Re: [OT] New Micro$oft vulnerability?

2001-09-19 Thread Reuven M. Lerner

> Jeremy Howard writes:

  Jeremy> Any suggestions on how we should respond? Update
  Jeremy> Apache::CodeRed to recognise the new signature, and send an
  Jeremy> appropriate message to postmaster and webmaster with an
  Jeremy> updated URL to point to?

Rosh Hashana just ended here in Israel, and I just checked my e-mail
-- including over 3500 messages from my poor Apache server, which was
obviously attacked quite a bit by this Nimda worm.

Once I understand what's happening, I expect to update
Apache::CodeRed and distribute a new version.  Indeed, several people
sent me suggestions and patches, so this should appear on CPAN sooner
rather than later.

  Jeremy> Reuven--are you planning on submitting an updated version to
  Jeremy> CPAN for this worm? With the same name?

I haven't yet read through all of my e-mail, let alone all of the
e-mail to the modperl list, so we'll see just what I do...

Reuven



Re: How do I STOP Apache::CodeRed sending me messages

2001-08-21 Thread Reuven M. Lerner

> Tatsuhiko Miyagawa writes:

  Miyagawa> Configuration variables for Apache::CodeRed seem to be
  Miyagawa> hardwired in CodeRed.pm itself. Reuven, why not kick out
  Miyagawa> these variables as those defined by "PerlSetVar" in
  Miyagawa> http.conf file?

Sorry, but I was away at a family retreat since Sunday morning, and
haven't had a chance to deal with Apache::CodeRed and other such
things.

I'm hoping to tinker a bit with Apache::CodeRed in the next day or so,
including changing the configuration a bit (so that you don't have to
mess with the code directly to set e-mail addresses).  However, the
idea of being able to override the hard-coded settings with PerlSetVar
is an excellent one, and I'll include that...

Reuven



Re: module to hit back at default.ida attack ?

2001-08-08 Thread Reuven M. Lerner

> Angel R Rivera writes:

  Angel> how about a way to tell it not to report an ip??  i just
  Angel> reported on myself. :)

That feature is in the latest version (1.07), thanks to David Young.

  DeWitt>> So *that's* why Reuven has CodeRed.pm CC him on the warning
  DeWitt>> emails.

  DeWitt>> And I thought he was just nuts.  ;)

I am nuts -- but in this particular case, I was just naive and foolish
to think that people would change the $cc_address variable at the top
of the program.  So I've been flooded by a ridiculous number of e-mail
messages from people who didn't change that variable.

Version 1.08, which I hope to put out tonight or tomorrow, will
improve the configuration a bit, and will also improve on the
documentation.

Reuven



Re: Revised CodeRed.pm - Wish List

2001-08-06 Thread Reuven M. Lerner

> Daniel Aldham writes:

  Daniel> Could the code be added to to add a GET /scripts.root.exe
  Daniel> and then generate a pop-up screen on the infected host
  Daniel> warning the owner/administrator. And then maybe shutdown IIS
  Daniel> & CodeRed?

Yes, I'm sure that we *could* add code to CodeRed.pm that does
everything you suggest, and more.

But I think that it would be a really bad idea.  Even if your
intentions are pure, the authorities won't look kindly on attempts to
run administrative tasks on someone else's computer.

And besides, what happens if something goes wrong?  ("Sorry, we were
just trying to help; we didn't mean to reboot your system while you
were synchronizing databases.")

Reuven



Revised CodeRed.pm

2001-08-06 Thread Reuven M. Lerner

I've modified CodeRed.pm again, such that it now (a) writes better log
messages and (b) sends an automatic message to the SecurityFocus team,
in the format that they specified.

Rather than blast the source code across this mailing list repeatedly,
I've put it up at .  I
expect to write some POD, rewrite a bunch of the comments, re-indent
the source a bit, and other such fun things.  But for the most part,
it appears to work.

Thanks for the feedback that I've received so far!  

Reuven



Revised CodeRed.pm

2001-08-05 Thread Reuven M. Lerner
    my @hostname_components = split /\./, $remote_hostname;
    my $starting_index = 0;

    # Loop around until our starting index begins at the
    # same location as it would end
    while ($starting_index < @hostname_components)
    {
        my $host_for_mx_lookup =
            join '.',
                 @hostname_components[$starting_index .. $#hostname_components];

        @mx = mx($res, $host_for_mx_lookup);

        if (@mx)
        {
            last;
        }
        else
        {
            $starting_index++;
        }
    }

    # If we still haven't found any records, then simply return FORBIDDEN,
    # and log an error message
    if (! @mx)
    {
        $r->log_error("No MX records for '$remote_hostname': ",
                      $res->errorstring);

        return FORBIDDEN;
    }

    # Grab the first MX record, and assume that it'll work.
    my $mx_host = $mx[0]->exchange;
    $r->log_error("CodeRed: Using MX host '$mx_host'");

    # Send e-mail to the webmaster, postmaster, and administrator,
    # since the webmaster and/or postmaster addresses often don't
    # work.
    my $remote_webmaster_address =
        "webmaster\@$mx_host, postmaster\@$mx_host, administrator\@$mx_host";

    # Set the outgoing message

    my $outgoing_message = <<END;

This message was generated automatically by CodeRed.pm for mod_perl
and Apache, written by Reuven M. Lerner (<[EMAIL PROTECTED]>).

END

    $r->log_error("CodeRed: Sending e-mail to '$remote_webmaster_address'");

    my %mail = ( To      => $remote_webmaster_address,
                 CC      => $cc_address,
                 From    => '[EMAIL PROTECTED]',
                 Subject => 'CodeRed infection',
                 Message => $outgoing_message
               );

    my $sendmail_success = sendmail(%mail);

    if ($sendmail_success)
    {
        # Cache the fact that we saw this IP address
        $file_cache->set($remote_ip_address, 1);

        return FORBIDDEN;
    }
    else
    {
        $r->log_error("CodeRed: Mail::Sendmail returned '$Mail::Sendmail::error'");
        return DECLINED;
    }
}

# All modules must return a true value
1;
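As an added example, not Apache::CodeRed's own code, the Python below re-implements the notification path of the excerpt above with DNS and mail replaced by injected stand-ins so it runs offline. The MX table, the TEST-NET addresses and the sender mailbox are constructed. It also folds in two behaviours discussed elsewhere in this thread: the "don't report this IP" exclusion that went into 1.07, and the per-IP cache that stops the same host being reported on every hit. Two points are assumptions rather than things the excerpt shows: that the lost top of the handler checks the cache before doing anything else, and the one deliberate change from the Perl, which picks the lowest-preference MX rather than the first record returned.

```python
"""Added example (not Apache::CodeRed's own code): the notification path of the
CodeRed.pm excerpt, rewritten in Python with DNS and mail injected so it runs
offline.  Everything in SAMPLE_MX_TABLE and the addresses below is constructed."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

MxRecord = Tuple[int, str]          # (preference, exchange), as Net::DNS mx() returns
MxLookup = Callable[[str], List[MxRecord]]

# Constructed stand-in for the DNS: only these two zones publish MX records.
SAMPLE_MX_TABLE: Dict[str, List[MxRecord]] = {
    "example.net": [(20, "mx2.example.net"), (10, "mx1.example.net")],
    "isp.example.org": [(5, "mail.isp.example.org")],
}


def sample_mx_lookup(domain: str) -> List[MxRecord]:
    """Stand-in for Net::DNS mx(): exact-name lookups against the table above."""
    return SAMPLE_MX_TABLE.get(domain, [])


def find_mx_host(hostname: str, mx_lookup: MxLookup) -> Optional[str]:
    """The while loop from CodeRed.pm: try the full reverse-DNS name, then drop one
    leading label at a time until some suffix has MX records.  Returns the exchange
    with the lowest preference value (CodeRed.pm takes the first record returned;
    choosing by preference is the one deliberate change here), or None."""
    labels = hostname.rstrip(".").split(".")
    for start in range(len(labels)):
        records = mx_lookup(".".join(labels[start:]))
        if records:
            return min(records, key=lambda rec: rec[0])[1]
    return None


def contact_addresses(mx_host: str) -> List[str]:
    """Same three role mailboxes CodeRed.pm writes to at the MX host."""
    return [f"{role}@{mx_host}" for role in ("webmaster", "postmaster", "administrator")]


@dataclass
class CodeRedNotifier:
    cc_address: str                                     # the $cc_address the thread complains about
    mx_lookup: MxLookup = sample_mx_lookup
    ignored_ips: Set[str] = field(default_factory=set)  # "a way to tell it not to report an ip"
    seen_ips: Set[str] = field(default_factory=set)     # stand-in for the $file_cache
    outbox: List[dict] = field(default_factory=list)    # stand-in for Mail::Sendmail

    def handle(self, remote_ip: str, remote_hostname: str, request_line: str) -> str:
        """Process one worm-signature request and return what was done:
        'ignored', 'cached', 'no_mx' or 'notified'.  The Perl handler answers the
        client with FORBIDDEN in each of these cases; the string just makes the
        decision observable."""
        if remote_ip in self.ignored_ips:
            return "ignored"
        if remote_ip in self.seen_ips:          # assumed: the lost top of the excerpt checks the cache
            return "cached"
        mx_host = find_mx_host(remote_hostname, self.mx_lookup)
        if mx_host is None:
            return "no_mx"
        self.outbox.append({
            "To": ", ".join(contact_addresses(mx_host)),
            "CC": self.cc_address,
            "From": "codered-responder@example.com",   # constructed sender
            "Subject": "CodeRed infection",
            "Message": (
                f"The host {remote_hostname} ({remote_ip}) sent this server the request\n"
                f"    {request_line}\n"
                "which is the signature of the Code Red worm; the host is probably infected.\n"
            ),
        })
        # CodeRed.pm records the IP only after a successful send, so a failed
        # delivery is retried on the next hit rather than silently dropped.
        self.seen_ips.add(remote_ip)
        return "notified"


if __name__ == "__main__":
    notifier = CodeRedNotifier(cc_address="codered-reports@example.com",
                               ignored_ips={"192.0.2.1"})
    # Constructed sample hits: TEST-NET addresses with reverse names in the table's zones.
    for ip, host in [("192.0.2.1", "www.example.net"),
                     ("192.0.2.10", "host.sub.example.net"),
                     ("192.0.2.10", "host.sub.example.net"),
                     ("192.0.2.20", "nowhere.invalid")]:
        print(ip, host, "->", notifier.handle(ip, host, "GET /default.ida HTTP/1.0"))
    for mail in notifier.outbox:
        print("would mail:", mail["To"])
```

The destination mailboxes are derived entirely from the reverse-DNS name of the connecting address, which the excerpt trusts as-is, and the thread itself shows what an unbounded responder does to whoever ends up on the CC line. A deployment should therefore keep the per-IP cache persistent across server restarts and consider a per-domain send limit, so that a burst of infected hosts in one network does not turn the responder into a mail flood for that network's postmaster.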



mod_perl not to work with 5.6?

2000-06-12 Thread Reuven M. Lerner

> Stas Bekman writes:

  Stas> Hey, who of the Perl teachers at Cruise said that?

  Stas>  
  Stas> 8.Perl 5.6, which seems like generally a very good thing,
  Stas> currently doesn't work in a mod_perl (i.e., Apache)
  Stas> context. This is a big problem for some people.
  Stas> 

  Stas> I guess a correction and an apology are due... :)

Given that Tim Bray (who co-invented XML and is an *amazing* speaker,
among other things) wrote the report from the Perl Whirl, and that his
report seems to reflect his interests and opinions, I'd guess that he
said it.

But I'll fess up: At my final Perl Whirl session, I talked about
mod_perl (and HTML::Mason) -- and I specifically told people that
there were all sorts of reports of instability between mod_perl and
Perl 5.6.0.

Indeed, if you look through the mod_perl list archives, you'll find
that there have been lots of postings in the last month or two
discussing problems between mod_perl and 5.6.  I'm not sure whether
the problem lies with one or the other, or with simple problems in the
interaction between the two programs.  But the problems do seem to
exist.

I haven't yet installed 5.6.0, even though some of the features are
incredibly cool, simply because I'm kinda chicken.  I've heard about
too many problems, particularly with mod_perl, Mason, and random other
things, to feel comfortable using it right now.  But hey, I would love
to be proven wrong on this subject.

Reuven