [:pick $content $lastEnd $lineEnd] ;
:set lastEnd ( $lineEnd + 1 ) ;

#resolve each new line and add to the address list daily-conficker
:if ( [:pick $line 0 1] != "\n" ) do={
:local entry [:pick $line 0 ($lineEnd ) ]
:if ( [:len $entry ] > 0 ) do={
:local listip [:resolve "$entry"]
:if ($listip != "failure" ) do={
/ip firewall address-list add list=daily-conficker address=$listip
:log info "$listip"
}
}
}
} while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"
#cleaning up
/file remove "$month-$day-$year.txt"
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Mon Mar 30, 2009 2:28 pm

If it gets the failure message it means the :resolve has failed and stops the script from continuing (the bug mentioned in my second post)

If you're using opendns servers (208.67.222.222 208.67.220.220) as your dns servers this should not happen as any invalid requests will instead be returned an opendns address (normally in the 208.67.X.X range)
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Script to identify conficker (virus infected) users

Mon Mar 30, 2009 4:20 pm

Thanks Mate

Now its working but i think something wrong. The script add duplicate ips . its fine or something missing in script .
Dude can you do one more thing can you make simple this script. i have also linux box and make script to fatch and export list to the file with crontab just confuse with MT scripting here is my simple script to fatch file from local machine this local machine fatch data from site. conf.txt is located on my server

#download current days domain list
/tool fetch address=192.168.0.1 host=192.168.0.1 mode=http src-path="conficker/www.epicwinrar.com/conficker/conf.txt"
:log info "Download Complete"
:delay 2

#check to ensure todays file exists before deleting yesterdays list
:log info "Begining Address List Modification"
:if ( [/file get [/file find name=conf.txt] size] > 0 ) do={

/ip firewall address-list remove [/ip firewall address-list find list=daily-conficker]

:local content [/file get [/file find name=conf.txt] contents] ;
:local contentLen [ :len $content ] ;

:local lineEnd 0;
:local line "";
:local lastEnd 0;

:do {
:set lineEnd [:find $content "\n" $lastEnd ] ;
:set line [:pick $content $lastEnd $lineEnd] ;
:set lastEnd ( $lineEnd + 1 ) ;

#resolve each new line and add to the address list daily-conficker
:if ( [:pick $line 0 1] != "\n" ) do={
:local entry [:pick $line 0 ($lineEnd ) ]
:if ( [:len $entry ] > 0 ) do={
:local listip [:resolve "$entry"]
:if ($listip != "failure" ) do={
/ip firewall address-list add list=daily-conficker address=$listip
:log info "$listip"
}
}
}
} while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"
#cleaning up
/file remove conf.txt
 
User avatar
Aug
Member
Member
Posts: 313
Joined: Thu Jun 07, 2007 2:10 am

Re: Script to identify conficker (virus infected) users

Mon Mar 30, 2009 4:44 pm

This works fine on 3.19 as long as the dns servers are set to opendns as stated above.

Is there any way to prevent duplicate ip addresses from being added to the address list since many of the ips are the same.
Aug
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Script to identify conficker (virus infected) users

Tue Mar 31, 2009 12:39 am

Hi There

did you found any removal tool for this worm ?
 
EngAMoktar
Frequent Visitor
Frequent Visitor
Posts: 87
Joined: Fri Aug 15, 2008 7:18 pm

Re: Script to identify conficker (virus infected) users

Tue Mar 31, 2009 5:15 am

oh bugger. Just found out that the :resolve command failing causes a script to halt in 3.X
Hey Man , is that means it won't work on 3.x !!?
and what about 2.x
something else , should i make a firewall filter rule to block any connection to these sites ?
i have a deep bad feeling about this mess , MS is crashing down :?
harry up man , tomorrow is the date :shock:

sorry , one more thing , this happened after i used this script from wiki
Image
is this this right ?
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Script to identify conficker (virus infected) users

Tue Mar 31, 2009 3:54 pm

If it gets the failure message it means the :resolve has failed and stops the script from continuing (the bug mentioned in my second post)

If you're using opendns servers (208.67.222.222 208.67.220.220) as your dns servers this should not happen as any invalid requests will instead be returned an opendns address (normally in the 208.67.X.X range)

Thanks Dude its working now the issue was in my Firewall :P
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Script to identify conficker (virus infected) users

Tue Mar 31, 2009 4:04 pm

oh bugger. Just found out that the :resolve command failing causes a script to halt in 3.X
Hey Man , is that means it won't work on 3.x !!?
and what about 2.x
something else , should i make a firewall filter rule to block any connection to these sites ?
i have a deep bad feeling about this mess , MS is crashing down :?
harry up man , tomorrow is the date :shock:

sorry , one more thing , this happened after i used this script from wiki
Image
is this this right ?

mm i think you are using web-proxy service the virus create reverse connection and loop with you local MT proxy . in my case i have external linux box same loop connection are seen in cachelog
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Tue Mar 31, 2009 6:26 pm

Nmap has released a new (beta) release that enables Conficker infections
just by scanning the network.

