There are many things like this out there. I found a perl script that acts 
like the 'default.ida' file CodeRed looks for and tries to shut down the 
attacking webserver and reboot the machine. That only keeps them from 
attacking and scanning, it doesn't patch their machine or anything.

Here's a link to it on my machine:

http://skitzo.septicus.com/default.ida

There is also a Java app called vigilante that warns the admin, but it 
wants to run as the web server listening on port 80, so if you are running 
a server it's not much of an option.

Anything like these things is a bit of a tightrope, legally and ethically, 
but I figure if I'm being attacked the least I can do is try and stop it 
or otherwise hinder the attacker and keep my own system running smoothly. 
YMMV... :-/

On Friday, September 21, 2001, at 12:54  PM, Steve Torrence wrote:

> Is it possible with Perl (or is something else better) to create a script 
> that would alert the administrator of a Code Red type worm that his 
> machine was infected? I know OS X can not get infected by this but my 4 
> webservers are getting hammered by it and my bandwidth is dwindling. I 
> know one webserver that has a great way of handling this. It's:
>
> <http://CodeRed.mdg.com>
>
> It just sends an email to the admin of that server telling them they are 
> infected. Most people don't know they are infected and it might be the 
> only alert they receive.
>
> It seems a script could listen on the http port for file requests that 
> match certain patterns and then it could log the total hits from each 
> machine and once a day or once a week send a message to the admin telling 
> them they are hitting your server x amount of times a day for x amount of 
> days for a total number of hits. The message could be sent once a day or 
> week as long as the activity continues.
>
> Does anyone know if this can be done or better yet if a script already 
> exists for it?
>
> Thanks,
>
> Steve
>
>
Cheers,

--Ed
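
The per-host tally and periodic notice described in the quoted question, as an added example in Python that is not part of the original thread. Instead of listening on port 80 it reads the web server's access log, assumes Apache Common Log Format, and only builds the notice text (no mail is sent); the function names, sample log lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache Common Log Format (assumed): host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# The worm's probe asks for /default.ida, usually with a long filler query string.
WORM_PATH = re.compile(r'^/default\.ida(\?|$)', re.IGNORECASE)

def tally(lines):
    """Return {source_host: {date: hit_count}} for requests matching WORM_PATH."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at their content
        host, stamp, _method, path, _status = m.groups()
        if WORM_PATH.match(path):
            # Drop the UTC offset; the server's local day is what gets reported.
            day = datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S").date()
            hits[host][day] += 1
    return hits

def report(host, per_day):
    """Build the notice text for one source: hits per day, days seen, total."""
    total = sum(per_day.values())
    rows = "\n".join(f"  {d.isoformat()}: {n} request(s)"
                     for d, n in sorted(per_day.items()))
    return (f"Host {host} requested /default.ida from this server on "
            f"{len(per_day)} day(s), {total} request(s) in total:\n{rows}")

# Constructed sample log (documentation-range addresses, filler shortened).
SAMPLE = [
    '192.0.2.10 - - [20/Sep/2001:09:14:02 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    '192.0.2.10 - - [20/Sep/2001:17:40:51 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    '192.0.2.10 - - [21/Sep/2001:03:05:37 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    '198.51.100.7 - - [21/Sep/2001:11:22:09 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    '203.0.113.5 - - [21/Sep/2001:11:23:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
    'truncated or garbled line',
]

if __name__ == "__main__":
    for host, per_day in sorted(tally(SAMPLE).items()):
        print(report(host, per_day), end="\n\n")
```

Run from cron once a day or once a week against the current log, the output of `report` is the body of the message the question describes.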
