Why invent the wheel twice, this has been around since the first day
code red was discovered. See code-red.php

-----Original Message-----
Sent: 10 September 2001 16:22
Subject: [PHP] Code Red Catcher

Hi All!
I had to unsubscribe for a little while due to the volume but did want
follow up on the Code Red catcher script.  Anyone wanting a new copy of
script, please email me directly.  I made a gob of changes to the
code, slimming it down some and improving the lookups just a bit.
What I DIDN'T expect was the reporting of over 100 Code Red attack
per day.  My word!!  Obviously, the problem is STILL ongoing and far
than has been reported in the news.
Mind you, I run a teeny-tiny, no-great-shakes, niche-ISP business.
hardly mentioned in search engines and due to the type of data mining
collation we do, we're also hardly interesting.  This leads me to
that Code Red is still rampant and hungrily devouring as much of the
bandwidth as it can grab from as many locations as it can.  Those large
ISPs serving millions of hits a day (as opposed to our meager 20
million a month) must be suffering!
Never have I been so grateful for Linux, Apache, and PHP.  Having a
door-guard watching the fort written in a language all-but immune to the
attacks has certainly opened my eyes and made me aware that even still,
people on the net are completely irresponsible about their updates and
I won't lay the blame entirely at Microsoft for leaving such inexcusably
wide holes in products destined for interaction with the Web, but I'll
certainly lay a good bit of it on those who insist on using M$ software,
putting it directly on the net with no firewall and no updates.  Putting
PHP Code Red detector script online has really shown me how bad the
really is...and STILL is!
Bottom line, Hooray for PHP and Hooray for Apache... what a great
Best regards,

        Code red autoresponder does the following:
        - Checks the whois for the attacking host
        - Emails the offender's Internet Service Provider, supplying hostname, target and date
        - Stores the attack into a file with information if email has been sent or:
        - Stores the attack into /var/log/syslog

        In order for this script to function, you need the following:
        - Add .ida to AddType application/x-httpd-php in httpd.conf
        - A writable directory for the user running the webserver or:
        - A file called code-red_ips.txt in your $path which has mode 770

        bad2da / Efnet #php


<?php
  /* Configuration */

  $name = "webmaster";
  $from = "webmaster@" . $_SERVER['HTTP_HOST'];
  $path = "/usr/local/apache/htdocs";
  $logt = "syslog"; // file or syslog

  /* Define Variables */
  $date = date("r");
  $headers = "";
  $abuse = array();
  $notabuse = array();

  /* Is the client behind a proxy?  The posted copy read the register_globals
     variables $HTTP_VIA and $REMOTE_ADDR; the header value is only used when
     it is a plain IP address, because it is attacker-controlled and ends up
     in the whois command below. */
  $ip = $_SERVER['REMOTE_ADDR'];
  if (!empty($_SERVER['HTTP_VIA']) && filter_var($_SERVER['HTTP_VIA'], FILTER_VALIDATE_IP)) {
    $ip = $_SERVER['HTTP_VIA'];
  }
  $host = gethostbyaddr($ip);

  /* Define email message */
  $subject = "Code Red Infection Attempt from $ip to " . $_SERVER['HTTP_HOST'];
  $message  = "At $date we received a Code Red Infection attempt from a webserver on your network, namely, ";
  $message .= "$ip. We would like to help you out and prevent hosts from your network from ";
  // the rest of this sentence is missing from the posted copy
  $message .= "infecting any more hosts on the internet and putting a stop to the \n\n";

  $message .= "Information about the Code Red Virus Worm\n\n";

  $message .= "A Very Real and Present Threat to the Internet:\n\n";

  $message .= "Install the patch today\n\n";

  $message .= "Summary: The Code Red Worm and mutations of the worm pose a continued ";
  $message .= "and serious threat to Internet users. Immediate action is required to ";
  $message .= "combat this threat. Users who have deployed software that is vulnerable ";
  $message .= "to the worm (Microsoft IIS Versions 4.0 and 5.0) must install, if they ";
  $message .= "have not done so already, a vital security patch\n\n";

  $message .= "How Big Is The Problem? On July 19, the Code Red worm infected more ";
  $message .= "than 250,000 systems in just 9 hours. The worm scans the Internet, ";
  $message .= "identifies vulnerable systems, and infects these systems by installing ";
  $message .= "itself. Each newly installed worm joins all the others causing the rate ";
  $message .= "of scanning to grow rapidly. This uncontrolled growth in scanning directly ";
  $message .= "decreases the speed of the Internet and can cause sporadic but widespread ";
  $message .= "outages among all types of systems. Code Red is likely to start spreading ";
  $message .= "again on July 31st, 2001 8:00 PM EDT and has mutated so that it may be even ";
  $message .= "more dangerous. This spread has the potential to disrupt business and ";
  $message .= "personal use of the Internet for applications such as electronic commerce, ";
  $message .= "email and entertainment.\n\n";

  $message .= "Who Must Act? Every organization or person who has Windows NT or Windows ";
  $message .= "2000 systems AND the IIS web server software may be vulnerable. IIS is ";
  $message .= "installed automatically for many applications. If you are not certain, ";
  $message .= "follow the instructions to determine whether you are running IIS 4.0 or ";
  $message .= "5.0. If you are using Windows 95, Windows 98, Windows Me, Windows XP ";
  $message .= "RC1 or later, or Windows .NET Server build 3505 or later, there is no ";
  $message .= "action that you need to take in response to this alert.\n\n";

  $message .= "What To Do If You Are Vulnerable?\n\n";

  $message .= "a. To rid your machine of the current worm, reboot your computer.\n";
  $message .= "b. To protect your system from re-infection: Install the patch ";
  $message .= "as specified in the instructions.\n\n";

  $message .= "The security bulletin that describes the patch and the vulnerability ";
  $message .= "it addresses is posted at: ";
  $message .= "http://www.microsoft.com/technet/security/bulletin/MS01-033.asp\n\n";

  $message .= "Because of the importance of this threat, ";
  $message .= "this alert is being made jointly by: \n";
  $message .= "Microsoft \n";
  $message .= "The National Infrastructure Protection Center \n";
  $message .= "Federal Computer Incident Response Center (FedCIRC) \n";
  $message .= "Information Technology Association of America (ITAA) \n";
  $message .= "CERT Coordination Center \n";
  $message .= "SANS Institute \n";
  $message .= "Internet Security Systems \n";
  $message .= "Internet Security Alliance \n";

  $headers .= "From: $name <$from>\n";
  $headers .= "X-Mailer: PHP\n"; // mailer
  $headers .= "X-Priority: 1\n"; // Urgent message!
  $headers .= "Return-Path: <$from>\n";  // Return path for errors

  /* Get a whois output from whois.ripe.net.  The argument is quoted with
     escapeshellarg so nothing but the address reaches the shell. */
  @exec("/usr/bin/whois -h whois.ripe.net " . escapeshellarg($ip), $whois, $status);

  /* Parse the email addresses from the output: any line mentioning abuse@
     is an abuse contact, e-mail:/notify: lines are the fallback contacts */
  foreach ($whois as $value) {
    if (strstr($value, "abuse@")) {
      $email = strstr($value, "abuse@");
      $email = chop(trim($email));
      $abuse[] = $email;
    } elseif (substr($value, 0, 6) == "e-mail" || substr($value, 0, 6) == "notify") {
      $email = strstr($value, " ");
      $email = chop(trim($email));
      $notabuse[] = $email;
    }
  }

  if ($logt == "file") {
    $fp = fopen($path . "/code-red_ips.txt", "a+");
  } elseif ($logt == "syslog") {
    openlog("httpd", LOG_PERROR, LOG_DAEMON);
  }

  /* Email the offender: abuse contacts first, otherwise the e-mail:/notify:
     contacts, and log it when nobody could be notified */
  $recipients = count($abuse) > 0 ? $abuse : $notabuse;
  foreach ($recipients as $var) {
    mail($var, $subject, $message, $headers);
    if ($logt == "file") {
      fputs($fp, "$host " . date("r") . " - Email sent to $var\n");
    } elseif ($logt == "syslog") {
      syslog(LOG_WARNING, "Code red from $host email sent to $var");
    }
  }
  if (count($recipients) == 0) {
    if ($logt == "file") {
      fputs($fp, "$host " . date("r") . " - Email not sent!\n");
    } elseif ($logt == "syslog") {
      syslog(LOG_WARNING, "Code red from $host - email not sent!");
    }
  }

  if ($logt == "file") {
    fclose($fp);
  } elseif ($logt == "syslog") {
    closelog();
  }
?>
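The contact-extraction and address-handling logic of the autoresponder, as an added Python example that is not part of the original script: it keeps the abuse@-first preference over the e-mail:/notify: fallback lines, and it only accepts the proxy-header address when it parses as an IP, since that header is attacker-controlled and feeds the whois command. The whois text, addresses and function names are constructed for the example.

```python
import ipaddress
import subprocess

# Constructed RIPE-style whois output (not a real lookup result).
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
e-mail:         noc@example.net
notify:         hostmaster@example.net
remarks:        report abuse to abuse@example.net
"""

def parse_contacts(text):
    """Same rules as the script: a line containing 'abuse@' yields an abuse
    contact; lines starting with 'e-mail' or 'notify' yield fallback contacts."""
    abuse, other = [], []
    for line in text.splitlines():
        if "abuse@" in line:
            abuse.append(line[line.index("abuse@"):].strip())
        elif line.startswith(("e-mail", "notify")):
            parts = line.split(None, 1)
            if len(parts) == 2:
                other.append(parts[1].strip())
    return abuse, other

def pick_recipients(text):
    """Abuse mailboxes first; otherwise the e-mail:/notify: contacts; else nobody,
    which is the case the script logs as 'Email not sent!'."""
    abuse, other = parse_contacts(text)
    return abuse if abuse else other

def source_address(remote_addr, via_header=None):
    """Use the proxy header only when it is a bare IP literal; anything else
    (a real Via value, or shell metacharacters) falls back to the peer address."""
    if via_header:
        try:
            return str(ipaddress.ip_address(via_header.strip()))
        except ValueError:
            pass
    return str(ipaddress.ip_address(remote_addr))

def whois_argv(ip, server="whois.ripe.net"):
    """argv list for the lookup: no shell is involved and the address is
    re-validated, so only an IP literal ever reaches the whois binary."""
    return ["/usr/bin/whois", "-h", server, str(ipaddress.ip_address(ip))]

def run_whois(ip):
    """Perform the lookup (network access; not exercised offline)."""
    return subprocess.run(whois_argv(ip), capture_output=True, text=True).stdout
```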

PHP General Mailing List (http://www.php.net/)