For shits and giggles, I whipped up a
little Java program that serves two functions:
- when invoked with a single argument,
it connects to that host on port 80,
issues an IDQ-style request according
to Chris St. Clair's recently posted
testing methodology (only tested on IIS/5.0),
and tells you if the server appears to
be vulnerable or not
for example:
$ javac CodeRedLogger.java
$ java CodeRedLogger infected.system.com
- when invoked with no arguments, it
turns into a little multithreaded
web server on port 80, which for
each client connect, sees if the client
sends the attack signature, and if
so, connects back to the client on port
80 and performs the test mentioned above
for example:
$ javac CodeRedLogger.java
$ java CodeRedLogger
(sit back and wait)
I just wrote this off the top of my head and
tested it on a few servers.
Maybe someone wants to modify the tests
to handle IIS 4.0 servers. :)
The typical disclaimer for exploit code applies:
don't use it unless you're allowed to.
I wouldn't run this on a public server, and I
certainly wouldn't try to reverse-connect and
inject the lysine deficiency via shellcode
(although I bet it would be easy). :)
I also would not recommend trying to do a WHOIS or
trying to send email to the server's sysadmin, because
that could just burden the infected systems even more.
Again, I just wrote it for shits and giggles. I
redirected port 80 on my firewall at home to go
to my home PC, and then have been running it on my
home PC, so I can watch worm requests come in
through my cable modem. :)
I've compiled and tested this under Sun JDK 1.2;
it should work on any 1.2 or later JDK.
Chad Loder
Principal Engineer
Rapid 7, Inc.
http://www.rapid7.com
CodeRedLogger.java
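As an added example, not the attached CodeRedLogger.java (whose source is not in this post), here is a small Java listener in the spirit of the server mode described above that only logs: it classifies each incoming request line against the Code Red probe signature and records the source address, and never connects back to the client. It assumes Java 8 or later (not the JDK 1.2 target the post mentions), the widely published Code Red request signature (a GET for /default.ida whose query string is padded with a long run of N or X), and port 8080 as the default so it runs without root; the sample request lines in the self-test are constructed.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/**
 * Log-only Code Red probe detector (example code, not the post's CodeRedLogger.java).
 * Usage:  java CodeRedProbeDetector [port]     -> listen and log (default port 8080)
 *         java CodeRedProbeDetector --selftest -> classify two constructed request lines
 */
public class CodeRedProbeDetector {

    // Widely published Code Red request signature: GET /default.ida? followed by a long
    // run of 'N' (Code Red I) or 'X' (Code Red II) that pads the query string.
    private static final Pattern CODE_RED =
        Pattern.compile("^GET\\s+/default\\.ida\\?(N{20,}|X{20,}).*");

    /** Returns true when the HTTP request line matches the Code Red probe signature. */
    public static boolean isCodeRedProbe(String requestLine) {
        return requestLine != null && CODE_RED.matcher(requestLine.trim()).matches();
    }

    /** Shortens long request lines so a probe cannot flood the log. */
    private static String truncate(String s, int max) {
        if (s == null) return "<empty>";
        return s.length() <= max ? s : s.substring(0, max) + "...";
    }

    /** Handles one client: read the request line, log the verdict, answer with a plain 404. */
    static void handle(Socket client) {
        try (Socket c = client;
             BufferedReader in = new BufferedReader(
                 new InputStreamReader(c.getInputStream(), StandardCharsets.ISO_8859_1))) {
            String line = in.readLine();
            String src = c.getInetAddress().getHostAddress();
            String verdict = isCodeRedProbe(line) ? "CODE-RED probe" : "other request";
            System.out.println(src + " " + verdict + ": " + truncate(line, 60));
            c.getOutputStream().write(
                "HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
                    .getBytes(StandardCharsets.ISO_8859_1));
        } catch (IOException e) {
            System.err.println("client error: " + e.getMessage());
        }
    }

    /** Runs the classifier over constructed sample lines (no network needed). */
    static void selfTest() {
        // Constructed sample: the N-padding is what the signature keys on; the %u tail is truncated.
        String probe = "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0";
        String benign = "GET /index.html HTTP/1.0";
        System.out.println("probe  -> " + isCodeRedProbe(probe));   // true
        System.out.println("benign -> " + isCodeRedProbe(benign));  // false
    }

    public static void main(String[] args) throws IOException {
        if (args.length > 0 && args[0].equals("--selftest")) {
            selfTest();
            return;
        }
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 8080; // 8080: no root required
        try (ServerSocket server = new ServerSocket(port)) {
            System.out.println("listening on port " + port);
            while (true) {
                Socket client = server.accept();
                // One thread per connection, mirroring the multithreaded server mode in the post.
                new Thread(() -> handle(client)).start();
            }
        }
    }
}
```

The regex is deliberately anchored on the request line only, so a probe that sends a large body cannot make the logger read it; the listener reads one line, writes a fixed 404 and closes the socket.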