For more information (including commands for Conficker scanning) see:
http://insecure.org/

An original tool (before it was added into nmap) is also available:
http://iv.cs.uni-bonn.de/uploads/media/scs.zip

And further info can be found at these sites:
http://www.honeynet.org/
(https://www.honeynet.org/node/389)
http://iv.cs.uni-bonn.de/wg/cs/applicat ... conficker/
Just received these from a security consultant friend. Combined with the script here this should help us pickup any infected users but requires a computer on the inside (we use an older server with ESXi which allows remote access) which i believe is a good investment for any sites over 500 users.
 
User avatar
taglio
Frequent Visitor
Frequent Visitor
Posts: 97
Joined: Wed Nov 12, 2008 4:55 pm
Location: 34T, Barcelona, Spain

Re: Script to identify conficker (virus infected) users

Tue Mar 31, 2009 7:39 pm

You don't have permission to access /nmap-dist/nmap-4.85BETA5-setup.exe on this server.

Just curious.... the download server from insecure.org has got this error.
.mhavoc world
 
rafa_lore
Member Candidate
Member Candidate
Posts: 121
Joined: Tue Apr 17, 2007 4:57 am
Location: Salta
Contact:

Re: Script to identify conficker (virus infected) users

Tue Mar 31, 2009 7:58 pm

Hello
As omega-00 told, I have a problem with resolve names, it give an error and the script stop working! How can I solve this problem? I look in the other post and there is not solution!
Look this is the problem!
 :put [:resolve tleksfchxqb.com]
failure
So when MKT read its, stop working with the script. And the problem is that this is the first in the list!!
Thank
Rafael Lore
 
User avatar
Aug
Member
Member
Posts: 313
Joined: Thu Jun 07, 2007 2:10 am

Re: Script to identify conficker (virus infected) users

Tue Mar 31, 2009 8:17 pm

Use opendns servers.
clear dns cache.

/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 primary-dns=\
208.67.220.220 secondary-dns=208.67.222.222
/ip dns cache flush
Aug
 
rafa_lore
Member Candidate
Member Candidate
Posts: 121
Joined: Tue Apr 17, 2007 4:57 am
Location: Salta
Contact:

Re: Script to identify conficker (virus infected) users

Wed Apr 01, 2009 12:55 am

Thanks very much AUG, problems solved
Rafael Lore
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Script to identify conficker (virus infected) users

Fri Apr 03, 2009 1:47 pm

Hi omega-00


I found in logs many domain are not listed in dailyconficker list . after googing i found this url may be this will be help-out you

http://iv.cs.uni-bonn.de/wg/cs/applicat ... conficker/
 
User avatar
Aug
Member
Member
Posts: 313
Joined: Thu Jun 07, 2007 2:10 am

Re: Script to identify conficker (virus infected) users

Fri Apr 03, 2009 5:20 pm

I've noticed that if a customer is using opendns as their dns server, they get a lot of hits.
I believe these are false hits.
Anybody else run into this?
Aug
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Fri Apr 03, 2009 6:52 pm

aug: any hits to opendns aren't nessicarily conficker hits seeing as open dns doesn't host a specific conficker warning page, jsut a standard "this site is unsafe/blocked blah blah blah" page that users hit. so you have to remove opendns hits from your list (would be great if :resolve just worked like it's supposed to thou wouldn't it :-/ )

pokeman: when you say you've found domains that aren't in the list, do you mean my list is missing some? or my list has ones that website doesnt?

If you're saying the first, I know this.. conficker c generates 50,000 domains a day .. mikrotik only gives me a 4096 char string I can work with to block a and b (as listed on my script page) - http://wiki.mikrotik.com/wiki/Conficker-Virus-Blocking

but thanks for the links, any more info is helpful.
 
ayufan
Member
Member
Posts: 331
Joined: Sun Jun 03, 2007 9:35 pm
Contact:

Re: Script to identify conficker (virus infected) users

Fri Apr 03, 2009 7:17 pm

Try remote script execution for example via ssh. And generate mikrotik script code from template ;)
ssh my-router ':local listip [:resolve "aa.com"]; :if ($listip != "failure" ) do={
             /ip firewall address-list add list=daily-conficker address=$listip comment="aa.com"
             :log info "$listip"
           }
 ...'
Executing that script every day from remote machine
hAP AC, TP-Link Archer C7 v2, RB951G, RB450G, RPI2, RPI zero
 
