The Attack Map and list script

Purpose: To use the various command-line log-parsing tools presented by the SME during the 2022 NCL CTF season at Wilbur Wright College.

Result: A script that can be pointed at any log file and creates a world map from the geolocation of the IP addresses it finds.


```bash
#!/bin/bash
# Summarise sshd "Invalid user" attempts from auth.log into an HTML fragment,
# and keep a deduplicated attacker IP list that PyGeoIpMap turns into a map.

###the data for iframe

# Pull the source address of every rejected login and count per address.
# sort -n is required: a plain sort compares the counts as text, so "9" lands
# after "10" and the wrong address would be picked as the worst offender.
ip="$(grep -h "Invalid" /var/log/auth.log* | sed -e 's/.*from\(.*\)port.*/\1/' | sort | uniq -c | sort -n | tail -1 | awk '{print $2}')"
attempts="$(grep -h "Invalid" /var/log/auth.log* | sed -e 's/.*from\(.*\)port.*/\1/' | sort | uniq -c | sort -n | tail -1 | awk '{print $1}')"
attackerip="$(grep "Invalid" /var/log/auth.log | tail -1 | grep -Eoa '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')"

# The tags must be quoted: an unquoted <h6> is parsed as a shell redirection.
echo "<h6>" > /var/www/html/theworst.html
echo "The most malicious attempts, at this web server, originate from address $ip. That IP has attempted $attempts times to hack this webserver. Others are listed below." >> /var/www/html/theworst.html
echo "<hr>" >> /var/www/html/theworst.html
# The usernames in these lines are chosen by whoever is attempting the logins,
# so escape &, < and > before writing them into a page the web server serves.
grep "Invalid" /var/log/auth.log | sed -e 's/.*]:\(.*\)port.*/\1/' | tail -n 100 \
  | sed -e 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g' >> /var/www/html/theworst.html

echo "</h6>" >> /var/www/html/theworst.html

chmod 655 /var/www/html/theworst.html


###attack map

# Nothing to map if the log holds no rejected login yet (an empty pattern
# would make grep -q match every line of the list).
[ -z "$attackerip" ] && exit 0
touch /tmp/ip.txt

# -F matches the address literally (dots are not regex wildcards) and -x
# requires a whole-line match, so 10.0.0.1 is not "seen" because 10.0.0.10 is.
if grep -qFx -- "$attackerip" /tmp/ip.txt; then
  sort /tmp/ip.txt > /var/www/html/attacker_ip_list.txt
  exit 0
else
  echo "$attackerip" >> /tmp/ip.txt
  cp /tmp/ip.txt /var/www/html/attacker_ip_list.txt
  chmod 655 /var/www/html/attacker_ip_list.txt
  # Plot every address in the list onto the world map image for the page.
  python3 /root/PyGeoIpMap/pygeoipmap.py -i /tmp/ip.txt --service m --db /root/GeoLite2-City_20191029/GeoLite2-City.mmdb -o /var/www/html/images/images/theworst.png
fi

exit 0
```

Now I want to try it in Python.
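The same parsing in Python, as an added example that is not the post's own code: the auth.log lines are constructed sample data, the function names are my own, and the report escapes the log fields before they go into the HTML, since the usernames are chosen by whoever is attempting the logins.

```python
import html
import re
from collections import Counter

# Constructed sample auth.log lines (not captured data), in the sshd
# format the bash script greps for with "Invalid".
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 web sshd[1201]: Invalid user admin from 203.0.113.5 port 51322
Jan 10 03:12:04 web sshd[1203]: Invalid user oracle from 203.0.113.5 port 51340
Jan 10 03:13:10 web sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Jan 10 03:14:22 web sshd[1222]: Invalid user <script> from 198.51.100.23 port 33002
Jan 10 03:15:00 web sshd[1230]: Invalid user admin from 203.0.113.5 port 51390
Jan 10 03:16:45 web sshd[1241]: Invalid user pi from 192.0.2.44 port 60010
""".splitlines()

# Equivalent of sed 's/.*from\(.*\)port.*/\1/': the source address of each
# rejected login. Anchoring on "Invalid user" skips unrelated lines.
INVALID_RE = re.compile(
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def invalid_logins(lines):
    """Return [(user, ip), ...] for every 'Invalid user' line, in log order."""
    return [(m["user"], m["ip"]) for m in map(INVALID_RE.search, lines) if m]

def top_offender(lines):
    """Equivalent of sort | uniq -c | sort -n | tail -1: (ip, attempts)."""
    counts = Counter(ip for _, ip in invalid_logins(lines))
    return counts.most_common(1)[0] if counts else (None, 0)

def latest_attacker(lines):
    """Source IP of the most recent rejected login (the script's $attackerip)."""
    hits = invalid_logins(lines)
    return hits[-1][1] if hits else None

def add_attacker(known_ips, ip):
    """Mimic the /tmp/ip.txt check: append ip only if unseen; report whether added."""
    if ip is None or ip in known_ips:
        return known_ips, False
    return known_ips + [ip], True

def render_report(lines, limit=100):
    """Build the theworst.html fragment. Log fields are attacker-controlled,
    so they are HTML-escaped rather than written raw as the shell script does."""
    ip, attempts = top_offender(lines)
    rows = [f"{html.escape(u)} from {html.escape(a)}" for u, a in invalid_logins(lines)[-limit:]]
    return (f"<h6>The most malicious attempts originate from {html.escape(str(ip))}, "
            f"which tried {attempts} times.<hr>" + "<br>".join(rows) + "</h6>")
```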

Challenge: If you are able to refactor the above script to be 'more clean', email me. I made it easy! I'll post your name and your improvements! Let's learn together.

Rules: You may only modify ONE line per submission. No two submissions back-to-back (meaning a different person will need to submit and have their update 'posted' before you may submit again). Entries will be reviewed and updated in the order received (meaning if a person submits a refactored line before your submission, your attempt is invalidated until you refactor it against the most recently posted refactorization).

Clear as mud?! Great!