Title: RE: [PHP] new one is it ??

Hiya again, Erik:

Here's the barely-tested but apparently functional Code Red detector.  I added some variables at the top for configuring email destinations.  The important change is that it will query ARIN, RIPE, and APNIC until it finds a reasonable answer.  In the case of ARIN, it's necessary to query twice to get the email address you REALLY want, due to the number of Tier II providers in the States.  Those don't always show up in the WHOIS. That caused me to do a bit more looping and fiddling until the answers came out the way I would expect if I were looking by eye.

It may be a bit late for Code Red, but the part of the routine that does the authority-queries is re-usable all over the place.  The code ain't pretty (I'm no PHP maven YET :-) but it appears to do the job.

Enjoy!
Bill


-----Original Message-----
From: Erik H. Mathy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 14, 2001 3:43 PM
To: Bill Farrell
Subject: RE: [PHP] new one is it ??


No worries. I'm not going to get all worked up when something that's free takes a bit longer than expected! :)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 14, 2001 2:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] new one is it ??


Hey!
Just wanted to let ya know that I didn't get time to work on it last night, but have been playing with it through the day.  I should finish the thing tonight and test it.

I hadn't forgot ya!
Regards,
B
-----Original Message-----
From: Erik H. Mathy [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 1:44 PM
To: Bill Farrell
Subject: RE: [PHP] new one is it ??


You da man! You da man!
Or, in other words, that's awesome and, um, I'll take a copy when you're
done. ;)
- Erik
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 13, 2001 12:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [PHP] new one is it ??
>
>
> Way cool... with a bit of work, one could query ARIN, RIPE, and APNIC until
> an answer was received (that's what I'm modifying it to do) else die. With
> the timeout set to "forever", what would we care if it takes a few extra
> seconds to go spy-out a potential (would-be-if-we-were-running-IIS) intruder.
>
> The author made a really nifty framework and left it pretty easy to modify.
> I already swiped a copy (thanks, Mark!!) and am having a ball adding my own
> "bends" to it.
>
> Tim, the part that does the WHOIS query is only querying RIPE.  I'm
> modifying mine to loop through a known set of authorities (right now, the
> three I mentioned above) and to set a flag ($IGotIt or something I can test
> afterward with "if ( $IGotIt ) { yaddayadda }"), and to quit looking when it
> gets a reasonable answer.
>
> If I get it working before anyone else (doubtful, I'm still a bit slow with
> PHP and I'm also at work), I'd be more than happy to share.
>
> CY'all,
> Bill
>
> -----Original Message-----
> From: Tim [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 13, 2001 1:16 PM
> To: Mark Roedel
> Cc: Mark Lo; php general
> Subject: RE: [PHP] new one is it ??
>
>
> That's pretty cool.   Alas, the 'whois' part of the code doesn't work
> properly (at least on my system).
>
> - Tim
>
> On 13 Aug 2001 10:21:45 -0500, Mark Roedel wrote:
> > I rather liked this approach that I saw posted in another list:
> >
> >     http://www.klippan.seths.se/default.phps
> >
> > (Does some hostname/whois lookups on the infected server and attempts to
> > email some people who might be able to do something about it.)
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
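
The authority loop described in this thread, sketched as an added example; it is not Bill's script or the klippan.seths.se code. The function names, the "reply contains an e-mail address" test for a reasonable answer, the handle pattern used for the second query, and the canned replies are all assumptions made for illustration.

```php
<?php
// Added illustration; not the script from this thread.
$authorities = ['whois.arin.net', 'whois.ripe.net', 'whois.apnic.net'];

// Plain WHOIS (RFC 3912): send the query plus CRLF to TCP port 43, read until close.
function whois_query(string $server, string $query): string {
    $sock = @fsockopen($server, 43, $errno, $errstr, 10);
    if ($sock === false) return '';
    stream_set_timeout($sock, 10);
    fwrite($sock, $query . "\r\n");
    $out = stream_get_contents($sock);
    fclose($sock);
    return $out === false ? '' : $out;
}

// Assumption: a "reasonable answer" is a reply carrying at least one e-mail address.
function extract_emails(string $response): array {
    preg_match_all('/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i', $response, $m);
    return array_values(array_unique(array_map('strtolower', $m[0])));
}

// Try each authority in order and stop at the first reasonable answer.
function find_contacts(string $ip, array $authorities, callable $lookup): array {
    $miss = ['found' => false, 'server' => null, 'emails' => []];
    // The address comes from a request log, so validate it before it goes on the wire.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) return $miss;
    foreach ($authorities as $server) {
        $reply = $lookup($server, $ip);
        // Assumption: a reply listing a handle in parentheses needs a second query on it.
        if (preg_match('/\((NET[A-Z0-9-]*)\)/', $reply, $h)) {
            $reply = $lookup($server, $h[1]);
        }
        $emails = extract_emails($reply);
        if ($emails) return ['found' => true, 'server' => $server, 'emails' => $emails];
    }
    return $miss;
}

// Constructed replies so this runs offline; pass 'whois_query' for live lookups.
$canned = [
    'whois.arin.net|192.0.2.10'    => "Example ISP (NET-EXAMPLE-1) 192.0.2.0 - 192.0.2.255\n",
    'whois.arin.net|NET-EXAMPLE-1' => "No contact on record\n",
    'whois.ripe.net|192.0.2.10'    => "inetnum: 192.0.2.0 - 192.0.2.255\ne-mail: abuse@example.net\n",
];
$fake = function (string $server, string $query) use ($canned): string {
    return $canned["$server|$query"] ?? '';
};
print_r(find_contacts('192.0.2.10', $authorities, $fake));
```

The `found` key plays the role of the `$IGotIt` flag. Addresses pulled from a WHOIS reply are untrusted input, so they should be checked again before being passed to a mail function.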
