Comments on TaoSecurity Blog: Watch Your WHOIS Entries
Blog author: Richard Bejtlich

raul (2015-07-16 10:24):

Guys, if you ever want to evolve from simple scripting, check out my service at biz-eye.com

It does daily blacklist checks, watches whois/dns changes + monitors expiration of SSL certs and domains.

Grymoire (2010-05-24 06:36):

My version did not have the problem with the database timestamps, BTW.

I don't see why there would be a race condition unless you plan to run it more frequently than every 5 minutes, which I think is excessive. And if you care, just use whois.$$.$i and delete this file at the end.

And if you don't use cron to deliver mail, just do something like

```sh
#!/bin/sh
# Per-process scratch file, removed on exit, hangup or termination.
FILE=/tmp/whoisdiff.$$
trap "/bin/rm $FILE" 0 1 15
PATH=$PATH:/usr/local/bin
export PATH
# WhoisDiff is the checking script from the earlier comment, installed in PATH.
WhoisDiff >$FILE
# Only send mail when the script produced output.
if [ -s $FILE ]
then
  mail -s "WHOIS DIFF" email@example.com <$FILE
fi
```

tychotithonus (Royce Williams) (2010-05-23 10:24):

I'd forgotten that some registrars include the global WHOIS database's last modification time in their output, which can cause frequent false positives:

>>> Last update of whois database: Sun, 23 May 2010 12:29:08 UTC <<<

In order to ignore this date change without ignoring other date changes, we have to make the script slightly more fragile (by depending on the registrar's output format). I'm not sure of a better way to handle this case; comments welcome.

Also, my previously posted script has a logic bug. It exits the script entirely after only creating one missing baseline file.

My version is quite a bit more verbose than Grymoire's, but there are a couple of deliberate reasons:

* I'm manually sending the email (rather than letting cron's output do so) because some OSes (Solaris) put no useful information in the subject line generated by cron.

* I'm not using /tmp in order to avoid race conditions.

* I'm automatically setting up the workspace and initial baseline files, making it work "out of the box" without manual setup steps.

* cron paths can vary by OS and local preference; also, multiple versions of a binary can be present on a given system. This makes hard-coding the paths to specific binaries attractive (though it does harm portability).

* I'm abstracting some customizable parameters (work directory, domain list) in a separate area to adhere to DRY (Don't Repeat Yourself) and to improve legibility.

Here's a new version, taking all of the above into account, with some other legibility improvements.

```sh
#!/bin/sh

# Description: check whois for domains of interest.

MYDOMAINS="example.com example.net"
MYEMAIL=royce@example.org
MYWORKDIR=/home/royce/check

DIFF=/usr/bin/diff
EGREP=/usr/bin/egrep
WHOIS=/usr/bin/whois

for domain in ${MYDOMAINS}; do

  OLDFILE=${MYWORKDIR}/${domain}.whois.old.txt
  NEWFILE=${MYWORKDIR}/${domain}.whois.new.txt

  # If the working directory does not exist, create it or exit.
  # (Braces, not a subshell, so that "exit" actually leaves the script.)
  if [ ! -d ${MYWORKDIR} ]; then
    mkdir ${MYWORKDIR} || { echo "Could not create ${MYWORKDIR}"; exit 1; }
  fi

  # If baseline files don't exist, create them.
  if [ ! -f ${OLDFILE} ]; then
    touch ${OLDFILE}
    echo "Created baseline file for ${domain}."
    continue
  fi

  # Fetch WHOIS record for the domain, ignoring 4-digit years.
  # This is somewhat fragile, as WHOIS output formats can change.
  ${WHOIS} ${domain} \
    | ${EGREP} -vi '.*whois.*[ \-]20[0-9][0-9][ ,-]' \
    > ${NEWFILE}

  # Check to see if the WHOIS record has changed.
  #
  # We manually email because some OSes (most notably Solaris) do not
  # put unique information in subject lines created from cron.

  ${DIFF} -u \
    ${OLDFILE} \
    ${NEWFILE} >/dev/null

  if [ $? != 0 ]; then
    ${DIFF} -u \
      ${OLDFILE} \
      ${NEWFILE} \
      | mail -s "whois check: ${domain}" ${MYEMAIL}
  fi

  # Save the new WHOIS information as the baseline.
  mv ${NEWFILE} ${OLDFILE}

done
```

Grymoire (2010-05-23 07:33):

Here's mine. Run this in cron, and it will send you mail when anything changes

```sh
#!/bin/sh
# Baselines live in /var/log/whois.<domain>. On the very first run diff
# complains that the baseline is missing; it is written at the end of the loop.
for i in domain1.com domain2.com
do
  # Drop the registrar's "database" timestamp line to avoid false positives.
  whois $i | grep -v -i database >/tmp/whois.$i
  diff /var/log/whois.$i /tmp/whois.$i >/tmp/diff.$i
  # Any output from diff means the record changed; cron mails what we print.
  if [ -s /tmp/diff.$i ]
  then
    echo DIFF in $i:
    cat /tmp/diff.$i
  fi
  cat /tmp/whois.$i >/var/log/whois.$i
done
```

Anonymous (2010-05-23 04:52):

Hi,

This is really interesting, efficient and ...cheap.

- When vendors sell Data leak prevention, you can implement a single ngrep with a predefined pattern identifying documents classification (internal, secret...etc)

- When there's a need to implement file monitoring: tripwire e.g. with fine selection of WHAT files to monitor is possible, without paying that much.

- I particularly loved this article:
"http://www.ghacks.net/2009/10/22/asset-scanning-with-nmap-and-ndiff/"

I plan to implement monitoring with nagios and scripts this way.
I personally plan to identify first in my perimeter which files to monitor and why.. It's like WAF or web app security, you can't connect a WAF and leave, which is most of the time deficient ... You have to identify first with app developers which parameter HAS to be checked with what value.. and why :)
Like in OSSEC, I first have to identify assets, apps, files to monitor..

I may be able to check all the things I want ..one day...

Anyway, Richard (and Royce !), thanks for the whois one !

Regards

tychotithonus (Royce Williams) (2010-05-23 01:05):

I like this idea, Richard. Thanks for the nudge. Here's a version that's abstracted a bit for more general use.

It looks like PRE tags aren't accepted, so please excuse the un-indented formatting.

```sh
#!/bin/sh

# Description: check whois for domains of interest.

MYDOMAINS="example.com"
MYEMAIL=royce@example.net
MYWORKDIR=/home/royce/check
DIFF=/usr/bin/diff
WHOIS=/usr/bin/whois

for domain in ${MYDOMAINS}; do

  # If the working directory does not exist, create it.
  [ ! -d ${MYWORKDIR} ] && mkdir ${MYWORKDIR}

  # If baseline files don't exist, create them.
  # (This "exit 0" ends the whole script after the first missing baseline.)
  if [ ! -f ${MYWORKDIR}/${domain}.whois.old.txt ]; then
    touch ${MYWORKDIR}/${domain}.whois.old.txt
    exit 0
  fi

  # Fetch WHOIS record for the domain.
  ${WHOIS} ${domain} > ${MYWORKDIR}/${domain}.whois.new.txt

  # Compare old and new WHOIS records.
  ${DIFF} -u ${MYWORKDIR}/${domain}.whois.old.txt \
    ${MYWORKDIR}/${domain}.whois.new.txt >/dev/null

  # If they differ, send an email.
  if [ $? != 0 ]; then
    ${DIFF} -u ${MYWORKDIR}/${domain}.whois.old.txt \
      ${MYWORKDIR}/${domain}.whois.new.txt \
      | mail -s "whois check: ${domain}" ${MYEMAIL}
  fi

  # Save state from this run.
  mv ${MYWORKDIR}/${domain}.whois.new.txt \
    ${MYWORKDIR}/${domain}.whois.old.txt

done
```

viter.net (2010-05-23 00:40):

All your post was true, but I can't do that.
Now I'm using free hosting, because I'm worried that one day the bad guys will change this domain's DNS record.
Oh sure, it wasn't an important site, but I'm afraid that someday the domain will be used to spread malware or some unaware activity, because you don't have control in real terms. And what if the interface was fake?
Finally, choose the right registrar if you want to have full control of your domain..

Richard Bejtlich (2010-05-22 21:38):

I'd say start daily. If you have an incident, increase the frequency.

Anonymous (2010-05-22 21:21):

How often would you recommend running the script looking for differences? Daily, weekly, monthly?
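The timestamp false positive that Royce and Grymoire discuss above, worked through as an added example (not code from any of the comments): it strips the registrar's "Last update of whois database" line from two WHOIS snapshots before diffing, so a change in that stamp alone stays silent while a nameserver change is reported. The sample snapshots are constructed, not real registry output, and normalize_whois, whois_diff and write_samples are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original comments: diff two WHOIS snapshots
# while ignoring the registrar's per-query database timestamp.

# Drop lines that change on every query but say nothing about the
# registration itself, and strip trailing whitespace.
normalize_whois() {
    grep -v -i 'last update of whois database' | sed 's/[[:space:]]*$//'
}

# whois_diff OLDFILE NEWFILE
# Prints a unified diff of the normalized records on stdout.
# Returns 0 when nothing substantive changed, 1 when something did.
whois_diff() {
    _old=$(mktemp) || return 2
    _new=$(mktemp) || return 2
    normalize_whois <"$1" >"$_old"
    normalize_whois <"$2" >"$_new"
    _rc=0
    diff -u "$_old" "$_new" || _rc=$?
    rm -f "$_old" "$_new"
    return "$_rc"
}

# Constructed sample snapshots (not real registry data), written to a fresh
# temp dir whose path is printed. b.txt differs from a.txt only in the
# database timestamp; c.txt also changes a nameserver.
write_samples() {
    _d=$(mktemp -d) || return 1
    printf '%s\n' 'Domain Name: EXAMPLE.COM' 'Name Server: NS1.EXAMPLE.COM' \
        '>>> Last update of whois database: Sun, 23 May 2010 12:29:08 UTC <<<' \
        >"$_d/a.txt"
    printf '%s\n' 'Domain Name: EXAMPLE.COM' 'Name Server: NS1.EXAMPLE.COM' \
        '>>> Last update of whois database: Sun, 23 May 2010 12:34:08 UTC <<<' \
        >"$_d/b.txt"
    printf '%s\n' 'Domain Name: EXAMPLE.COM' 'Name Server: NS1.EXAMPLE.NET' \
        '>>> Last update of whois database: Sun, 23 May 2010 12:39:08 UTC <<<' \
        >"$_d/c.txt"
    echo "$_d"
}

# Demonstration: the timestamp-only change is silent, the nameserver change
# is reported (in a cron job, pipe the diff to mail as in the scripts above).
samples=$(write_samples)
whois_diff "$samples/a.txt" "$samples/b.txt" && echo "a->b: no substantive change"
whois_diff "$samples/a.txt" "$samples/c.txt" || echo "a->c: CHANGED, alert"
rm -rf "$samples"
```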