Ozelo
Member
Member
Posts: 338
Joined: Fri Jun 02, 2006 3:56 am

Re: Script to identify conficker (virus infected) users

Fri Apr 03, 2009 10:03 pm

Ive been running the script, but for some reason it just don't get out the "while" statement... I trying to figure it out. I just don't see the final log message saying that modifications are completed. Thanks for the script anyway! :)
MTCRE - 1104RE006
MTCINE - 1104INE001
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Sun Apr 05, 2009 7:21 pm

Ozelo as discussed above the mikrotik :resolve command is broken :-/ and causes the script to crash if it can't resolve an address *sigh*
so the fix is to use just opendns servers for the time being.
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Sat Apr 11, 2009 8:03 pm

The following script will stop the addition of duplicate IP's.
#resolve each new line and add to the address list daily-conficker. updated to list domain as comment
        :if ( [:pick $line 0 1] != "\n" ) do={
          :local entry [:pick $line 0 ($lineEnd ) ]
          :if ( [:len $entry ] > 0 ) do={
              :local listip [:resolve "$entry"]
              :if ($listip != "failure" ) do={
                :if ((/ip firewall address-list find list=daily-conficker address=$listip) = "") do={
                  /ip firewall address-list add list=daily-conficker address=$listip comment=$entry
                  :log info "$listip"
              } else={:log info "duplicate IP $entry"}
           }
       } 
    }
 } while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"
#cleaning up
/file remove "$month-$day-$year.txt"
You should be able to see from the comments what it replaces, but if not I've updated the wiki entry to reflect the new script.
 
fatslim
newbie
Posts: 30
Joined: Mon Dec 01, 2008 1:21 pm
Location: Lithuania, Kaunas
Contact:

Re: Script to identify conficker (virus infected) users

Mon May 25, 2009 4:34 pm

The following script will stop the addition of duplicate IP's.
#resolve each new line and add to the address list daily-conficker. updated to list domain as comment
        :if ( [:pick $line 0 1] != "\n" ) do={
          :local entry [:pick $line 0 ($lineEnd ) ]
          :if ( [:len $entry ] > 0 ) do={
              :local listip [:resolve "$entry"]
              :if ($listip != "failure" ) do={
                :if ((/ip firewall address-list find list=daily-conficker address=$listip) = "") do={
                  /ip firewall address-list add list=daily-conficker address=$listip comment=$entry
                  :log info "$listip"
              } else={:log info "duplicate IP $entry"}
           }
       } 
    }
 } while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"
#cleaning up
/file remove "$month-$day-$year.txt"
You should be able to see from the comments what it replaces, but if not I've updated the wiki entry to reflect the new script.
At this part script stops. Last output in log is "duplicate IP fnsqijun.org"
 
DjStraw
newbie
Posts: 46
Joined: Mon Oct 15, 2007 4:54 am

Re: Script to identify conficker (virus infected) users

Tue Oct 13, 2009 8:40 am

Use opendns servers.
clear dns cache.

/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 primary-dns=\
208.67.220.220 secondary-dns=208.67.222.222
/ip dns cache flush
Not work for me!, is I put set allow-remote-requests=yes work, but if it works but makes the blocks that have previously configured, the only way NAT works is redirected from the udp port 53 to the OpenDNS DNS server but that's how I mark the cache IP - DNS - Cache
 
xezen
Long time Member
Long time Member
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

Re: Script to identify conficker (virus infected) users

Tue Oct 13, 2009 9:14 am

but your list stoped updating



why isnt it up o date today or a month back?

can you fix that as it was working well for me
If i dont No Ask someone That Does!
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Tue Oct 13, 2009 5:15 pm

I don't have the time to maintain the lists and as the newer generations of conficker (generation 'c' onwards) have a list of 50,000 new domains a day it becomes near impossible to handle that normally and would require me to completely recode what I've done on the script to handle multiple files with domains in them.

As it stands I might look at this again when v4.X re-adds the LUA functions.

Regards,
Andrew Cox
Omega-00
 
xezen
Long time Member
Long time Member
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

Re: Script to identify conficker (virus infected) users

Tue Oct 13, 2009 11:18 pm

were can i find the lists then to try my own thing?
If i dont No Ask someone That Does!
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1166
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Script to identify conficker (virus infected) users

Fri Oct 16, 2009 3:25 am

 
xezen
Long time Member
Long time Member
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

Re: Script to identify conficker (virus infected) users

Fri Oct 16, 2009 8:32 am

thanks for the link
If i dont No Ask someone That Does!
 
letabawireless
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Thu Jul 26, 2012 5:11 pm

Re: Script to identify conficker (virus infected) users

Thu Oct 30, 2014 9:38 am

Hi there
I stumbled upon your script on the wiki, and need it. The problem is the website epicwinrar seems to not be working anymore ? Has it been moved somewhere else ?

Who is online

Users browsing this forum: No registered users and 4 guests