Hi All,

Like many people, I started getting annoyed with how many Code Red hits I was getting on my local e-smith server; actually, for a while it was getting really bad, like 20 or so requests per day. So I decided to write a little PHP routine to handle the requests and send a response to the company that the IPs belong to.
Yes, there are a couple of bugs and it's not as clean as I would like to have made it, but after 2 weeks of running it I have had 1 Code Red scan :). Firstly I checked my logs to see what files were being scanned for; usually this is either \scripts\Admin.dll or \scripts\root.exe. I created a directory called scripts under my HTML directory, then created the files with the same name, and in the files I placed the PHP routine attached below. I then edited the httpd.conf file so that the files would be served up using the PHP engine. It should be possible to do a mod_rewrite instead, but having never done this myself I decided to choose the simple way. The code is below.

Regards,
Andrew Hooper

--- HERE'S THE CODE ---

<?php
# DO NOT REMOVE THE FOLLOWING NOTICE AND DISCLAIMER
#
# This PHP script was originally written by Andrew Hooper, [EMAIL PROTECTED]
# and is provided without warranty of any sort. If you choose to use it you do so
# at your own risk. You may modify or alter this script in any way you choose;
# however, this disclaimer must be included with the script at all times (and I would
# appreciate a copy of the modified script if possible). If this script or part of it is
# to be used or included with a product that is to be sold for profit or gain, then a
# legitimate copy of that product including any licenses should be provided to me
# at no cost :). A FREE COPY OF SME would be nice !!!!

# Address of the Whois server to use for your NIC lookup.
$whois_server = "whois.apnic.net";

# Details for the System Administrator or WebMaster.
$administrator = "Your SYSADMIN's Name";   # Name of the System Administrator.
$admin_title   = "System Administrator";   # Title or position of the Administrator.
$admin_email   = "[EMAIL PROTECTED]";      # E-mail address for the Administrator.
$admin_phone   = "+555 555-5555";          # Phone number for the Administrator.

# Details of the request that hit this decoy page.
$attempt_IP    = $_SERVER['REMOTE_ADDR'];
$attacked_page = $_SERVER['PHP_SELF'];
$attack_method = $_SERVER['REQUEST_METHOD'];
$attempt_date  = date("Y-m-d");
$attempt_time  = date("H:i:s");

# Set the message to be used.
$sent_to = "This message was also sent to";
$warning_message = "An attempt was made to scan our network by a machine that may be infected with the Code Red Virus or may have a similar infection.\n"
    . "The details of the scan are set out below.\n\n"
    . "Date of Scan : $attempt_date\n"
    . "Time of Scan : $attempt_time\n"
    . "(the above is NZ Pacific Time or +12hrs GMT)\n"
    . "Originating IP Address : $attempt_IP\n"
    . "Page Requested : $attacked_page\n"
    . "Request Method : $attack_method\n\n"
    . "If you need any further information please contact us immediately either by phone or by return email at the address listed below.\n\n"
    . "Regards\n\n"
    . "$administrator\n$admin_title\n$admin_email\n$admin_phone\n\n"
    . "This script was written by Andrew Hooper [EMAIL PROTECTED], if you find it useful please let me know.\n";

# Headers shared by every notification sent below.
$mail_headers = "From: $admin_email\r\n"
    . "Reply-To: $admin_email\r\n"
    . "X-Mailer: PHP/" . phpversion();

# Look up the details on the whois server. escapeshellarg() keeps both values from
# being interpreted by the shell (REMOTE_ADDR is set by the web server, not the client,
# but quoting costs nothing).
$nic_data = array();
exec("whois -h " . escapeshellarg($whois_server) . " " . escapeshellarg($attempt_IP), $nic_data);

# Pick out every "e-mail:" line in the whois record and notify that address.
for ($i = 0; $i < count($nic_data); $i++) {
    $nic_email = strstr($nic_data[$i], "e-mail:");
    if ($nic_email === false) {
        continue;
    }
    $nic_email = trim(substr($nic_email, strlen("e-mail:")));
    # Only accept a well-formed address: the value comes from an external source
    # and is about to be placed in a mail recipient header.
    if (filter_var($nic_email, FILTER_VALIDATE_EMAIL)) {
        echo "********************************************************************<br>\n"
           . "** Your attempt at exploiting this server has been logged ! **<br>\n"
           . "** Attack Date: $attempt_date - Attack Time: $attempt_time **<br>\n"
           . "** Attacker's IP = $attempt_IP. **<br>\n"
           . "** e-mail sent to $nic_email **<br>\n"
           . "********************************************************************<br>\n";
        $sent_to .= " $nic_email";
        # E-mail the appropriate person (for each e-mail address found).
        # mail() takes a comma-separated recipient list, not a semicolon.
        mail("$admin_email,$nic_email", "WARNING : Possible Code Red infection on your network!", $warning_message, $mail_headers);
    }
}

# E-mail the System Administrator.
mail($admin_email, "WARNING : Possible Code Red infection on your network!", $warning_message . $sent_to, $mail_headers);
?>

--
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
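As an added example (not part of Andrew's post or his script), here is the same two-step idea in Python: scan a constructed sample of Apache access-log lines for the /scripts/root.exe and /scripts/Admin.dll probes the post mentions and tally them by source IP, then pull the "e-mail:" contacts out of a constructed APNIC-style whois reply, validating each address before it could ever be used as a mail recipient. The log format (Apache combined) and all sample data are assumptions.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Aug/2001:03:12:45 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [14/Aug/2001:03:14:02 +1200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [14/Aug/2001:03:15:11 +1200] "GET /scripts/Admin.dll HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [14/Aug/2001:03:20:33 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
"""

# Paths the post reports as the usual probe targets (compared case-insensitively).
PROBE_PATHS = ("/scripts/root.exe", "/scripts/admin.dll")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def find_probes(log_text):
    """Return (ip, path) for every request that hit a known probe path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        path = m.group("path").split("?", 1)[0].lower()  # drop query string
        if path in PROBE_PATHS:
            hits.append((m.group("ip"), path))
    return hits

def count_by_ip(hits):
    """Tally probe hits per source address, as the post's log check did by hand."""
    return Counter(ip for ip, _ in hits)

# Constructed whois reply in the APNIC layout the PHP script parses (not real data).
SAMPLE_WHOIS = """\
inetnum:      192.0.2.0 - 192.0.2.255
netname:      EXAMPLE-NET
e-mail:       abuse@example.net
e-mail:       not an address
e-mail:       noc@example.net
source:       APNIC
"""

EMAIL_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')

def contact_emails(whois_text):
    """Distinct, well-formed addresses from 'e-mail:' lines; the whois text is
    external input, so nothing else may reach a mail recipient header."""
    found = []
    for line in whois_text.splitlines():
        if not line.lower().startswith("e-mail:"):
            continue
        addr = line.split(":", 1)[1].strip()
        if EMAIL_RE.match(addr) and addr not in found:
            found.append(addr)
    return found
```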