Hi again, Everyone:

I didn't expect such a response so quickly.  With your indulgence, I'll
quote the code in this message.  I just found out that Outlook (which is
what I'm forced to use at Volvo) won't attach .ida files and I *think* this
list strips attachments in any case.

I don't remember offhand who put the link on this list for the original
code.  Most of it I didn't write, but have done some heavy carving and
additions in spots.  The IP-to-ISP lookup misses entirely about 2% of the
time and needs a tiny-bit better parsing to determining the "best" of several
provided email addresses for the ISP.  I just haven't got that far yet :-)
But the script works as intended, unattended.  BTW, do remember to insert
the AddType directive (near the top of the script in the propaganda) into
your Apache config and reload Apache else the script won't activate.

Be ready for your mailbox to fill.  Personally, I had to turn off CC'ing
myself on every complaint it generated, but I do check all the logs (syslog
and the Apache logs) several times a day and I do keep a running count in a
database for offline processing.

I'd appreciate any modifications or bug-fixes.  I'm not a spit-hot PHP
programmer YET, but maybe someday when I grow up with all of your help.  I
really appreciate the education and encouragement that is freely handed out
over this list.  THIS is more like a community of folks actually doing GOOD
things than any other list to which I've subscribed.

Best regards,
Bill

file: default.ida

<?php
  /* 

    Code red autoresponder does the following:
    - Checks the whois for the attacking host
    - Emails the offender's Internet Service Provider, supplying hostname,
      target and date
    - Stores the attack into a file with information if email has been sent
      or:
    - Stores the attack into /var/log/syslog

    In order for this script to function, you need the following:
    - Add .ida to AddType application/x-httpd-php in httpd.conf
    - A writable directory for the user running the webserver or:
    - A file called code-red_ips.txt in your $path which has mode 770

    bad2da / Efnet #php 
    
#############################################
08/13/2001 jwwf ([EMAIL PROTECTED]) Substantially modified to examine
                all the root authorities, not just RIPE.  Authorities can be
                added or removed at liberty by changing the $Authorities array.

09/01/2001 jwwf ([EMAIL PROTECTED]) Fixed the lookup so it actually
                looks up.  Removed logging to file since Safe Mode has so many
                restrictions on file writing.  Uses SYSLOG now.

  */

  /* Configuration */

  $name = "admin"; // The name you want to send the email AS
  $from = "[EMAIL PROTECTED]"; //  put the "From" email address here
  $DefaultSendTo = "[EMAIL PROTECTED]";
//  $path = "/lib/www/html";
//  Path was removed in this version
  $logt = "syslog"; // file or syslog  09/01/2001 jwwf ONLY log to syslog

$ThisWebServerFQDN = getenv( "SERVER_NAME" );


/*  jwwf Patch to use all available authorities until we find this guy */
$Authorities = array( 'whois.arin.net', 'whois.ripe.net', 'whois.apnic.net' );

/* Define Variables */
  $date = date("r");

/* Is the client behind a proxy? */
  if (!empty($HTTP_X_FORWARDED_FOR))
  {
   $ip = $HTTP_X_FORWARDED_FOR;
  }
  elseif (!empty($HTTP_VIA))
  {
   $ip = $HTTP_VIA;
  }
  elseif (!empty($REMOTE_ADDR))
  {
   $ip = $REMOTE_ADDR;
  }
  else
  {
   die();
  }

/* The proxy headers above are supplied by the remote client, so $ip is
   untrusted input.  It is interpolated into the whois command line, the
   mail subject and the HTML page below, so accept nothing but a plain
   dotted quad; fall back to the TCP peer address, and give up if even
   that is unusable. */
  if (!preg_match('/^[0-9]{1,3}(\.[0-9]{1,3}){3}$/', $ip))
  {
   $ip = $REMOTE_ADDR;
  }
  if (!preg_match('/^[0-9]{1,3}(\.[0-9]{1,3}){3}$/', $ip))
  {
   die();
  }

  $host = gethostbyaddr($ip);

/*
In the case that no-one claimed to hold responsibility for this IP address,
it "might" be spoofed.  There are probably other authorities to query.  If
anyone knows who they might be, please let me know.  Bill
*/

if ( $host == $ip ) {
        $host = "possibly spoofed";
}

  /* Define email message */
/*  jwwf - Corrected spelling, worked on grammar a bit */

  $subject = "Code Red Infection Attempt from $ip to $ThisWebServerFQDN";
  
  $message = "This message has been automatically generated by $ThisWebServerFQDN.\n\n";
  $message .= "At $date we received a Code Red Infection attempt from a webserver on your network, from address ";
  $message .= "$ip ($host). We would like to assist in preventing hosts from your network from ";
  $message .= "infecting any more hosts on the internet and to put a stop to the worm.\n\n\n";

  $message .= "Information about the Code Red Virus Worm\n\n";

  $message .= "A Very Real and Present Threat to the Internet:\n\n";

  $message .= "Install the patch today\n\n";

  $message .= "Summary: The Code Red Worm and mutations of the worm pose a continued ";
  $message .= "and serious threat to Internet users. Immediate action is required to ";
  $message .= "combat this threat. Users who have deployed software that is vulnerable ";
  $message .= "to the worm (Microsoft IIS Versions 4.0 and 5.0) must install, if they ";
  $message .= "have not done so already, a vital security patch\n";

  $message .= "How Big Is The Problem? On July 19, the Code Red worm infected more ";
  $message .= "than 250,000 systems in just 9 hours. The worm scans the Internet, ";
  $message .= "identifies vulnerable systems, and infects these systems by installing ";
  $message .= "itself. Each newly installed worm joins all the others causing the rate ";
  $message .= "of scanning to grow rapidly. This uncontrolled growth in scanning directly ";
  $message .= "decreases the speed of the Internet and can cause sporadic but widespread ";
  $message .= "outages among all types of systems. Code Red is likely to start spreading ";
  $message .= "again on July 31st, 2001 8:00 PM EDT and has mutated so that it may be even ";
  $message .= "more dangerous. This spread has the potential to disrupt business and ";
  $message .= "personal use of the Internet for applications such as electronic commerce, ";
  $message .= "email and entertainment.\n\n";

  $message .= "Who Must Act? Every organization or person who has Windows NT or Windows ";
  $message .= "2000 systems AND the IIS web server software may be vulnerable. IIS is ";
  $message .= "installed automatically for many applications. If you are not certain, ";
  $message .= "follow the instructions to determine whether you are running IIS 4.0 or ";
  $message .= "5.0. If you are using Windows 95, Windows 98, Windows Me, Windows XP ";
  $message .= "RC1 or later, or Windows .NET Server build 3505 or later, there is no ";
  $message .= "action that you need to take in response to this alert.\n\n";

  $message .= "What To Do If You Are Vulnerable?\n\n";

  $message .= "a. To rid your machine of the current worm, reboot your computer.\n";
  $message .= "b. To protect your system from re-infection: Install the patch ";
  $message .= "as specified in the instructions.\n\n";

  $message .= "The security bulletin that describes the patch and the vulnerability ";
  $message .= "it addresses is posted at: ";
  $message .= "http://www.microsoft.com/technet/security/bulletin/MS01-033.asp\n\n";

  $message .= "For more information on this situation, \n";
  $message .= "point your browser here:\n";
  $message .= "http://www.microsoft.com/technet/security/bulletin/MS01-033.asp\n";
  $message .= "http://news.excite.com/news/ap/010805/20/code-red\n";
  $message .= "http://news.cnet.com/news/0-1003-201-6625599-0.html\n";
  $message .= "If you are running this Operating System, Microsoft suggests that \n";
  $message .= "you obtain and run the patch as soon as possible:\n";
  $message .= "For Windows NT:\n";
  $message .= "http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833\n";
  $message .= "For Windows 2000:\n";
  $message .= "http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800\n";

  $message .= "Because of the importance of this threat, ";
  $message .= "this alert is being made jointly by: \n";
  $message .= "Microsoft \n";
  $message .= "The National Infrastructure Protection Center \n";
  $message .= "Federal Computer Incident Response Center (FedCIRC) \n";
  $message .= "Information Technology Association of America (ITAA) \n";
  $message .= "CERT Coordination Center \n";
  $message .= "SANS Institute \n";
  $message .= "Internet Security Systems \n";
  $message .= "Internet Security Alliance \n";

  $headers  = "From: $name <$from>\n"; // first header: assign, do not append
  $headers .= "Reply-To: Administrator <[EMAIL PROTECTED]>\n";
  $headers .= "X-Mailer: PHP\n"; // mailer
  $headers .= "X-Priority: 1\n"; // Urgent message!
  $headers .= "Return-Path: Administrator <[EMAIL PROTECTED]>\n"; // Return path for errors

$GotResponse = false;

// jwwf - major patching to accommodate multiple authority lookups

// ARIN makes a messy output.  To get what we want we have to requery using
// the NIC handle to get the email address for the contact.  First, replace
// this skimpy output with the output that has the required data in it

foreach ( $Authorities as $Authority ) {
        if ( $GotResponse ) { break; }
        $RespondingAuthority = $Authority;
        // exec() appends to an array that already has elements, so clear the
        // previous authority's answer or its "No match" lines would be
        // searched again below.  $ip was validated as a dotted quad above.
        unset( $WholeResponse );
        @exec( "/usr/bin/whois $ip@$Authority", $WholeResponse, $status );
        $UWholeResponse = strtoupper( join( " ", $WholeResponse ) );
        if ( ( strpos( $UWholeResponse, "NO ENTRIES" ) === false ) &&
             ( strpos( $UWholeResponse, "NO MATCH" ) === false ) ) {
                $GotResponse = true;
                $Keepgoing = true;
                foreach ( $WholeResponse as $Line ) {
                        if ( ( $Authority == "whois.arin.net" ) && ( $Keepgoing ) ) {
                                // the NIC handle is the first parenthesised token
                                $StartPos = strpos( $Line, chr(40) );
                                if ( !( $StartPos === false ) ) {
                                        $StartPos++;
                                        $RightSide = strpos( $Line, chr(41) );
                                        $RightSide = $RightSide - $StartPos;
                                        $Query = substr( $Line, $StartPos, $RightSide );
                                        $Query .= "@whois.arin.net";
                                        unset( $WholeResponse );
                                        // the handle came out of someone else's
                                        // output, so pass it as one shell argument
                                        @exec( "/usr/bin/whois " . escapeshellarg( "!$Query" ),
                                               $WholeResponse, $status );
                                        $Keepgoing = false;
                                        break;
                                }
                        }
                }
        }
}

// APNIC and RIPE produce similar reports.  ARIN on the other hand makes
// you work twice as hard to find an email address.  With ARIN, one must
// perform a double-query (as above) to get the information associated
// with a network's NIC handle.  APNIC and RIPE just hand it to you 
// straightaway.

unset( $SendTo ); // just for effect
if ( $RespondingAuthority != "whois.arin.net" ) {
        foreach ( $WholeResponse as $Line ) {
                // lines without a colon have no key/value pair to split
                if ( strpos( $Line, ":" ) === false ) { continue; }
                // limit the split to two pieces: attribute values may contain ':'
                list( $Key, $Value ) = explode( ":", $Line, 2 );
                if ( strtoupper( trim( $Key ) ) == "E-MAIL" ) {
                        $SendTo = trim( $Value );
                        break;
                }
        }
} else {
        foreach ( $WholeResponse as $Line ) {
                $Words = explode( " ", trim( $Line ) );
                foreach ( $Words as $Word ) {
                        if ( eregi( "^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*$", $Word ) ) {
                                $SendTo = $Word;
                                break;
                        }
                }
                if ( isset( $SendTo ) ) { break; }
        }
}

// Whatever was pulled out of the whois output goes straight into the To:
// header of mail(), so insist that it looks like a single address
// (the ARIN branch already did this; apply the same test to the others).
if ( isset( $SendTo ) &&
     !eregi( "^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*$", $SendTo ) ) {
        unset( $SendTo );
}

if ( !isset( $SendTo ) ) {
        $SendTo = $DefaultSendTo;
} else {
        $SendTo .= ",".$DefaultSendTo;
}

   define_syslog_variables();
   openlog("httpd", LOG_PERROR, LOG_DAEMON);

/* Email the offender */
if (!empty($SendTo)) {
        mail($SendTo, $subject, $message, $headers);
        syslog(LOG_WARNING,"Code red from $host email sent to $SendTo");
}
closelog();

// now inform the attacker that the jig is up
echo "<html><head><title>Code Red Attack Detected</title></head>\n";
echo "<body>\n";
echo "Code Red attacker:  Your ISP has already been notified!<br><br>\n";
// $host came back from a DNS answer we do not control, so escape before echoing
$message = nl2br( htmlspecialchars( $message ) );
echo "$message\n";
echo "</body></html>\n";
?>
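The two points where the script consumes data it does not control, the client-supplied address headers and the whois answer, written as stand-alone functions that can be tried against constructed input. This is an added example, not Bill's or jwwf's code; the function names, the `$server` array and the sample whois lines are constructed here.

```php
<?php
// Added example, not part of the posted script; names and sample data are constructed.
// Choose the attacker's address as default.ida does (proxy header first, then the TCP
// peer), but accept only an IPv4 literal: the value ends up on an exec() command line,
// in a mail subject and in an HTML page.
function attackerIp(array $server): ?string
{
    foreach (['HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        $candidate = trim(explode(',', $server[$key])[0]);  // first hop of an XFF chain
        if (filter_var($candidate, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
            return $candidate;
        }
    }
    return null;
}

// Extract the contact address from whois output.  RIPE and APNIC print an "e-mail:"
// attribute; ARIN output is scanned word by word, as the script does.  Either way the
// result must parse as an address before it goes anywhere near the To: header.
function abuseContact(array $lines, string $authority): ?string
{
    foreach ($lines as $line) {
        if ($authority === 'whois.arin.net') {
            $candidates = preg_split('/\s+/', trim($line));
        } else {
            $parts = explode(':', $line, 2);  // limit 2: values may themselves contain ':'
            if (count($parts) !== 2 || strcasecmp(trim($parts[0]), 'e-mail') !== 0) {
                continue;
            }
            $candidates = [trim($parts[1])];
        }
        foreach ($candidates as $word) {
            if (filter_var($word, FILTER_VALIDATE_EMAIL) !== false) {
                return $word;
            }
        }
    }
    return null;
}

// Constructed input: a proxy header carrying the common placeholder "unknown" and an
// abbreviated RIPE-style answer whose remarks line contains a second colon.
$server = ['HTTP_X_FORWARDED_FOR' => 'unknown', 'REMOTE_ADDR' => '192.0.2.7'];
$ripe   = ['inetnum:  192.0.2.0 - 192.0.2.255', 'remarks:  see http://www.example.net/abuse',
           'e-mail:   abuse@example.net'];
var_dump(attackerIp($server));                    // "unknown" is skipped; the TCP peer is used
var_dump(abuseContact($ripe, 'whois.ripe.net'));  // the e-mail: attribute, not the remarks URL
```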
