Dear All: Due to popular demand I've put the newest version of the Code Red detector on one of my servers in public, anonymous FTP. The URL is ftp://ftp.compuphrase.net/pub/codered <ftp://ftp.compuphrase.net/pub/codered> . After some research (annotated in the propaganda), I added the last 10 or so lines of code late yesterday to do the following: 1. Ascertain if this is a browser poking around or is it a true attack? Apparently the worm doesn't send a User-Agent header. 2. If there's no user agent, it's most likely that the attack is coming from IIS directly. If this is the case, cause a browser to pop up on the infected machine's console advising the admin that the attack has been detected and reported. 3. If User-Agent has a value in it, then the supposed attack is coming from a browser. Redirect that browser to the "anticodered.html" page. There are two items in the codered FTP folder: codered.php which must be put in your default web server's top directory. Remember, the worm isn't sending Host headers, either, so if you're using virtual name hosting on Apache, ONLY the default server will be hit. You must also rename this file to "default.ida" and do remember to make the AddType directive change in Apache. This is also annotated at the top of codered.php. The second item is the body of the anti-Code Red html page. There's no head or body section in that HTML codelet, which will allow you to cut-and-paste it directly into your template to keep your site's look and feel. Name it what you will, but make sure that the configuration at the top of default.ida matches. Any improvements or suggestions will be welcome. I'm still logging over 100 attempts per day and it doesn't seem to be slowing down any at all. I'd love to hear about your results and possibly some better techniques for the free-text parsing bit in the middle that finds the ISP from one of the major authorities. I realise that this appears kinda hasty. I didn't expect such a heavy or fast response. I really appreciate all of your help in getting me on my feet in PHP. The transition from ASP to PHP was much easier due to the warm support and education from all of you on the list. Enjoy! Bill Farrell Web Implementer http://www.compuphrase.com <http://www.compuphrase.com>
