grifferz · June 23, 2019 03:19
diff --git a/attackers.sh b/attackers.sh
 #!/bin/bash
 #
 # Dumb script to resolve a list of IPs to their reverse DNS and AS details.
 #
 # This directly calls whois against whois.cymru.com for each line of input
 # so if you're going to run it with hundreds of lines of input, maybe don't
 # do that and use their DNS zone instead.
 #
 # Usage
 # Pipe a list of counts and IP addresses through me like:
 #
 # $ grep badstuff /var/log/thing \
 #   | thing_to_isolate_an_IP \
 #   | sort | uniq -c | sort -rn \
 #   | attackers.sh
 #
 #
 # Then output be like:
 #
 # Count  Attacker                                       Country AS
 # -------------------------------------------------------------------------------------------------
 #    18  89.248.171.57   ( scanner20.openportstats.com) NL      INT-NETWORK, SC [AS202425]
 #     8  163.172.157.143 (143-157-172-163.rev.cloud.scaleway.com) GB      AS12876, FR [AS12876]
 #     6  104.237.134.176 (li810-176.members.linode.com) US      LINODE-AP Linode, LLC, US [AS63949]
 #     3  149.56.142.192  (       192.ip-149-56-142.net) CA      OVH, FR    [AS16276]

 printf "Count  %-45s  Country AS\n" Attacker
 printf '%.0s-' {1..97}
 echo ""
 while read count ip; do
    name=$(dig +short -x $ip | sed -e 's/\.$//')
    name="${name:-Unset reverse DNS}"

    # All this "bar" nonsense because I didn't want to have to strip the spaces.
    echo $(whois -h whois.cymru.com "-v $ip" | tail -1) \
        | while read asn bar asip bar prefix bar cc bar reg bar alloc bar asname; do
            printf "%5u  %-15s (%28s) %-7s %-10s [AS%s]\n" "$count" "$ip" "$name" "$cc" "$asname" "$asn"
          done
 done
	#!/bin/bash
	#
	# Dumb script to resolve a list of IPs to their reverse DNS and AS details.
	#
	# This directly calls whois against whois.cymru.com for each line of input
	# so if you're going to run it with hundreds of lines of input, maybe don't
	# do that and use their DNS zone instead.
	#
	# Usage
	# Pipe a list of counts and IP addresses through me like:
	#
	# $ grep badstuff /var/log/thing \
	# \| thing_to_isolate_an_IP \
	# \| sort \| uniq -c \| sort -rn \
	# \| attackers.sh
	#
	#
	# Then output be like:
	#
	# Count Attacker Country AS
	# -------------------------------------------------------------------------------------------------
	# 18 89.248.171.57 ( scanner20.openportstats.com) NL INT-NETWORK, SC [AS202425]
	# 8 163.172.157.143 (143-157-172-163.rev.cloud.scaleway.com) GB AS12876, FR [AS12876]
	# 6 104.237.134.176 (li810-176.members.linode.com) US LINODE-AP Linode, LLC, US [AS63949]
	# 3 149.56.142.192 ( 192.ip-149-56-142.net) CA OVH, FR [AS16276]

	printf "Count %-45s Country AS\n" Attacker
	printf '%.0s-' {1..97}
	echo ""
	while read count ip; do
	name=$(dig +short -x $ip \| sed -e 's/\.$//')
	name="${name:-Unset reverse DNS}"

	# All this "bar" nonsense because I didn't want to have to strip the spaces.
	echo $(whois -h whois.cymru.com "-v $ip" \| tail -1) \
	\| while read asn bar asip bar prefix bar cc bar reg bar alloc bar asname; do
	printf "%5u %-15s (%28s) %-7s %-10s [AS%s]\n" "$count" "$ip" "$name" "$cc" "$asname" "$asn"
	done
	done