Why invent the wheel twice, this has been around since the first day Code Red was discovered. See code-red.php

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 10 September 2001 16:22
To: [EMAIL PROTECTED]
Subject: [PHP] Code Red Catcher

Hi All!

I had to unsubscribe for a little while due to the volume but did want to follow up on the Code Red catcher script. Anyone wanting a new copy of the script, please email me directly. I made a gob of changes to the original code, slimming it down some and improving the lookups just a bit.

What I DIDN'T expect was the reporting of over 100 Code Red attack reports per day. My word!! Obviously, the problem is STILL ongoing and far worse than has been reported in the news. Mind you, I run a teeny-tiny, no-great-shakes, niche-ISP business. We're hardly mentioned in search engines and due to the type of data mining and collation we do, we're also hardly interesting. This leads me to believe that Code Red is still rampant and hungrily devouring as much of the 'net's bandwidth as it can grab from as many locations as it can. Those large ISPs serving millions of hits a day (as opposed to our meager 20 million a month) must be suffering!

Never have I been so grateful for Linux, Apache, and PHP. Having a little door-guard watching the fort written in a language all but immune to the attacks has certainly opened my eyes and made me aware that even still, many people on the net are completely irresponsible about their updates and their security. I won't lay the blame entirely at Microsoft for leaving such inexcusably wide holes in products destined for interaction with the Web, but I'll certainly lay a good bit of it on those who insist on using M$ software, putting it directly on the net with no firewall and no updates. Putting the PHP Code Red detector script online has really shown me how bad the problem really is...and STILL is!

Bottom line, Hooray for PHP and Hooray for Apache... what a great combination!

Best regards,
Bill <http://www.>
```php
<?php
/*
  Code Red autoresponder does the following:
  - Checks the whois for the attacking host
  - Emails the offender's Internet Service Provider, supplying hostname, target and date
  - Stores the attack into a file with information if email has been sent
  or:
  - Stores the attack into /var/log/syslog

  In order for this script to function, you need the following:
  - Add .ida to AddType application/x-httpd-php in httpd.conf
  - A writable directory for the user running the webserver
  or:
  - A file called code-red_ips.txt in your $path which has mode 770

  bad2da / Efnet #php
*/

/* Configuration */
$name = "webmaster";
$path = "/usr/local/apache/htdocs";
$logt = "syslog"; // file or syslog

/* Define variables. Request data is read from $_SERVER instead of the
   register_globals names ($HTTP_HOST, $REMOTE_ADDR, ...) that need
   register_globals=on. */
$date = date("r");

/* The Host header is client supplied and ends up in mail headers:
   keep only hostname characters */
$target = preg_replace('/[^A-Za-z0-9.:\-]/', '', $_SERVER['HTTP_HOST']);
$from = "webmaster@$target";

/* Is the client behind a proxy? */
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (!empty($_SERVER['HTTP_VIA'])) {
    $ip = $_SERVER['HTTP_VIA'];
} elseif (!empty($_SERVER['REMOTE_ADDR'])) {
    $ip = $_SERVER['REMOTE_ADDR'];
} else {
    die();
}
/* X-Forwarded-For may carry a comma separated chain; use the first entry */
$ip = trim(strtok($ip, ","));

/* Those headers are attacker controlled and $ip is placed on a command
   line and in mail, so accept a plain dotted-quad IPv4 address and
   nothing else */
$octet = '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])';
if (!preg_match('/^(' . $octet . '\.){3}' . $octet . '$/', $ip)) {
    die();
}
$host = gethostbyaddr($ip);

/* Define email message */
$subject = "Code Red Infection Attempt from $ip to $target";
$message  = "At $date we received a Code Red Infection attempt from a webserver on your network, namely, ";
$message .= "$ip. We would like to help you out and prevent hosts from your network from ";
$message .= "infecting any more hosts on the internet and putting a stop to the worm\n\n\n";
$message .= "Information about the Code Red Virus Worm\n\n";
$message .= "A Very Real and Present Threat to the Internet:\n\n";
$message .= "Install the patch today\n\n";
$message .= "Summary: The Code Red Worm and mutations of the worm pose a continued ";
$message .= "and serious threat to Internet users. Immediate action is required to ";
$message .= "combat this threat. Users who have deployed software that is vulnerable ";
$message .= "to the worm (Microsoft IIS Versions 4.0 and 5.0) must install, if they ";
$message .= "have not done so already, a vital security patch\n\n";
$message .= "How Big Is The Problem? On July 19, the Code Red worm infected more ";
$message .= "than 250,000 systems in just 9 hours. The worm scans the Internet, ";
$message .= "identifies vulnerable systems, and infects these systems by installing ";
$message .= "itself. Each newly installed worm joins all the others causing the rate ";
$message .= "of scanning to grow rapidly. This uncontrolled growth in scanning directly ";
$message .= "decreases the speed of the Internet and can cause sporadic but widespread ";
$message .= "outages among all types of systems. Code Red is likely to start spreading ";
$message .= "again on July 31st, 2001 8:00 PM EDT and has mutated so that it may be even ";
$message .= "more dangerous. This spread has the potential to disrupt business and ";
$message .= "personal use of the Internet for applications such as electronic commerce, ";
$message .= "email and entertainment.\n\n";
$message .= "Who Must Act? Every organization or person who has Windows NT or Windows ";
$message .= "2000 systems AND the IIS web server software may be vulnerable. IIS is ";
$message .= "installed automatically for many applications. If you are not certain, ";
$message .= "follow the instructions to determine whether you are running IIS 4.0 or ";
$message .= "5.0. If you are using Windows 95, Windows 98, Windows Me, Windows XP ";
$message .= "RC1 or later, or Windows .NET Server build 3505 or later, there is no ";
$message .= "action that you need to take in response to this alert.\n\n";
$message .= "What To Do If You Are Vulnerable?\n\n";
$message .= "a. To rid your machine of the current worm, reboot your computer.\n";
$message .= "b. To protect your system from re-infection: Install the patch ";
$message .= "as specified in the instructions.\n\n";
$message .= "The security bulletin that describes the patch and the vulnerability ";
$message .= "it addresses is posted at: ";
$message .= "http://www.microsoft.com/technet/security/bulletin/MS01-033.asp\n\n";
$message .= "Because of the importance of this threat, ";
$message .= "this alert is being made jointly by: \n";
$message .= "Microsoft \n";
$message .= "The National Infrastructure Protection Center \n";
$message .= "Federal Computer Incident Response Center (FedCIRC) \n";
$message .= "Information Technology Association of America (ITAA) \n";
$message .= "CERT Coordination Center \n";
$message .= "SANS Institute \n";
$message .= "Internet Security Systems \n";
$message .= "Internet Security Alliance \n";

$headers  = "From: $name <$from>\n";
$headers .= "X-Mailer: PHP\n";        // mailer
$headers .= "X-Priority: 1\n";        // Urgent message!
$headers .= "Return-Path: <$from>\n"; // Return path for errors

/* Get a whois output from whois.ripe.net ($ip was validated above and is
   still quoted for the shell) */
$whois = array();
$status = 0;
@exec("/usr/bin/whois -h whois.ripe.net " . escapeshellarg($ip), $whois, $status);

/* Parse the email addresses from the output: any abuse@ mailbox first,
   e-mail:/notify: attributes as fallback */
$abuse = array();
$notabuse = array();
foreach ($whois as $value) {
    if (strstr($value, "abuse@")) {
        $email = strtok(strstr($value, "abuse@"), " \t");
        $abuse[] = trim($email);
    } elseif (substr($value, 0, 6) == "e-mail" || substr($value, 0, 6) == "notify") {
        $email = strstr($value, " ");
        $notabuse[] = trim($email);
    }
}

/* Open the log once. Both log types go through logline() so that the
   "no address found" case no longer writes to an undefined $fp when
   $logt is "syslog". */
$fp = false;
if ($logt == "file") {
    $fp = fopen($path . "/code-red_ips.txt", "a+");
} elseif ($logt == "syslog") {
    openlog("httpd", LOG_PERROR, LOG_DAEMON);
}

function logline($logt, $fp, $host, $text)
{
    if ($logt == "file" && $fp) {
        fputs($fp, "$host " . date("r") . " - $text\n");
    } elseif ($logt == "syslog") {
        syslog(LOG_WARNING, "Code red from $host: $text");
    }
}

/* Email the offender */
$recipients = !empty($abuse) ? $abuse : $notabuse;
if (!empty($recipients)) {
    foreach ($recipients as $var) {
        mail($var, $subject, $message, $headers);
        logline($logt, $fp, $host, "Email sent to $var");
    }
} else {
    logline($logt, $fp, $host, "Email not sent!");
}

if ($logt == "file" && $fp) {
    fclose($fp);
} elseif ($logt == "syslog") {
    closelog();
}
?>
```
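The script above runs per request and trusts whatever address the proxy headers hand it before passing it to a shell and to whois. The following is an added example, not code from the post or from bad2da's script: it applies the same three steps offline to an Apache access log instead (count `.ida` probes per source, the script's AddType trigger; refuse anything that is not a plain IPv4 address before it reaches a command line; and pick abuse contacts from whois output with the script's precedence of `abuse@` first, then `e-mail:`/`notify:` lines). The log lines and the whois record are constructed samples, the common log format and the `whois -h server` invocation are assumptions, and no network lookup is made.

```python
"""Added example: Code Red .ida probe triage over an access log.
Not the posted PHP script; sample data below is constructed."""
import re
from collections import Counter
from typing import Dict, List

# Constructed Apache common-log lines (not real traffic). Code Red probes
# request /default.ida with a long run of N (CRv1/v2) or X (CRII) characters.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2001:14:02:11 +0200] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 200 0
192.0.2.44 - - [10/Sep/2001:14:02:15 +0200] "GET /index.php HTTP/1.1" 200 5123
10.0.0.5 - - [10/Sep/2001:14:03:40 +0200] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 200 0
198.51.100.9 - - [10/Sep/2001:14:05:02 +0200] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 0
not a log line at all
"""

# Constructed whois reply in RIPE-style "attribute: value" layout (not a real record).
SAMPLE_WHOIS = """\
inetnum:        10.0.0.0 - 10.0.0.255
netname:        EXAMPLE-NET
descr:          Constructed sample record
remarks:        Please report abuse to abuse@example.net
notify:         noc@example.net
e-mail:         hostmaster@example.net
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def is_valid_ipv4(addr: str) -> bool:
    """Strict dotted quad: exactly four decimal octets in 0..255, nothing else."""
    parts = addr.split(".")
    if len(parts) != 4:
        return False
    return all(p.isdigit() and len(p) <= 3 and int(p) <= 255 for p in parts)


def is_ida_probe(target: str) -> bool:
    """Same trigger as the script's AddType rule: the request path ends in .ida."""
    path = target.split("?", 1)[0]
    return path.lower().endswith(".ida")


def find_probes(log_text: str) -> Counter:
    """Count .ida probes per source address. Unparsable lines and sources that
    are not plain IPv4 are dropped so they can never reach a shell later."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_ida_probe(m.group("target")):
            continue
        if is_valid_ipv4(m.group("ip")):
            hits[m.group("ip")] += 1
    return hits


def parse_whois_contacts(whois_text: str) -> Dict[str, List[str]]:
    """Script precedence: any line holding abuse@ yields an abuse contact
    (first whitespace-delimited token from abuse@ on); e-mail:/notify:
    attributes are collected as fallbacks. Duplicates are dropped."""
    abuse: List[str] = []
    other: List[str] = []
    for line in whois_text.splitlines():
        if "abuse@" in line:
            addr = line[line.index("abuse@"):].split()[0]
            if addr not in abuse:
                abuse.append(addr)
        elif line.startswith(("e-mail:", "notify:")):
            addr = line.split(":", 1)[1].strip()
            if addr and addr not in other:
                other.append(addr)
    return {"abuse": abuse, "other": other}


def recipients(contacts: Dict[str, List[str]]) -> List[str]:
    """Abuse mailbox wins; otherwise fall back to the other contacts."""
    return contacts["abuse"] or contacts["other"]


def whois_argv(ip: str, server: str = "whois.ripe.net") -> List[str]:
    """Build the lookup as an argv list (no shell string) after validation,
    so a header-supplied value cannot smuggle shell syntax. The -h flag is
    assumed to be the server option of the local whois client."""
    if not is_valid_ipv4(ip):
        raise ValueError("refusing to look up non-IPv4 value: %r" % ip)
    return ["whois", "-h", server, ip]


if __name__ == "__main__":
    # Offline demo: every probe source gets the contacts from the sample record.
    contacts = recipients(parse_whois_contacts(SAMPLE_WHOIS))
    for ip, n in find_probes(SAMPLE_LOG).most_common():
        print("%-15s %d probe(s)  lookup: %s  notify: %s"
              % (ip, n, " ".join(whois_argv(ip)), ", ".join(contacts)))
```

Wire a real `subprocess.run(whois_argv(ip), capture_output=True, text=True)` in place of `SAMPLE_WHOIS` to reproduce the script's lookup; the argv form is the point, since the script's `exec()` string is exactly where an unvalidated `X-Forwarded-For` value would be interpreted by the shell.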
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]