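# (c) Dinko Korunic, 2006.
# Apache log analyser for Mambo exploits
#
# Reads Apache access-log lines from the files named on the command line (or
# from STDIN) and prints three sorted, de-duplicated sets: the requesting
# hosts, the remote URI each request tried to pull in through
# mosConfig_absolute_path, and the cmd= payload that would have run had the
# inclusion succeeded.  Output format is unchanged from the original script.
use strict;
use warnings;

# Request line of the classic Mambo "mosConfig_absolute_path" remote file
# inclusion probe, field by field: client host, the two literal "-" fields
# (identd / auth user), anything up to the quoted GET, then the index.php
# query string.  The "?&cmd=" and the trailing "?" are literal parts of the
# probe URL and are kept exactly as the original pattern expected them.
my $attack_re = qr{
    \A (?<source>\S+) [ ] - [ ] - [ ] .+ [ ] "GET [ ]
    /index\.php\?_REQUEST\[option\]=com_content&_REQUEST\[Itemid\]=1&GLOBALS=
    &mosConfig_absolute_path=(?<uri>.+)\?&cmd=(?<cmd>.+)\?
}xi;

# URLdecode: undo application/x-www-form-urlencoded escaping.
#   '+' becomes a space and every %XX pair becomes the byte it names.
#   Returns the decoded copy; the argument itself is not modified.
# The original additionally ran an empty-pattern `s///g`; in Perl an empty
# pattern reuses the last successfully matched regex instead of matching
# nothing, so its effect depended on whatever matched before the call.
# It is dropped here rather than guessed at.
sub URLdecode {
    my ($encoded) = @_;
    my $decoded = $encoded;
    $decoded =~ tr/+/ /;
    $decoded =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/eg;
    return $decoded;
}

# _printable: make an attacker-supplied string safe to echo to a terminal.
#   Decoded payloads can carry control bytes (ESC, CR, NUL, ...) that a
#   terminal would act on; every byte outside printable ASCII is rendered
#   as \xNN so the report shows what was logged without the terminal
#   interpreting it.  Returns the escaped copy.
sub _printable {
    my ($text) = @_;
    $text =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord($1))/eg;
    return $text;
}

# _report: print a heading, the sorted members of a set (one per line),
#   then a blank separator line.
#   $heading - text printed on the first line
#   $set     - hashref whose keys are the members to list
sub _report {
    my ($heading, $set) = @_;
    print "$heading\n";
    for my $record (sort keys %{$set}) {
        print _printable($record), "\n";
    }
    print "\n";
    return;
}

# main: scan the input and print the three reports.
sub main {
    my %attackers;    # client host (label or IP) of every matching request
    my %address;      # remote URI the probe tried to include
    my %commandset;   # shell payload passed as cmd=
    # NOTE: the magic <> opens each @ARGV entry with 2-arg open semantics, so
    # an argument like "|cmd" or ">file" is interpreted rather than read.
    # Pass only trusted paths (Perl 5.22+ offers <<>> for 3-arg semantics).
    while (my $line = <>) {
        next if $line !~ $attack_re;
        $attackers{ $+{source} }           = 1;
        $address{ URLdecode($+{uri}) }     = 1;
        $commandset{ URLdecode($+{cmd}) }  = 1;
    }
    _report('Attackers DNS labels or IPs:',        \%attackers);
    _report('Source URI for Mambo exploits:',      \%address);
    _report('Attack commandset [when exploited]:', \%commandset);
    return;
}

# Run only when executed as a script; lets the file be required by tests.
main() unless caller;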