DOH!  Thanks for the heads-up, David.  Here's the code I promised.

My apologies!

Bill
-------8<-------8<-------8<-------8<-------8<-------8<-------8<-

<?php
  /*

    Code red autoresponder does the following:
    - Checks the whois for the attacking host
    - Emails the offender's Internet Service Provider, supplying hostname, target and date
    - Stores the attack into a file with information if email has been sent
      or:
    - Stores the attack into /var/log/syslog

    In order for this script to function, you need the following:
    - Add .ida to AddType application/x-httpd-php in httpd.conf
    - A writable directory for the user running the webserver or:
    - A file called code-red_ips.txt in your $path which has mode 770

    bad2da / Efnet #php

#############################################
08/13/2001 jwwf ([EMAIL PROTECTED]) Substantially modified to examine
                all the root authorities, not just RIPE.  Authorities can be
                added or removed at liberty by changing the $Authorities array.

  */

  /* Configuration */

  $name = "admin";
  $from = "you@yourmailbox";
  $DefaultSendTo = "you@youradminmailbox";
  $path = "/lib/www/html";
  $logt = "syslog"; // file or syslog

  // jwwf Patch to use all available authorities until we find this guy.  There
  // are more than just these three, and APNIC may automatically refer.
  $Authorities = array( 'whois.arin.net', 'whois.ripe.net', 'whois.apnic.net' );

  /* Define Variables */
  $date = date("r");

  /* Is the client behind a proxy? */
  if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
  {
   $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
  }
  elseif (!empty($_SERVER['HTTP_VIA']))
  {
   $ip = $_SERVER['HTTP_VIA'];
  }
  elseif (!empty($_SERVER['REMOTE_ADDR']))
  {
   $ip = $_SERVER['REMOTE_ADDR'];
  }
  else
  {
   die();
  }

  /* The proxy headers are supplied by the client and $ip ends up on a shell
     command line below, so accept nothing but a literal IP address.
     X-Forwarded-For may carry a comma-separated chain; the first entry is the client. */
  $ip = trim(explode(",", $ip)[0]);
  if (filter_var($ip, FILTER_VALIDATE_IP) === false)
  {
   die();
  }

  $host = gethostbyaddr($ip);
  $HTTP_HOST = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : php_uname("n");


  /* Define email message */
  // jwwf refine spelling *just* a bit.
  $subject = "Code Red Infection Attempt from $ip to $HTTP_HOST";

  $message =  "At $date we received a Code Red Infection attempt on our $HTTP_HOST from a webserver on your network, namely, ";
  $message .= "$ip. We would like to help you out in preventing hosts from your network from ";
  $message .= "infecting any more hosts on the internet and in putting a stop to the worm\n\n\n";

  $message .= "Information about the Code Red Virus Worm\n\n";

  $message .= "A Very Real and Present Threat to the Internet:\n\n";

  $message .= "Install the patch today\n\n";

  $message .= "Summary: The Code Red Worm and mutations of the worm pose a continued ";
  $message .= "and serious threat to Internet users. Immediate action is required to ";
  $message .= "combat this threat. Users who have deployed software that is vulnerable ";
  $message .= "to the worm (Microsoft IIS Versions 4.0 and 5.0) must install, if they ";
  $message .= "have not done so already, a vital security patch\n\n";

  $message .= "How Big Is The Problem? On July 19, the Code Red worm infected more ";
  $message .= "than 250,000 systems in just 9 hours. The worm scans the Internet, ";
  $message .= "identifies vulnerable systems, and infects these systems by installing ";
  $message .= "itself. Each newly installed worm joins all the others causing the rate ";
  $message .= "of scanning to grow rapidly. This uncontrolled growth in scanning directly ";
  $message .= "decreases the speed of the Internet and can cause sporadic but widespread ";
  $message .= "outages among all types of systems. Code Red is likely to start spreading ";
  $message .= "again on July 31st, 2001 8:00 PM EDT and has mutated so that it may be even ";
  $message .= "more dangerous. This spread has the potential to disrupt business and ";
  $message .= "personal use of the Internet for applications such as electronic commerce, ";
  $message .= "email and entertainment.\n\n";

  $message .= "Who Must Act? Every organization or person who has Windows NT or Windows ";
  $message .= "2000 systems AND the IIS web server software may be vulnerable. IIS is ";
  $message .= "installed automatically for many applications. If you are not certain, ";
  $message .= "follow the instructions to determine whether you are running IIS 4.0 or ";
  $message .= "5.0. If you are using Windows 95, Windows 98, Windows Me, Windows XP ";
  $message .= "RC1 or later, or Windows .NET Server build 3505 or later, there is no ";
  $message .= "action that you need to take in response to this alert.\n\n";

  $message .= "What To Do If You Are Vulnerable?\n\n";

  $message .= "a. To rid your machine of the current worm, reboot your computer.\n";
  $message .= "b. To protect your system from re-infection: Install the patch ";
  $message .= "as specified in the instructions.\n\n";

  $message .= "The security bulletin that describes the patch and the vulnerability ";
  $message .= "it addresses is posted at: ";
  $message .= "http://www.microsoft.com/technet/security/bulletin/MS01-033.asp\n\n";

  $message .= "Because of the importance of this threat, ";
  $message .= "this alert is being made jointly by: \n";
  $message .= "Microsoft \n";
  $message .= "The National Infrastructure Protection Center \n";
  $message .= "Federal Computer Incident Response Center (FedCIRC) \n";
  $message .= "Information Technology Association of America (ITAA) \n";
  $message .= "CERT Coordination Center \n";
  $message .= "SANS Institute \n";
  $message .= "Internet Security Systems \n";
  $message .= "Internet Security Alliance \n";

  $headers  = "From: $name <$from>\n";
  $headers .= "X-Mailer: PHP\n"; // mailer
  $headers .= "X-Priority: 1\n"; // Urgent message!
  $headers .= "Reply-To: $from\n"; // jwwf - in case the ISP actually replies
  $headers .= "Return-Path: <$from>\n";  // Return path for errors


  // jwwf - more fiddling with the original code
  $GotResponse = false;
  $WholeResponse = array();
  $RespondingAuthority = "";

  // ARIN makes a messy output.  To get what we want we have to requery using the NIC
  // handle to get the email address for the contact.  First, replace this skimpy output
  // with the output that has the required data in it

  foreach ( $Authorities as $Authority )
  {
   if ( $GotResponse ) { break; }
   $RespondingAuthority = $Authority;
   $WholeResponse = array();
   // The original used the old "query@server" form of whois; current clients take
   // "-h server query".  Both arguments are quoted before they reach the shell.
   @exec( "/usr/bin/whois -h " . escapeshellarg( $Authority ) . " " . escapeshellarg( $ip ), $WholeResponse, $status );
   $UWholeResponse = strtoupper( join( " ", $WholeResponse ) );
   // An empty answer (whois missing or unreachable) is not a hit either
   if ( ( count( $WholeResponse ) > 0 ) && ( strpos( $UWholeResponse, "NO ENTRIES" ) === false ) && ( strpos( $UWholeResponse, "NO MATCH" ) === false ) )
   {
    $GotResponse = true;
    if ( $Authority == "whois.arin.net" )
    {
     // Pull the NIC handle out of the first "(...)" and re-query it with ARIN's "!" prefix
     foreach ( $WholeResponse as $Line )
     {
      $StartPos = strpos( $Line, chr(40) );
      if ( !( $StartPos === false ) )
      {
       $StartPos++;
       $RightSide = strpos( $Line, chr(41), $StartPos );
       if ( $RightSide === false ) { continue; }
       $Query = substr( $Line, $StartPos, $RightSide - $StartPos );
       unset( $WholeResponse );
       $WholeResponse = array();
       @exec( "/usr/bin/whois -h whois.arin.net " . escapeshellarg( "!" . $Query ), $WholeResponse, $status );
       break;
      }
     }
    }
   }
  }

  // APNIC and RIPE produce similar reports.  ARIN on the other hand makes
  // you work twice as hard to find an email address.  With ARIN, one must
  // perform a double-query (as above) to get the information associated
  // with a network's NIC handle.  APNIC and RIPE just hand it to you
  // straightaway.

  unset( $SendTo ); // just for effect
  if ( $RespondingAuthority != "whois.arin.net" )
  {
   foreach ( $WholeResponse as $Line )
   {
    // limit of 2 so a value containing ':' survives, and lines without ':' are skipped
    $Parts = explode( ":", $Line, 2 );
    if ( count( $Parts ) < 2 ) { continue; }
    list( $Key, $Value ) = $Parts;
    if ( strtoupper( trim( $Key ) ) == "E-MAIL" )
    {
     $SendTo = trim( $Value );
     break;
    }
   }
  }
  else
  {
   foreach ( $WholeResponse as $Line )
   {
    $Words = explode( " ", trim( $Line ) );
    foreach ( $Words as $Word )
    {
     // eregi() is gone from current PHP; preg_match() with /i is the equivalent
     if ( preg_match( '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*$/i', $Word ) )
     {
      $SendTo = $Word;
      break;
     }
    }
    if ( isset( $SendTo ) ) { break; }
   }
  }

  if ( !isset( $SendTo ) )
  {
   $SendTo = $DefaultSendTo;
  }
  else
  {
   $SendTo .= "," . $DefaultSendTo;
  }

  $fp = false;
  if ( $logt == "file" )
  {
   $fp = fopen( $path . "/code-red_ips.txt", "a+" );
  }
  elseif ( $logt == "syslog" )
  {
   // define_syslog_variables() no longer exists; openlog() alone is enough
   openlog( "httpd", LOG_PERROR, LOG_DAEMON );
  }

  /* Email the offender's ISP and also send a copy to our own sysops.
     $SendTo is the comma-separated list built above: the ISP contact, if one
     was found, plus $DefaultSendTo. */
  $sent = false;
  foreach ( explode( ",", $SendTo ) as $var )
  {
   $var = trim( $var );
   if ( $var == "" ) { continue; }
   if ( mail( $var, $subject, $message, $headers ) )
   {
    $sent = true;
    if ( $logt == "file" )
    {
     fputs( $fp, "$host " . date("r") . " - Email sent to $var\n" );
    }
    elseif ( $logt == "syslog" )
    {
     syslog( LOG_WARNING, "Code red from $host email sent to $var" );
    }
   }
  }
  if ( !$sent )
  {
   if ( $logt == "file" )
   {
    fputs( $fp, "$host " . date("r") . " - Email not sent!\n" );
   }
   elseif ( $logt == "syslog" )
   {
    syslog( LOG_WARNING, "Code red from $host - email not sent!" );
   }
  }

  if ( $logt == "file" )
  {
   fclose( $fp );
  }
  elseif ( $logt == "syslog" )
  {
   closelog();
  }

?>
---------8<---------8<---------8<---------8<---------8<---------8<
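The reusable part of the script is the authority lookup and the parsing of what comes back, and the one thing that makes it delicate is that the lookup key (the client address) arrives in headers the remote side controls before it is handed to /usr/bin/whois through a shell. The block below is an added example, not Bill's code or anything from the list: it runs the two parsing paths (RIPE/APNIC key: value lines, ARIN handle-in-parentheses followed by a re-query) against constructed whois text, with no network access, and shows the address check and argument quoting that belong in front of exec(). The function names, the sample records and the "-h server query" command form are mine; the preference for a RIPE abuse-mailbox: line over e-mail: goes one step beyond the post's E-MAIL-only match.

```php
<?php
// Added example (not from the original post).  Everything below runs offline
// on made-up whois output; nothing is sent or queried.

// X-Forwarded-For is set by whoever sends the request.  Only a literal IP
// address is allowed through, so a value carrying shell metacharacters is
// rejected here instead of being quoted later.
function clientAddress(string $forwardedFor, string $remoteAddr): ?string
{
    // The header may hold a comma-separated chain; the first entry is the client
    $candidate = $forwardedFor !== '' ? trim(explode(',', $forwardedFor)[0]) : $remoteAddr;
    return filter_var($candidate, FILTER_VALIDATE_IP) === false ? null : $candidate;
}

// Command line for the lookup, both arguments quoted for the shell.
function whoisCommand(string $server, string $query): string
{
    return '/usr/bin/whois -h ' . escapeshellarg($server) . ' ' . escapeshellarg($query);
}

// RIPE/APNIC style output: "key: value" per line.  Split with a limit of 2 so a
// value containing ':' is kept whole; lines without ':' are skipped.
function contactFromKeyValue(array $lines): ?string
{
    $found = array();
    foreach ($lines as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2) {
            continue;
        }
        $key = strtolower(trim($parts[0]));
        $value = trim($parts[1]);
        if (($key === 'abuse-mailbox' || $key === 'e-mail')
            && filter_var($value, FILTER_VALIDATE_EMAIL) !== false
            && !isset($found[$key])) {
            $found[$key] = $value;
        }
    }
    return $found['abuse-mailbox'] ?? $found['e-mail'] ?? null;
}

// ARIN style: the summary names a NIC handle in parentheses, which the script
// re-queries with the "!" prefix to reach the record that holds the address.
function arinHandle(array $lines): ?string
{
    foreach ($lines as $line) {
        if (preg_match('/\(([A-Z0-9-]+)\)/', $line, $m)) {
            return $m[1];
        }
    }
    return null;
}

// First syntactically valid address anywhere in the text (the post's ARIN fallback).
function firstEmail(array $lines): ?string
{
    foreach ($lines as $line) {
        foreach (preg_split('/\s+/', trim($line)) as $word) {
            if (filter_var($word, FILTER_VALIDATE_EMAIL) !== false) {
                return $word;
            }
        }
    }
    return null;
}

// --- constructed sample records (not real registry data) ---
$ripeSample = array(
    'inetnum:        192.0.2.0 - 192.0.2.255',
    'netname:        EXAMPLE-NET',
    'remarks:        Contact hours: 09:00-17:00',   // a value that itself contains ':'
    'e-mail:         noc@example.net',
    'abuse-mailbox:  abuse@example.net',
);
$arinSummary = array(
    'Example ISP (EXAMPLE-1)',
    '   192.0.2.0 - 192.0.2.255',
);
$arinHandleRecord = array(
    'Name:        Example ISP Abuse Desk',
    'Handle:      EXAMPLE-1',
    'Email:       abuse@example.net',
);

// Three request shapes: a proxied client, a malformed header, no proxy at all
$cases = array(
    array('xff' => '192.0.2.7, 10.0.0.1', 'remote' => '10.0.0.1'),
    array('xff' => '192.0.2.7;extra',     'remote' => '10.0.0.1'),
    array('xff' => '',                     'remote' => '198.51.100.9'),
);
foreach ($cases as $c) {
    $ip = clientAddress($c['xff'], $c['remote']);
    echo "header '{$c['xff']}' -> " . ($ip === null ? 'rejected' : whoisCommand('whois.ripe.net', $ip)) . "\n";
}
echo "RIPE-style contact: " . contactFromKeyValue($ripeSample) . "\n";
$handle = arinHandle($arinSummary);
echo "ARIN follow-up:     " . whoisCommand('whois.arin.net', '!' . $handle) . "\n";
echo "ARIN contact:       " . firstEmail($arinHandleRecord) . "\n";
```

Run it with `php` on the command line. The first case yields a quoted command for 192.0.2.7, the second is rejected before any command is built, the third falls back to REMOTE_ADDR; the RIPE sample resolves to abuse@example.net, and the ARIN path extracts EXAMPLE-1, builds the "!EXAMPLE-1" follow-up, and then finds the address in the handle record. Validating the address first is what lets the rest of the pipeline trust $ip; escapeshellarg() is the second line of defence for whatever the registry sends back, since the ARIN handle is also extracted from untrusted output.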


-----Original Message-----
From: David Robley [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 9:00 PM
To: Bill Farrell
Subject: Re: [PHP] new one is it ??


On Mon, 20 Aug 2001 23:44, [EMAIL PROTECTED] wrote:
> Hiya again, Erik:
>
> Here's the barely-tested but apparently functional Code Red detector. 
> I added some variables at the top for configuring email destinations. 
> The important change is that it will query ARIN, RIPE, and APNIC until
> it finds a reasonable answer.  In the case of ARIN, it's necessary to
> query twice to get the email address you REALLY want, due to the number
> of Tier II providers in the States.  Those don't always show up in the
> WHOIS. That caused me to do a bit more looping and fiddling until the
> answers came out the way I would expect if I were looking by eye.
>
> It may be a bit late for Code Red, but the part of the routine that
> does the authority-queries is re-usable all over the place.  The code
> ain't pretty (I'm no PHP maven YET :-) but it appears to do the job.
>
> Enjoy!
> Bill
>
Bill 

The mailing list strips attachments - if you include it in a message, 
point us to it or email it separately to us... Or I could stick it 
somewhere here where people can get at it.

-- 
David Robley      Techno-JoaT, Web Maintainer, Mail List Admin, etc
CENTRE FOR INJURY STUDIES      Flinders University, SOUTH AUSTRALIA  

   Those who can't write, write help files.
