Since about yesterday the internet connection has been dropping constantly, and I've been recovering it temporarily by toggling the PPPoE connection on my NEC router off and on. At first I thought the router had reached the end of its life, but that doesn't seem to be it.
I had never really looked into hacking attempts from outside before, so I took this opportunity to investigate and wrote a Tcl script that analyzes the Aterm's log.
It only occurred to me after writing it, but knowing who is accessing me doesn't help much: it's not as if I can attack them back.
Would switching to a more powerful router let it withstand the attacks? I'm not really sure. In any case I've jumped the gun and gone and ordered a La Fonera 2.0n. I had been meaning to buy one anyway, so "gone and" is a bit of a put-on.
The script does roughly the following.
- Read the log and search for the suspicious "NAT RX Not Found : TCP" lines.
- Extract the source IP address from each such line and build a histogram of the addresses.
- Submit each IP address to whois and retrieve the domain information.
- For each IP address, list its access ranking and its whois information.
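The four steps above as an added Python example (not the post's Tcl script): it parses the Aterm line format, counts only "NAT RX Not Found" packets from non-private sources (the post's own regex also matched the RX-INFO lines and excluded sources by the substring "192"), and goes one step further by ranking destination ports as well as source addresses. The sample log lines and the whois reply are constructed for this file; the whois field parser mirrors the four fields the script extracts.

```python
"""Aterm log triage: parse the NAT / IP_Filter lines, keep only unsolicited
inbound packets from external addresses, and rank sources and destination ports.
Added example, not the post's Tcl script; sample log and whois reply are constructed."""
import ipaddress
import re
from collections import Counter

# Matches both the spaced ("1.2.3.4 : 80") and unspaced ("1.2.3.4:80") host:port
# forms in the post's log. The message part is non-greedy so that lines such as
# "NAT RX-INFO TCP Synchronize Flag OFF : TCP ..." still parse.
LINE_RE = re.compile(
    r"^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msg>.+?) "
    r"(?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) ?: ?(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) ?: ?(?P<dport>\d+) "
    r"(?P<tail>\(.*\))$"
)
UNSOLICITED = "NAT RX Not Found"  # inbound packet with no NAT table entry

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].rstrip(" :")  # "NAT RX Not Found :" -> "NAT RX Not Found"
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_external_unsolicited(rec):
    """True for NAT RX Not Found packets whose source is not a private/local address.
    The post's script excluded any address containing "192", which would also drop
    external hosts such as 58.241.192.x; ipaddress.is_private is exact."""
    return rec["msg"] == UNSOLICITED and not ipaddress.ip_address(rec["src"]).is_private

def triage(lines):
    """Return (source Counter, (proto, dport) Counter, list of unparsed lines)."""
    sources, dports, unmatched = Counter(), Counter(), []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unmatched.append(line.strip())
        elif is_external_unsolicited(rec):
            sources[rec["src"]] += 1
            dports[(rec["proto"], rec["dport"])] += 1
    return sources, dports, unmatched

def ranked(counter):
    """Ranking like the post's output: highest count first, ties ordered by key."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], str(kv[0])))

WHOIS_FIELDS = ("orgname", "netname", "descr", "country")

def parse_whois(text):
    """Extract the four fields the post's script greps for; the first hit wins."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in WHOIS_FIELDS and key not in out:
            out[key] = value.strip()
    if "country" in out:
        out["country"] = out["country"].upper()  # registries mix "tr" and "TR"
    return out

# Constructed sample: lines in the post's format plus one that must not parse.
SAMPLE_LOG = """\
2010/05/04 05:23:43 NAT RX Not Found : TCP 61.115.131.79 : 58944 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:23:46 NAT RX Not Found : TCP 61.115.131.79 : 58944 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:23:59 NAT RX Not Found : TCP 58.241.15.96 : 46034 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:24:01 NAT RX Not Found : UDP 69.14.100.155 : 33784 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:24:02 NAT RX Not Found : TCP 58.241.15.96 : 46034 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:33:07 IP_Filter REJECT UDP 192.168.121.2:138 > 192.168.121.255:138 (IP-PORT=0)
2010/05/04 05:33:42 NAT RX-INFO TCP Synchronize Flag OFF : TCP 66.249.89.101 : 80 > 123.198.192.200 : 32233 (IP-PORT=7)
2010/05/04 05:34:51 NAT TX-INFO TCP Synchronize Flag OFF : TCP 192.168.121.2 : 32233 > 66.249.89.101 : 80 (IP-PORT=7)
this line is deliberately not in the Aterm format
"""
# Constructed whois reply in the style of a RIR record (not a real lookup).
SAMPLE_WHOIS = """\
% constructed reply
inetnum:      58.241.0.0 - 58.241.255.255
netname:      EXAMPLE-ADSL-USER
descr:        Example ADSL users
country:      cn
"""

if __name__ == "__main__":
    sources, dports, unmatched = triage(SAMPLE_LOG.splitlines())
    for rank, (ip, cnt) in enumerate(ranked(sources), 1):
        print(f"rank {rank}: {ip}\t{cnt}")
    print("by destination port:", ranked(dports))
    print("unparsed:", unmatched)
    print(parse_whois(SAMPLE_WHOIS))
```

On a real system.log, pass `open("system.log")` to `triage()`; the destination-port ranking shows which ports the unsolicited packets were aimed at, which is more useful for deciding what to block than the source list alone.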
Here is the script.

```tcl
#!/usr/bin/tclsh
package require http

# Example log line
# 2010/05/04 02:37:52 NAT RX Not Found : TCP 58.214.9.254 : 29538 > XXX.XXX.XXX.XXX : XXXXX (IP-PORT=7)
append ptn {^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})}
append ptn { (.+)}
append ptn { (TCP|UDP)}
append ptn { (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).?:.?(\d+)}
append ptn { >}
append ptn { (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).?:.?(\d+)}
append ptn { (.+)$}
puts "Regex pattern {$ptn}\n"

array set ipaddr {}
if {$argc == 1} {
    set logFile [lindex $argv 0]
    puts "Extract ip addresses from $logFile\n"
    if {[catch {open $logFile} ch]} {
        error $ch
    }
} else {
    error {usage: command logfile}
}

# Count the source address of every "NAT RX Not Found" line (an inbound packet
# with no NAT table entry), skipping anything that came from the LAN.
while {[gets $ch line] >= 0} {
    if {$line eq ""} {continue}
    if {![regexp $ptn $line l tim msg ptc sad spt dad dpt ipp]} {
        puts "Not match : $line"
        continue
    }
    # the pattern also matches RX-INFO/TX-INFO and IP_Filter lines, so check the message text
    if {[string first "NAT RX Not Found" $msg] < 0} {continue}
    if {[regexp {^192\.168\.} $sad]} {continue}
    if {[info exists ipaddr($sad)]} {
        incr ipaddr($sad)
    } else {
        set ipaddr($sad) 1
    }
}
close $ch

puts ""
puts "Source ip addresses extracted from lines including \"NAT RX Not Found\""
puts "IP address\t: Match count"
set ranklist [list]
foreach {ip cnt} [array get ipaddr] {
    lappend ranklist [list $ip $cnt]
}
#foreach ipcnt [lsort -index 1 -integer -decreasing $ranklist] {
#    lassign $ipcnt ip cnt
#    puts "$ip\t: [format %4d $cnt]"
#}
puts ""

# Look each address up via the whois gateway, most frequent first, and pull out
# the organisation, network name, description and country.
array set countries {}
set rank 1
foreach ipcnt [lsort -index 1 -integer -decreasing $ranklist] {
    lassign $ipcnt ip cnt
    set whoisurl "http://whois.ansi.co.jp/?key=$ip"
    if {[catch {http::geturl $whoisurl} token]} {
        puts "whois lookup failed for $ip : $token"
        incr rank
        continue
    }
    set data [http::data $token]
    puts "---------------------------"
    puts "ip : $ip"
    puts "access count : $ipaddr($ip), rank : $rank"
    foreach var {orgname netname descr country} {
        unset -nocomplain $var
        # the backslash is doubled so that \s reaches the regexp engine
        # instead of being consumed by Tcl's double-quote substitution
        regexp -nocase -linestop "${var}:\\s*(.+)" $data d $var
        if {[info exists $var]} {
            puts "$var\t: [set $var]"
            if {$var eq "country"} {
                set cc [string toupper $country]
                if {[info exists countries($cc)]} {
                    incr countries($cc)
                } else {
                    set countries($cc) 1
                }
            }
        }
    }
    http::cleanup $token
    incr rank
}

puts ""
puts "Country\t: Source addresses"
foreach cc [lsort [array names countries]] {
    puts "$cc\t: [format %4d $countries($cc)]"
}
```
Feed it the log:

```sh
tclsh ip_extractor.tcl system.log > analysis.log
```

The file that was fed to it (the router's system.log).
The results are below. The top entry seems to be someone accessing from Beijing. http://ip.corporationwiki.com/58.241.15.0/
Incidentally, the entries with no whois information shown are, I think, Japanese domains. The format is different, so the script doesn't handle it (pure laziness). I figured access from Japan isn't much of a problem.