#!/bin/bash

# --------------

# Name: hostile-host-check
# Purpose: Check an IP address against DShield's hostile host database to
# determine if others are seeing hostile activity from a host at that
# IP address.
# Usage: hostile-host-check ip_address

# Example:

# $ ./hostile-host-check 207.46.193.254
# Name: wwwtk2test2.microsoft.com
# GeoIP Country Edition: US, United States
# DShield First Reported: 2009-07-30
# DShield Most Recent Report: 2009-12-29
# DShield URL: http://www.dshield.org/ipdetails.html?ip=207.46.193.254

# Created: January 8, 2010
# Last updated: August 9, 2016
# Version: 1.0a

# ---------------

# Determine the Fully Qualified Domain Name (FQDN), if any,
# associated with the given IP address

DetermineFQDN() {
fqdn=`host $ip`
#
# At this point, the value for fqdn will be in one of the 2 forms shown below:
#
# 25.219.133.198.in-addr.arpa domain name pointer www.cisco.com.
# Host 1.0.168.192.in-addr.arpa not found: 3(NXDOMAIN)
#
# Strip out everything up to and including .arpa
# See http://tldp.org/LDP/abs/html/string-manipulation.html
fqdn=${fqdn#*arpa}
# If a name was not found, strip away ": 3(NXDOMAIN)"
remove=':*NXDOMAIN)'
fqdn=${fqdn%$remove}
# If a name was found, strip away " domain name pointer " then remove the 
# period from the end of the name.
remove=' domain name pointer '
fqdn=${fqdn#$remove}
fqdn=${fqdn%.}
}

# ---------------

# DShield Check

DShield_Check() {

outfile="dshield_tmp.html"
url='http://www.dshield.org/ipinfo.html?ip='${ip}
# The same line contains the date a report was first submitted and the
# date of the most recent report
noentries='<td align="right">Most Recent Report: </td><td><a href="/date.html?'

# wget by default will use "wget x.y.z" for the "user-agent" header it sends
# to a webserver, where x.y.z is the version of wget, e.g. 1.8.2. DShield
# is apparently now blocking access based on the user-agent header.
# If wget uses its default header, DShield will display "Sorry. This page may 
# not be spidered." By having wget pretend to be Internet Explorer, the page 
# can still be retrieved. 
wget --user-agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" --quiet --output-document=$outfile $url
dshield_search=`grep "$noentries" $outfile`
dshield_first=${dshield_search#*date.html?date=}
dshield_last=${dshield_search##*date.html?date=}
remove='"*table>'
dshield_first=${dshield_first%%$remove}
dshield_last=${dshield_last%%$remove}
 
}

# ---------------

# Usage: hostile-host-check ip_address

if [ -z "$1" ]
then
  scriptname=`basename $0`
  echo "Usage $scriptname ip_address"
  exit
fi

ip=$1 

DetermineFQDN
DShield_Check

echo "Name: $fqdn"
geoiplookup $ip
echo "DShield First Reported: $dshield_first"
echo "DShield Most Recent Report: $dshield_last"
echo "DShield URL: http://www.dshield.org/ipinfo.html?ip=$ip"