
Conference powdml::pc_security

Title:PERSONAL COMPUTER SECURITY
Notice:SWEEP servers Note 5; more info on www-is-security.mso.dec.com
Moderator:BSS::BOREN
Created:Wed Jan 02 1991
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:504
Total number of notes:2905

495.0. "Looking up ALL-IN-1 sender of infected docs" by EINE::ANDERSON (Partial Parrothead) Thu Apr 03 1997 03:17

    For you managers of ALL-IN-1 systems, I have mangled up some com files
    to help identify which evil people sent the infected documents found
    in the ALL-IN-1 file cabinet overnight by SWEEP. 
    
    I tweaked SHARED_MAIL.COM so it never asks questions, and use this
    to lookup the document details. 
    
    I wrote a yukky LOOKUP_ALLIN1.COM to create a temp com file to
    drive SHARED_MAIL to lookup document details and pull the details into
    an email that can be posted to whoever. I setup SCHEDULER so that
    LOOKUP_ALLIN1 runs after the VSWEEP jobs on the cluster. 
    
    I'll post these tiny com files as replies.
    
    Regards
    Keith
495.2  shared_mail.com  EINE::ANDERSON (Partial Parrothead)  Thu Apr 03 1997 03:19  197 lines
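$!
$!	Routine Name	: SHARED_MAIL.COM
$!
$!	Author		: Richard Griffiths
$!
$!	Date		: 2-FEB-1996
$!
$!	Version		: V1.1
$!
$!	Description	: Routine to find who owns a file within the shared
$!			  mail directory.  Every DOCDB.DAT found on the local
$!			  disks is searched for a message pointer to the file;
$!			  when one is found the folder, subject and sender are
$!			  reported.  A file that is not a message itself is
$!			  looked up in the sDAF files (OA$SHARy:OA$DAF_y.DAT)
$!			  to find the message it is attached to, and the
$!			  routine calls itself for that message.
$!
$!	Parameters	: P1 - shared file to look up; prompted for when blank.
$!			  P2 - "RECURSIVE" when the routine invokes itself: the
$!			       output file is then already open and is not
$!			       re-created.
$!
$!	Output		: SYS$LOGIN:SHARED_MAIL.LIS (created by the first,
$!			  non-recursive call) plus the same text on SYS$OUTPUT.
$!			  SYS$LOGIN:DOCDB.LIS caches the list of DOCDB.DAT
$!			  files and is rebuilt when missing or over a week old.
$!
$!	Change History	: V1.0  2-FEB-1996  Richard Griffiths
$!			  V1.1  (review)    Keep the physical device name for
$!			                    the fallback when no DISK$ logical
$!			                    exists; a P1 that does not exist
$!			                    no longer loops forever; the output
$!			                    file is closed and temporary files
$!			                    removed on every exit path; a
$!			                    message attached to itself no
$!			                    longer recurses without end.
$!
$!----------------------------------------------------------------------------------------------------------------------------------
$!		Routine requires user to have READALL or BYPASS privilege
$!		(it reads other users' DOCDB.DAT files and the shared areas).
$!
$set noon
$ IF .NOT.F$PRIVILEGE("BYPASS").AND..NOT.F$PRIVILEGE("READALL")
$ THEN
$	WRITE SYS$OUTPUT " "
$	WRITE SYS$OUTPUT " This procedures requires either READALL or BYPASS privilege.  No action taken."
$	WRITE SYS$OUTPUT " "
$	EXIT
$ ENDIF
$!		Get a directory listing of DOCDB.DAT files if required.
$!		The interactive "generate a new one?" prompt was removed so
$!		the procedure can run unattended from a batch/scheduler job:
$!		the list is always rebuilt when it is more than 7 days old.
$!
$ PID = F$GETJPI("","PID")
$ FIND_DOCDBS = 0
$ IF F$SEARCH("SYS$LOGIN:DOCDB.LIS").EQS.""
$ THEN
$	FIND_DOCDBS = 1
$ ELSE
$	IF F$CVTIME(F$FILE("SYS$LOGIN:DOCDB.LIS","CDT"),,"DATE").LTS.F$CVTIME("-7-0",,"DATE") THEN FIND_DOCDBS = 1
$ ENDIF
$!
$ IF FIND_DOCDBS
$ THEN 
$LOOP1:
$	DEV = F$DEVICE("*D*","DISK",)
$	IF DEV .EQS. "" THEN GOTO END_LOOP1
$	MEDIA_TYPE = F$GETDVI(DEV,"MEDIA_TYPE")
$	IF F$GETDVI(DEV,"SHDW_MEMBER") .EQS. "FALSE" .AND. -					! Not a shadow member
	(MEDIA_TYPE.EQS."DU" .OR. MEDIA_TYPE.EQS."DK" .OR. -				! DU or DK device media type
	MEDIA_TYPE.EQS."DI" .OR. MEDIA_TYPE.EQS."DJ") .AND. -				! DJ or DI device media type
	F$GETDVI(DEV,"SWL") .EQS. "FALSE" .AND. -						! Not software write locked
	F$GETDVI(DEV,"MNT") .EQS. "TRUE"  .AND. -						! Mounted
	F$GETDVI(DEV,"ALL") .EQS. "FALSE" .AND. -						! Not allocated
	F$GETDVI(DEV,"FOR") .EQS. "FALSE" .AND. -						! Not mounted foreign
	F$GETDVI(DEV,"VOLNUMBER") .EQ. 1							! Primary volume member
$	THEN
$!
$!		Remove leading underscore from device name
$!
$		IF F$EXTRACT(0,1,DEV) .EQS. "_" THEN DEV = DEV - "_"
$!
$!		If this device can be defined by a logical name in the 
$!		form DISK$volumelabel then use this instead of the physical name.
$!		The physical name is kept in PHYS_DEV: V1.0 overwrote DEV first
$!		and then did the fallback lookup with an empty device name.
$!		The fallback is the physical name itself - a bare volume label
$!		is not a usable device specification.
$!
$		PHYS_DEV = DEV
$		DEV = F$GETDVI(PHYS_DEV,"LOGVOLNAM") 
$		IF DEV.EQS."" THEN DEV = PHYS_DEV
$!
$		WRITE SYS$OUTPUT "  Looking for DOCDB.DAT files on ''DEV'"
$		DIRECTORY/NOHEAD/NOTRAIL/OUTPUT=SYS$LOGIN:DOCDB_'DEV'_'PID'.TMP 'DEV':[*...]DOCDB.DAT
$	ENDIF
$	GOTO LOOP1
$END_LOOP1:
$	COPY SYS$LOGIN:DOCDB_*_'PID'.TMP SYS$LOGIN:DOCDB.LIS
$	DELETE SYS$LOGIN:DOCDB_*_'PID'.TMP;*
$	WRITE SYS$OUTPUT "  Created file SYS$LOGIN:DOCDB.LIS"
$ ENDIF
$!----------------------------------------------------------------------------------------------------------------------------------
$!		Get shared file to search for.  A name supplied in P1 (batch or
$!		recursive call) that does not exist is an error: V1.0 jumped back
$!		and re-tested the same P1 forever.  Only an interactively typed
$!		name is prompted for again.
$!
$ SHARED_FILESPEC = P1
$LOOP2:
$ IF SHARED_FILESPEC.EQS."" THEN READ/PROMPT="* Give shared filename: " SYS$OUTPUT SHARED_FILESPEC
$ IF F$SEARCH(SHARED_FILESPEC).NES."" THEN GOTO HAVE_FILE
$ WRITE SYS$OUTPUT "  File ''SHARED_FILESPEC' not found."
$ IF P1.NES."" THEN GOTO ABORT
$ SHARED_FILESPEC = ""
$ GOTO LOOP2
$HAVE_FILE:
$!
$!		Ensure filespec in format OA$SHARy:file.typ
$!
$ IF F$LOCATE("[",SHARED_FILESPEC).NE.F$LENGTH(SHARED_FILESPEC)
$ THEN
$	DIRE_SPEC = F$PARSE(SHARED_FILESPEC,,,"DIRECTORY")
$	SHARED_DIRECTORY = F$ELEMENT(1,".",DIRE_SPEC) - "]" + ":"
$	FILE_NAME = F$PARSE(SHARED_FILESPEC,,,"NAME")
$	FILE_TYPE = F$PARSE(SHARED_FILESPEC,,,"TYPE")
$	SHARED_FILESPEC = "OA$" + SHARED_DIRECTORY + FILE_NAME + FILE_TYPE 
$ ENDIF
$!----------------------------------------------------------------------------------------------------------------------------------
$!		Search all the DOCDB.DAT files for this message file.
$!		OUTFILE is a process logical, so a recursive call writes to the
$!		file opened by its caller.
$!
$ IF P2.NES."RECURSIVE"
$ THEN
$	OPEN/WRITE OUTFILE SYS$LOGIN:SHARED_MAIL.LIS
$	WRITE OUTFILE " "
$ ENDIF
$ OPEN/READ/SHARE INFILE SYS$LOGIN:DOCDB.LIS
$ SET MESSAGE/NOF/NOI/NOS/NOT
$ FILE_FOUND = 0
$LOOP3:
$ READ/END=END_LOOP3 INFILE LINE
$ DOCDB = F$ELEMENT(0,";",LINE)
$ SEARCH/NOOUTPUT 'DOCDB' 'SHARED_FILESPEC'
$ IF $SEVERITY.EQ.1
$ THEN
$	FILE_FOUND = 1
$	WRITE OUTFILE    "  Message pointer ''SHARED_FILESPEC' found in ''DOCDB'"
$	WRITE SYS$OUTPUT "  Message pointer ''SHARED_FILESPEC' found in ''DOCDB'"
$!		Convert the matching DOCDB record to fixed 255-byte records so
$!		the fields can be picked out by column (offsets assume the
$!		DOCDB.DAT record layout in use at the time - verify on upgrade).
$	SEARCH/OUTPUT=SYS$LOGIN:SHARED_MAIL_'PID'.TMP4 'DOCDB' 'SHARED_FILESPEC'
$	EXCHANGE/NET/FDL=SYS$INPUT SYS$LOGIN:SHARED_MAIL_'PID'.TMP4 SYS$LOGIN:SHARED_MAIL_'PID'.TMP5
RECORD; FORMAT FIXED; SIZE 255
$	OPEN/READ INFILE2 SYS$LOGIN:SHARED_MAIL_'PID'.TMP5
$	READ INFILE2 LINE
$	CLOSE INFILE2
$	WRITE OUTFILE "    Folder :    " + F$EDIT(F$EXTRACT(1,31,LINE),"TRIM")
$	WRITE OUTFILE "    Subject:    " + F$EDIT(F$EXTRACT(115,72,LINE),"TRIM")
$	WRITE OUTFILE "    Sender :    " + F$EDIT(F$EXTRACT(187,30,LINE),"TRIM")
$	WRITE OUTFILE " "
$	WRITE SYS$OUTPUT "    Folder :    " + F$EDIT(F$EXTRACT(1,31,LINE),"TRIM")
$	WRITE SYS$OUTPUT "    Subject:    " + F$EDIT(F$EXTRACT(115,72,LINE),"TRIM")
$	WRITE SYS$OUTPUT "    Sender :    " + F$EDIT(F$EXTRACT(187,30,LINE),"TRIM")
$	WRITE SYS$OUTPUT " "
$ ENDIF
$ GOTO LOOP3
$END_LOOP3:
$ SET MESSAGE/F/I/S/T
$ CLOSE INFILE
$!
$ IF FILE_FOUND.EQ.1
$ THEN
$!
$!		End of search - file located in DOCDB.DAT file(s).
$!
$	CLOSE OUTFILE
$	WRITE SYS$OUTPUT "  File SYS$LOGIN:SHARED_MAIL.LIS created."
$	DELETE SYS$LOGIN:SHARED_MAIL_'PID'.TMP*;*
$	EXIT
$ ENDIF
$!----------------------------------------------------------------------------------------------------------------------------------
$!		File not found in DOCDBs - must be an attachment.
$!		Search sDAF files for file to which this message is attached.
$!		The area letter follows the 7-character "OA$SHAR" prefix; its
$!		own sDAF is tried first, then every other defined area.
$!
$ AREA = F$EXTRACT(7,1,SHARED_FILESPEC)
$ SET MESSAGE/NOF/NOI/NOS/NOT
$ SEARCH/OUTPUT=SYS$LOGIN:SHARED_MAIL_'PID'.TMP  OA$SHAR'AREA':OA$DAF_'AREA'.DAT "''SHARED_FILESPEC'"
$ SEARCH/OUTPUT=SYS$LOGIN:SHARED_MAIL_'PID'.TMP2 SYS$LOGIN:SHARED_MAIL_'PID'.TMP "''SHARED_FILESPEC'    "/MATCH=NAND
$ SEVERITY = $SEVERITY
$ SET MESSAGE/F/I/S/T
$ DELETE SYS$LOGIN:SHARED_MAIL_'PID'.TMP;*
$ IF SEVERITY.NE.1
$ THEN
$	SDAFS = ""
$	IF F$TRNLNM("OA$SHARA").NES."".AND.AREA.NES."A" THEN SDAFS = SDAFS + "OA$SHARA:OA$DAF_A.DAT,"
$	IF F$TRNLNM("OA$SHARB").NES."".AND.AREA.NES."B" THEN SDAFS = SDAFS + "OA$SHARB:OA$DAF_B.DAT,"
$	IF F$TRNLNM("OA$SHARC").NES."".AND.AREA.NES."C" THEN SDAFS = SDAFS + "OA$SHARC:OA$DAF_C.DAT,"
$	IF F$TRNLNM("OA$SHARD").NES."".AND.AREA.NES."D" THEN SDAFS = SDAFS + "OA$SHARD:OA$DAF_D.DAT,"
$	IF F$TRNLNM("OA$SHARE").NES."".AND.AREA.NES."E" THEN SDAFS = SDAFS + "OA$SHARE:OA$DAF_E.DAT,"
$	SDAFS = SDAFS + "ZZZ" - ",ZZZ"				! Remove trailing comma.
$	SET MESSAGE/NOF/NOI/NOS/NOT
$	SEARCH/OUTPUT=SYS$LOGIN:SHARED_MAIL_'PID'.TMP  'SDAFS' "''SHARED_FILESPEC'"/NOHEAD 
$	SEARCH/OUTPUT=SYS$LOGIN:SHARED_MAIL_'PID'.TMP2 SYS$LOGIN:SHARED_MAIL_'PID'.TMP "''SHARED_FILESPEC'    "/MATCH=NAND
$	SEVERITY = $SEVERITY
$	SET MESSAGE/F/I/S/T
$	DELETE SYS$LOGIN:SHARED_MAIL_'PID'.TMP;*
$	IF SEVERITY.NE.1
$	THEN
$		WRITE SYS$OUTPUT "  File ''SHARED_FILESPEC' not referenced in any of the sDAF files."
$		GOTO ABORT
$	ENDIF
$ ENDIF
$ EXCHANGE/NET/FDL=SYS$INPUT SYS$LOGIN:SHARED_MAIL_'PID'.TMP2 SYS$LOGIN:SHARED_MAIL_'PID'.TMP3
RECORD; FORMAT FIXED; SIZE 80
$ DELETE SYS$LOGIN:SHARED_MAIL_'PID'.TMP2;*
$ OPEN/READ INFILE SYS$LOGIN:SHARED_MAIL_'PID'.TMP3
$ READ INFILE LINE
$ CLOSE INFILE
$ DELETE SYS$LOGIN:SHARED_MAIL_'PID'.TMP3;*
$ NEW_SHARED_FILESPEC = F$EDIT(F$EXTRACT(F$LOCATE("OA$SHAR",LINE),40,LINE),"TRIM")
$!
$!		A record that names the file itself, or no OA$SHAR name at all,
$!		would make the recursive call below run without end.
$!
$ IF NEW_SHARED_FILESPEC.EQS."" .OR. NEW_SHARED_FILESPEC.EQS.SHARED_FILESPEC
$ THEN
$	WRITE SYS$OUTPUT "  Cannot determine which message ''SHARED_FILESPEC' is attached to."
$	GOTO ABORT
$ ENDIF
$ WRITE OUTFILE    "  File ''SHARED_FILESPEC' is attached to ''NEW_SHARED_FILESPEC'"
$ WRITE SYS$OUTPUT "  File ''SHARED_FILESPEC' is attached to ''NEW_SHARED_FILESPEC'"
$ @'F$ENVIRONMENT("PROCEDURE") "''NEW_SHARED_FILESPEC'" "RECURSIVE"
$ EXIT
$!----------------------------------------------------------------------------------------------------------------------------------
$!		Error exit - nothing more can be found out about the file.
$!		Close SHARED_MAIL.LIS if this or a calling invocation opened it
$!		(nobody else will) and remove any temporary files left behind.
$!
$ABORT:
$ IF F$TRNLNM("OUTFILE").NES."" THEN CLOSE OUTFILE
$ IF F$SEARCH("SYS$LOGIN:SHARED_MAIL_''PID'.TMP*").NES."" THEN DELETE SYS$LOGIN:SHARED_MAIL_'PID'.TMP*;*
$ EXIT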
495.3  lookup_allin1.com  EINE::ANDERSON (Partial Parrothead)  Thu Apr 03 1997 19:31  94 lines
    The lines marked with ****** must be changed for your site.
    
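$	set noon
$	set noverify
$	on control_y then goto error
$	write sys$output -
 "Lookup information about documents in shared areas of ALL-IN-1 File Cabinet" 
$	write sys$output "Documents detected by VSWEEP to have viruses"
$	write sys$output  ""
$! If VSWEEP finds any new viruses in the ALLIN-1 file cabinet, then 
$! lookup the owner/source using ye old SHARED_MAIL.COM and send result
$! as email to whoever.
$!
$! Flow:  today's VSWEEP "wide" report files  -> temp1.tmp (list of report names)
$!        each infected OA$SHARE file name    -> temp2.tmp (generated DCL that
$!                                               runs SHARED_MAIL.COM per file)
$!        output of running temp2.tmp         -> temp3.tmp, mailed and then typed.
$! The temp files are created in the job's default directory and are not
$! unique per process, so run only one copy of this procedure at a time.
$! 
$! ****** change for your site: directory holding VSWEEP and SHARED_MAIL.COM
$ vsweep$dir == "DISK$USER2:[VSWEEP]"
$ reports$dir = vsweep$dir - "]" + ".REPORTS]"
$! Characters accepted in a file name before it is copied into the generated
$! command file (upper-case VMS file specification characters plus space).
$ legal_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$_-.:;[]<> "
$
$	write sys$output  "Checking SWEEP report files..."
$!	any new VSWEEP WIDE report files (the ;0 picks the latest version only)
$!	NOTE(review): "directx" is not a standard DCL verb nor an abbreviation
$!	of DIRECTORY - presumably a site symbol; confirm it is defined for the job.
$	directx /since=today 'reports$dir'vsweep_*_wide.txt;0/out=temp1.tmp-
    	/col=1/nohead/notrail
$	if .not. $status then goto end1
$
$	count	= 0
$	skipped	= 0
$	! if the list cannot be opened treat it as "no new reports" (end1);
$	! "end" would try to close an outfile that is not open yet
$	open/error=end1 infile1	temp1.tmp
$	! now scan each report file...
$	open/write outfile	temp2.tmp
$	write outfile	"$ write sys$output ""Start time ",f$cvtime(),""""
$
$ file_loop:
$	! get filename of new WIDE report file
$	read/end=end infile1 file1
$	write sys$output file1
$	if file1 .eqs. "" then goto end
$
$	! open that WIDE report file
$	open/read infile2 'file1
$ read_loop:
$	! get each infected file name out of that report file
$	! (column 16 onwards of the report line - layout of the WIDE report)
$	read/end=end_read_loop infile2 line
$	filename = f$edit(f$extract(16,90,line),"COMPRESS")
$	write sys$output "   ",filename
$	! if the filename contains OA$SHARE then its one we want
$	! NOTE(review): SHARED_MAIL.COM handles areas OA$SHARA..OA$SHARE;
$	! matching on "OA$SHAR" would cover all of them - confirm which the site uses.
$	if f$locate("OA$SHARE",filename) .eq. f$length(filename) then goto read_loop
$	! The name is written into a DCL command file that later runs with
$	! READALL/BYPASS privilege, so anything that is not a plain file
$	! specification (quotes, apostrophes, control characters, ...) is
$	! reported and skipped rather than executed.
$	name_ok = 1
$	uname = f$edit(filename,"UPCASE")
$	i = 0
$ check_loop:
$	if i .ge. f$length(uname) then goto check_done
$	if f$locate(f$extract(i,1,uname),legal_chars) .eq. f$length(legal_chars) then name_ok = 0
$	i = i + 1
$	goto check_loop
$ check_done:
$	if .not. name_ok
$	then
$	   skipped = skipped + 1
$	   write sys$output "   *** skipped - unexpected characters in file name"
$	   goto read_loop
$	endif
$	! you're the one that I want, oo-oo-oo
$	count	= count + 1
$	write outfile	"$ write sys$output "" """
$	write outfile	"$ write sys$output ""***",filename,"***"""
$	write outfile	"$ @",vsweep$dir,"shared_mail ",filename
$	goto read_loop
$ end_read_loop:
$	write outfile	"$ write sys$output "" """
$	write outfile	"$ write sys$output ""End time ",f$cvtime(),""""
$	close infile2
$ 	goto file_loop
$
$ end:
$	close outfile
$	close infile1
$	delete temp1.tmp;
$	if skipped .gt. 0 then write sys$output "Skipped ",skipped," file name(s) with unexpected characters."
$	if count .gt. 0 
$	then
$	    write sys$output  "Have built list of infected files."
$	    write sys$output  "Now looking up document information..."
$	    ! we have now a temp2.tmp command file containing the DCL to lookup
$	    ! the owners of infected files. 
$	    @temp2.tmp/out=temp3.tmp
$ 	    write sys$output  ""
$	    write sys$output  "Sending mail about the documents..."
$! ****** change for your site: recipient of the report mail (currently the SYSTEM account)
$	    mail/subj="UA:Viruses found in shared areas of ALL-IN-1 File Cabinet" -
		temp3.tmp system
$	    delete temp2.tmp;
$	    write sys$output  " "
$	    write sys$output  "Mail sent contains:"
$	    type temp3.tmp
$	    ! temp3.tmp only exists on this branch
$	    delete temp3.tmp;
$	else
$	    write sys$output  "No infected documents in ALLIN1 shares."
$	    ! the generated command file was written but never run
$	    delete temp2.tmp;
$	endif
$	write sys$output  ""
$	write sys$output  "Exit."
$	exit
$ error:
$	! interrupted (control-y): close whatever is open and remove all temp files
$	write sys$output  "Cleanup..."
$	close infile1
$	close infile2
$	close outfile
$	delete temp1.tmp;,temp2.tmp;,temp3.tmp;
$	exit
$ end1:
$	write sys$output  "No new virus WIDE report files found."
$	delete temp1.tmp;
$	exit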